On Thu, Jan 29, 2026 at 09:05:44AM -0500, Wietse Venema via Postfix-users wrote:

> Why use DANE for submission? The client is not supposed
> to look up MX records. Isn't DNSSEC without DANE sufficient?

With (port 25) SMTP mail to a recipient domain, DNSSEC is needed to
protect the integrity of the MX records, and secondarily (when TLSA
records are published) to ensure downgrade resistance of the TLSA
records which make TLS mandatory and provide the means to authenticate
the MX host.

With submission, the client generally knows the server name statically,
and protecting the IP address is not meaningful transport security.
So DNSSEC then "only" provides downgrade resistance and integrity for
the TLSA records.  This still works as expected.

    Client:
        main.cf:
            relayhost = [smtp.example.org]:587
            smtp_tls_security_level = dane-only

    Server:
        DNS:
            _587._tcp.smtp.example.org. IN TLSA 3 1 1 ...digest...
            _587._tcp.smtp.example.org. IN TLSA 3 1 1 ...digest...

The client can use "dane-only" rather than "secure" (trust in some
third-party CA) to authenticate the server.  It works, but only
for MTA-to-MTA smarthost submission setups.  No mainstream MUA
I know of supports DANE (perhaps "mutt" does, I haven't checked,
since my "mutt" client does local submission via sendmail(1)).

-- 
    Viktor.  🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
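The policy described above (DNSSEC-validated TLSA records making TLS mandatory and authenticating the server, with "dane-only" failing closed where "dane" would fall back to opportunistic TLS) can be modelled in a few lines. The following is an added illustration, not Postfix code and not part of the thread: it checks a server's certificate or public key against TLSA "3 1 1"-style records exactly as a DANE-EE client must, and returns the decision a "dane" or "dane-only" submission client would take. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, only DANE-EE (usage 3) records are treated as usable, and the helper names are my own.

```python
"""Toy model of a DANE-EE submission client's TLSA matching and policy decision.

Added example; not Postfix source.  Certificate/SPKI bytes below are
constructed placeholders, not real DER.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    """One TLSA RR: certificate usage, selector, matching type, association data."""
    usage: int      # 3 = DANE-EE, the usage published in the thread's example
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo (SPKI)
    mtype: int      # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes


def association_data(record: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this server's cert."""
    selected = {0: cert_der, 1: spki_der}[record.selector]   # KeyError if unknown
    if record.mtype == 0:
        return selected
    if record.mtype == 1:
        return hashlib.sha256(selected).digest()
    if record.mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {record.mtype}")


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate satisfies this TLSA record."""
    try:
        return association_data(record, cert_der, spki_der) == record.data
    except (KeyError, ValueError):
        return False   # unknown selector or matching type: record is unusable


def submission_policy(level: str, dnssec_secure: bool, tlsa_records: list,
                      cert_der: bytes, spki_der: bytes) -> str:
    """Decision for smtp_tls_security_level = dane | dane-only.

    Returns 'authenticated', 'unauthenticated' (opportunistic fallback) or
    'deferred' (connection refused, mail stays queued).
    """
    if level not in ("dane", "dane-only"):
        raise ValueError("this model only covers the dane and dane-only levels")
    # TLSA data is only meaningful when the DNS answer was DNSSEC-validated;
    # an unsigned answer could be forged or stripped, so treat it as absent.
    # Only DANE-EE (usage 3) records are considered usable in this toy model.
    usable = [r for r in tlsa_records if dnssec_secure and r.usage == 3]
    if not usable:
        # dane-only fails closed; dane downgrades to opportunistic TLS.
        return "deferred" if level == "dane-only" else "unauthenticated"
    if any(tlsa_matches(r, cert_der, spki_der) for r in usable):
        return "authenticated"
    return "deferred"   # usable records exist but none match: never fall back


def tlsa_rr(host: str, port: int, record: TLSA) -> str:
    """Render a record in the zone-file form used in the thread."""
    return (f"_{port}._tcp.{host}. IN TLSA {record.usage} "
            f"{record.selector} {record.mtype} {record.data.hex()}")


# Constructed sample data (placeholders, not real DER-encoded objects).
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo bytes, not a real key"
SAMPLE_CERT = b"constructed certificate wrapping " + SAMPLE_SPKI
# Two "3 1 1" records, as in the thread: the current key and a rollover key.
SAMPLE_RECORDS = [
    TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest()),
    TLSA(3, 1, 1, hashlib.sha256(b"constructed next-rollover key").digest()),
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(tlsa_rr("smtp.example.org", 587, rec))
    for level in ("dane", "dane-only"):
        for secure, recs in ((True, SAMPLE_RECORDS), (True, []), (False, SAMPLE_RECORDS)):
            print(level, "dnssec=%s" % secure, "tlsa=%d" % len(recs), "->",
                  submission_policy(level, secure, recs, SAMPLE_CERT, SAMPLE_SPKI))
```

The two rows that matter for the thread's point are the ones with no usable TLSA data: "dane-only" defers the mail, while "dane" silently proceeds without authentication. Publishing a second "3 1 1" record ahead of a key change, as the thread's zone snippet does, is what keeps the match succeeding across a rollover.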