On Sat, Jan 31, 2026 at 07:11:47PM -0500, Wietse Venema via Postfix-users wrote:
> dane:may (number, opportunistic dane, fallback to opportunistic TLS)
FWIW, this example is not going to be very common, because DANE is downgrade
resistant. When the configured security level is "dane", but the server
has no TLSA records, the logged policy is simply "may":
Feb 01 11:50:57 amnesiac postfix/smtp[96562]: 220A09355B9:
to=<[email protected]>, relay=spike.porcupine.org[168.100.3.2]:25,
delay=5.4, delays=0.12/0.02/3.7/1.5, tls=may, dsn=2.0.0, status=sent
(250 2.0.0 Ok: queued as 4f3WQ90wZ6zJrNm)
Even with "TLS-Required: no" the logged policy is still simply "may".
Perhaps there's a "RequireTLS" mode which could result in "dane:may",
but I haven't studied that feature closely enough to know whether or how
that might arise.
Even with "unusable" TLSA records that result in an effective policy of
"encrypt":
https://github.com/vdukhovni/postfix/blob/11d1e54392f7411e7bc7990115fb5a62aff204f6/postfix/src/smtp/smtp_tls_policy.c?ts=8#L1123-L1124
    if (tls_dane_unusable(dane)) {
        dane_incompat(tls, iter, DANE_CANTAUTH, "TLSA records unusable");
https://github.com/vdukhovni/postfix/blob/11d1e54392f7411e7bc7990115fb5a62aff204f6/postfix/src/smtp/smtp_tls_policy.c?ts=8#L1016-L1017
    if (tls->level == TLS_LEV_DANE) {
        tls->level = (errtype == DANE_CANTAUTH) ? TLS_LEV_ENCRYPT : TLS_LEV_MAY;
I still see "may":
; NOERROR qr rd ra ad
youractive.nl. IN MX 10 youractive.nl.
; NOERROR qr rd ra ad
_25._tcp.youractive.nl. IN TLSA 0 0 1
2a4ba9f85f6044e1e08a6aea53eebb3b0e75ddfd6dbf7c041d840883db5cacc4
Feb 01 12:36:53 amnesiac postfix/smtp[98435]: B8E4B9355B9:
to=<[email protected]>, relay=youractive.nl[136.144.163.208]:25,
delay=2.4, delays=0.09/0.01/2/0.32, tls=may, dsn=2.1.5, status=deliverable
(250 2.1.5 Ok)
--
Viktor. 🇺🇦 Слава Україні!
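As an added example (not code from the thread or from Postfix itself), a small Python checker that parses TLSA records in presentation format, applies RFC 7672's usability rule (only DANE-TA(2) and DANE-EE(3), a known selector and matching type, a digest of the right length), and maps the result onto the fallback the quoted smtp_tls_policy.c lines express: no records gives "may", all records unusable gives "encrypt". The owner names and digests are constructed; the assumption that at least one usable record keeps the level at "dane" is mine, and the script does not model the "may" Viktor reports seeing above.

```python
import re

# Presentation-format TLSA record: owner [TTL] [IN] TLSA usage selector mtype hexdata
TLSA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TLSA\s+"
    r"(?P<usage>\d+)\s+(?P<selector>\d+)\s+(?P<mtype>\d+)\s+(?P<data>[0-9A-Fa-f\s]+)$"
)

# Constructed sample RRset: the digests are made up, not real certificate hashes.
SAMPLE_RRSET = [
    "_25._tcp.mail.example. IN TLSA 0 0 1 " + "ab" * 32,  # PKIX-TA(0): not for SMTP DANE
    "_25._tcp.mail.example. IN TLSA 3 1 1 " + "cd" * 32,  # DANE-EE(3), SPKI SHA-256: usable
]


def parse_tlsa(line):
    """Parse one presentation-format TLSA record into owner plus the four RDATA fields."""
    m = TLSA_RE.match(line.strip())
    if not m:
        raise ValueError("not a TLSA record: %r" % line)
    return {
        "owner": m.group("owner"),
        "usage": int(m.group("usage")),
        "selector": int(m.group("selector")),
        "mtype": int(m.group("mtype")),
        "data": re.sub(r"\s+", "", m.group("data")).lower(),
    }


def unusable_reason(rr):
    """Return why an SMTP DANE client cannot use this record (RFC 7672), or None if it can."""
    if rr["usage"] not in (2, 3):
        return "usage %d: only DANE-TA(2) and DANE-EE(3) apply to SMTP" % rr["usage"]
    if rr["selector"] not in (0, 1):
        return "unknown selector %d" % rr["selector"]
    expected = {0: None, 1: 64, 2: 128}.get(rr["mtype"], -1)  # hex chars for SHA-256/SHA-512
    if expected == -1:
        return "unknown matching type %d" % rr["mtype"]
    if expected is not None and len(rr["data"]) != expected:
        return "digest is %d hex chars, expected %d" % (len(rr["data"]), expected)
    if expected is None and (not rr["data"] or len(rr["data"]) % 2):
        return "full certificate/SPKI data is empty or not whole bytes"
    return None


def effective_level(lines, configured="dane"):
    """Fallback modelled on the quoted smtp_tls_policy.c logic for a 'dane' level."""
    if configured != "dane":
        return configured
    rrset = [parse_tlsa(line) for line in lines]
    if not rrset:
        return "may"      # no TLSA records: opportunistic TLS
    if all(unusable_reason(rr) for rr in rrset):
        return "encrypt"  # DANE_CANTAUTH path: TLS_LEV_DANE becomes TLS_LEV_ENCRYPT
    return "dane"         # assumption: a usable record keeps the level at 'dane'
```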
_______________________________________________
Postfix-users mailing list -- [email protected]