On Sun, Oct 19, 2025 at 11:45:38AM -0400, postfix--- via mailop wrote:

> On 2025-10-19 10:39, Alessandro Vesely via mailop wrote:
> > While you can self-sign a certificate saying that your name is 
> > "example.com",
> > most CAs at least verify that the domain name is actually controlled by the
> > requestor.
> 
> How about adding the fingerprint of the certificate to DNS, or even better
> publish the public key in some well-known URL on the server pointed by DNS?
> just sayin'

It seems you're inclined to reinvent DANE.  It's been done already.
There are today at least ~4.27 million domains with DANE TLSA records
for SMTP.  Example:

    https://stats.dnssec-tools.org/explore/?ietf.org

Aggregate stats:

    https://stats.dnssec-tools.org/

Postfix and Exim support DANE.  In the case of Postfix also with RFC7250
raw public keys when nothing but the public key is needed.

-- 
    Viktor.  🇺🇦 Слава Україні!
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
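The DANE mechanism Viktor refers to, shown as an added worked example (this is not code from the thread, nor from Postfix or Exim): the zone-owner side derives a TLSA record for the MX host's certificate, and the sending-MTA side checks a presented certificate, or an RFC 7250 raw public key (a bare SubjectPublicKeyInfo, no certificate at all), against the RRset. The host name mail.example.com is hypothetical and the certificate is a throwaway self-signed one generated inline; only DANE-EE (usage 3) with SHA-256 matching is implemented, and the DNS lookup itself is left out: a real MTA must fetch the TLSA RRset through a DNSSEC-validating resolver and treat an unvalidated answer as "no DANE".

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA is the RDATA of one TLSA record (RFC 6698). For SMTP (RFC 7672) only usages 2
// (DANE-TA) and 3 (DANE-EE) are used; selector 0 = whole cert, 1 = SPKI; matching 1 = SHA-256.
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      []byte
}

// matchData applies the matching type; matching 2 (SHA-512) exists but is omitted here.
func matchData(in []byte, matching uint8) ([]byte, error) {
	if matching != 1 {
		return nil, fmt.Errorf("unsupported matching type %d", matching)
	}
	h := sha256.Sum256(in)
	return h[:], nil
}

// PublishTLSA is the zone-owner side: derive the record to publish for cert.
func PublishTLSA(cert *x509.Certificate, usage, selector, matching uint8) (TLSA, error) {
	in := cert.Raw
	if selector == 1 {
		in = cert.RawSubjectPublicKeyInfo
	} else if selector != 0 {
		return TLSA{}, fmt.Errorf("unsupported selector %d", selector)
	}
	data, err := matchData(in, matching)
	return TLSA{Usage: usage, Selector: selector, Matching: matching, Data: data}, err
}

// Record renders the zone-file form of the record for port 25 on an MX host.
func (t TLSA) Record(mxHost string) string {
	return fmt.Sprintf("_25._tcp.%s. IN TLSA %d %d %d %s",
		mxHost, t.Usage, t.Selector, t.Matching, hex.EncodeToString(t.Data))
}

// MatchesDANEEE is the sending-MTA side for usage 3: in is the object the selector
// names (0 = certificate DER, 1 = SPKI DER). No CA chain and no name check is involved.
// Usage 2 (DANE-TA) needs chain building and is deliberately not handled here.
func MatchesDANEEE(in []byte, selector uint8, rrset []TLSA) bool {
	for _, rr := range rrset {
		if rr.Usage != 3 || rr.Selector != selector {
			continue
		}
		got, err := matchData(in, rr.Matching)
		if err == nil && bytes.Equal(got, rr.Data) {
			return true
		}
	}
	return false
}

// MatchesCert checks a presented leaf certificate against the TLSA RRset.
func MatchesCert(cert *x509.Certificate, rrset []TLSA) bool {
	return MatchesDANEEE(cert.Raw, 0, rrset) ||
		MatchesDANEEE(cert.RawSubjectPublicKeyInfo, 1, rrset)
}

// selfSignedCert makes a throwaway certificate for the example (constructed here;
// not a real MX certificate).
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		Subject: pkix.Name{CommonName: host}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSignedCert("mail.example.com") // hypothetical MX host
	if err != nil {
		panic(err)
	}
	rr, _ := PublishTLSA(cert, 3, 1, 1)
	spki, _ := x509.MarshalPKIXPublicKey(cert.PublicKey) // RFC 7250 raw public key: SPKI only, no cert
	fmt.Println(rr.Record("mail.example.com"))
	fmt.Println("cert:", MatchesCert(cert, []TLSA{rr}), "raw key:", MatchesDANEEE(spki, 1, []TLSA{rr}))
}
```

The "3 1 1" form is the one to publish when the key, not the certificate, is what you want pinned: because the hash covers only the SubjectPublicKeyInfo, the same record stays valid across certificate renewals that keep the key, and it is also exactly what a raw-public-key (RFC 7250) handshake can be checked against, since there the peer sends nothing but that SPKI. A "3 0 1" record, by contrast, pins the whole certificate and cannot match a bare key.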
