On Mon, Apr 01, 2013 at 03:37:04AM +0000, Viktor Dukhovni wrote:

> > When can we expect a Postfix release that will support the DANE
> > protocol, so that it (Postfix) can verify (using the DANE & DNSSEC
> > protocols) the signed (and free) SSL/TLS certificates (or
> > fingerprints) which we can pre-add in TLSA (CERT, HASTLS, etc.) DNS
> > (DNSSEC) records, and then it (Postfix) will use those certs for
> > secure (SMTP) communication, and to verify SMTP servers?
>
> If you're willing to be on the bleeding edge and want to help test
> code Wietse has not reviewed yet, you can try on a suitable
> non-critical system:
This is now available as a nonprod snapshot via the postfix.org mirrors
listed at:

    http://www.postfix.org/download.html

e.g.:

    http://cdn.postfix.johnriley.me/mirrors/postfix-release/experimental/postfix-2.11-20130426-nonprod.tar.gz

Online docs for the snapshot are at:

    http://vdukhovni.github.io/postfix/

Once this is a regular snapshot, the documentation will be at:

    http://www.postfix.org/documentation.html

Feedback appreciated on:

    http://vdukhovni.github.io/postfix/TLS_README.html#server_cert_key
    http://vdukhovni.github.io/postfix/TLS_README.html#client_tls_dane

If in the meantime anyone turns on more DNSSEC domains and publishes
TLSA RRs for the domain's MX hosts, please drop me a note.

The recommendation is to publish either "2 1 1" (and of course include
the TA cert in the server's TLS trust chain) or "3 1 1".  Feel free to
publish "3 1 1" for both RSA and ECDSA certs (Postfix MTAs can be
configured with both).

-- 
	Viktor.
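Worked example of what the "2 1 1" / "3 1 1" recommendation above means in
code.  This is an added illustration, not part of Viktor's message and not
Postfix's own DANE implementation: it builds a DER-encoded
SubjectPublicKeyInfo for a constructed RSA public key (the modulus values
are made up; no real certificate is involved), derives the TLSA rdata in
presentation format for selector 1 (SPKI) with matching type 1 (SHA-256), and
then shows how a DANE-aware client decides whether a server's presented
chain satisfies a set of TLSA records.  Usage 3 (DANE-EE) is matched against
the leaf key only; usage 2 (DANE-TA) is matched against any key in the
chain the server sent, which is why the TA cert must be included in the
server's trust chain.  Usages 0 and 1 (PKIX-TA/PKIX-EE) are skipped as
unusable for SMTP, following RFC 7672; selector 0 (full certificate) is not
handled here because the example never builds a whole certificate.  The
function names are this example's own.

```python
import hashlib

# ---- minimal DER encoding (assumption: only what an RSA SPKI needs) ----

def der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_integer(i):
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_tlv(0x02, b)

def rsa_spki_der(n, e):
    """SubjectPublicKeyInfo for an rsaEncryption key (RFC 3279 / RFC 5280)."""
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    # AlgorithmIdentifier: OID 1.2.840.113549.1.1.1 with NULL parameters
    alg_id = der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    bit_string = der_tlv(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return der_tlv(0x30, alg_id + bit_string)

# ---- TLSA rdata (RFC 6698): usage, selector, matching type, data ----

def matching_data(mtype, selected):
    """Certificate association data for a matching type, lowercase hex."""
    if mtype == 0:
        return selected.hex()
    if mtype == 1:
        return hashlib.sha256(selected).hexdigest()
    if mtype == 2:
        return hashlib.sha512(selected).hexdigest()
    raise ValueError("unknown matching type %d" % mtype)

def tlsa_rdata(usage, selector, mtype, spki_der):
    """Presentation-format rdata for a selector-1 (SPKI) record."""
    if selector != 1:
        raise ValueError("this example only builds selector 1 (SPKI) records")
    return "%d %d %d %s" % (usage, selector, mtype, matching_data(mtype, spki_der))

def parse_tlsa(rdata):
    """'3 1 1 <hex>' -> (3, 1, 1, '<hex>'); hex may be split by whitespace."""
    fields = rdata.split()
    usage, selector, mtype = (int(x) for x in fields[:3])
    return usage, selector, mtype, "".join(fields[3:]).lower()

def dane_match(tlsa_records, ee_spki, chain_spkis):
    """Return the first TLSA record that authenticates the server, else None.

    ee_spki is the DER SPKI of the leaf (end-entity) key; chain_spkis are the
    DER SPKIs of every certificate the server presented (leaf and issuers).
    """
    for rdata in tlsa_records:
        usage, selector, mtype, data = parse_tlsa(rdata)
        if usage not in (2, 3):
            continue  # PKIX-TA(0)/PKIX-EE(1): unusable for SMTP (RFC 7672)
        if selector != 1 or mtype not in (0, 1, 2):
            continue  # selector 0 would need the full cert; not built here
        candidates = [ee_spki] if usage == 3 else list(chain_spkis)
        if any(matching_data(mtype, spki) == data for spki in candidates):
            return rdata
    return None

if __name__ == "__main__":
    # Constructed keys: a leaf, its trust anchor, and a rotated leaf.
    ee = rsa_spki_der((1 << 2047) | 1, 65537)
    ta = rsa_spki_der((1 << 2047) | 3, 65537)
    print(tlsa_rdata(3, 1, 1, ee))   # what to publish for the MX host's EE key
    print(tlsa_rdata(2, 1, 1, ta))   # what to publish for the TA, chain included
    print(dane_match([tlsa_rdata(2, 1, 1, ta)], ee, [ee, ta]))
```

Publishing one "3 1 1" record per server key (one for the RSA key and one
for the ECDSA key) works with this logic unchanged: any single matching
record in the RRset is sufficient, which is also what lets a "2 1 1" record
keep authenticating the MX after the leaf key is rotated, as long as the
issuing TA cert stays in the presented chain.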