On Thu, Jan 29, 2026 at 09:55:58PM +0900, Byunghee HWANG (황병희) via
Postfix-users wrote:
> For days, I have been reading DANE docs. Then, suddenly, a question
> occurred to me. Why is there no mention of port 587 in DANE?
>
> I'm sincerely curious. My current outbound SMTP settings are as follows:
>
> smtp_tls_security_level = dane
>
> May I use 587 port with DANE?

Yes, it works, but it may be imprudent to rely on this if there's reason to
expect that the server operator does not have the necessary operational
diligence.

- Timely MONITORING of the correctness of the server's TLSA records
  is essential.
- A robust certificate rollover process is essential, that avoids
  brief or extended outages when the certificate is updated.

I don't know of any mainstream MUAs that support DANE, but if you have
one, or submission is server-to-server (Postfix-to-Postfix?), then it
suffices to publish:

    _587._tcp.mail.domain.example. IN TLSA 3 1 1 ...current SPKI digest...
    _587._tcp.mail.domain.example. IN TLSA 3 1 1 ...upcoming SPKI digest...

and for the client to either opportunistically ("dane" security level if
Postfix) or unconditionally ("dane-only" security level if Postfix)
make use of said TLSA records.

--
Viktor. 🇺🇦 Слава Україні!
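
Added example (not part of the message above, and not Postfix code): a monitoring check for the two requirements listed in the reply, comparing the SHA-256 SPKI digest of the live and the upcoming certificate with the published "TLSA 3 1 1" records. The function names and sample_cert(), which builds a constructed unsigned certificate skeleton, are assumptions for illustration; fetching the records and the server certificate is left out.

```python
import hashlib

def der_tlv(buf, pos):
    """Return (tag, content_start, end) of the DER element starting at pos."""
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length
        return buf[pos], pos + 2, pos + 2 + first
    start = pos + 2 + (first & 0x7F)       # long form: next N bytes hold the length
    return buf[pos], start, start + int.from_bytes(buf[pos + 2:start], "big")

def spki_der(cert):
    """Slice the SubjectPublicKeyInfo element out of a DER X.509 certificate."""
    pos = der_tlv(cert, 0)[1]              # step into Certificate
    pos = der_tlv(cert, pos)[1]            # step into TBSCertificate
    tag, _, end = der_tlv(cert, pos)
    if tag == 0xA0:                        # optional explicit [0] version
        pos = end
    for _ in range(5):                     # serial, sigalg, issuer, validity, subject
        pos = der_tlv(cert, pos)[2]
    return cert[pos:der_tlv(cert, pos)[2]]

def tlsa_311(zone_text, owner):
    """Collect the digests of the 'TLSA 3 1 1' records published for owner."""
    found = set()
    for line in zone_text.splitlines():
        f = line.split()
        upper = [x.upper() for x in f]
        if "TLSA" in upper and f[0].lower() == owner.lower():
            i = upper.index("TLSA")        # tolerates an optional TTL field
            if f[i + 1:i + 4] == ["3", "1", "1"]:
                found.add("".join(f[i + 4:]).lower())
    return found

def rollover_problems(zone_text, owner, live_cert, next_cert=None):
    """Empty list: the live key (and the staged one, if given) is published."""
    published = tlsa_311(zone_text, owner)
    digest = lambda c: hashlib.sha256(spki_der(c)).hexdigest()
    problems = []
    if digest(live_cert) not in published:
        problems.append("live key has no matching TLSA 3 1 1 record")
    if next_cert is not None and digest(next_cert) not in published:
        problems.append("upcoming key is not pre-published")
    return problems

def sample_cert(key):                      # constructed sample: unsigned skeleton, 32-byte key
    e = lambda tag, body: bytes([tag, len(body)]) + body
    alg = e(0x30, bytes.fromhex("06032b6570"))
    spki = e(0x30, alg + e(0x03, b"\x00" + key))
    tbs = e(0x30, e(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + alg + e(0x30, b"") * 3 + spki)
    return e(0x30, tbs + alg + e(0x03, b"\x00\x00"))
```

Run it before swapping the certificate: an "upcoming key is not pre-published" result means the new key's record still has to be added, and given time to propagate, before the rollover.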