Hello Viktor,

On 27.04.19 at 23:26, Viktor Dukhovni wrote:
> The socketmap service could check for DANE TLSA records first, and
> return "dane", it would have to check that the domain is DNSSEC
> signed, and then check whether all of (the first 10 by preference
> to reduce delay) the MX hosts have TLSA records.

That means the external application will do the same job as Postfix does: determine DANE TLSA records but not validate them, right? Isn't implementing the same job in multiple places what Wietse calls "waste of resources"? :-)

> Adding the full trust store is largely harmless, unless your goal
> is to "harden" MTA-STS by trusting only the subset of CAs actually
> used in practice by "real" MTA-STS domains.

Sounds reasonable, will think about that...

Andreas
