On Fri, Dec 12, 2025 at 09:24:23PM +0200, Edmund Lodewijks via Postfix-users
wrote:
> > The other one I guess I can wait a month and see if they have sorted
> > themselves out by my next statement.. but in that case I'm currently
> > losing mail I want so even if not technically my problem, I would like
> > to do something about it sooner than later if it continues..
>
> I wonder if someone could enlighten me as to whether enabling DANE would
> solve this for a self-signed certificate, or if a CA is a must in case
> someone configures a server with `smtp_tls_security_level = verify` (in
> case of Postfix - I reckon that is what possibly is going on here?).
Only for a sending system that:
1. Insists on authenticated TLS even when sending mail to systems
that don't advertise either of DANE or MTA-STS (perhaps retrying
in the clear or another policy later).
2. Supports outbound DANE.
I don't know how common "1" is "in the wild". Nor have any inkling what
fraction of "1" ultimately retry, or do "2".
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
