> On Aug 16, 2019, at 1:29 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> 
> wrote:
> 
> enable DANE outbound:
> 
>   http://www.postfix.org/TLS_README.html#client_tls_dane
> 
>   main.cf:
>       smtp_dns_support_level = dnssec
>       smtp_tls_security_level = dane
> 
>   /etc/resolv.conf
>       # A validating *local* resolver
>       nameserver 127.0.0.1

I got an off-list suggestion to stress the importance of the
validating resolver being *local* to the Postfix server.  In
addition to improved performance when the DNS cache is local,
this avoids potential MiTM attacks that "forge" the AD bit or
data of a DNS response.

The Postfix DANE code fully trusts answers from the configured
resolvers, and only provides meaningful resistance to active
attacks when traffic between the validating resolver and Postfix
is not vulnerable to modification in transit.

And with distant validating resolvers you have no control over
the timing and reliability of potential changes in their validation
logic.  For example, 8.8.8.8 and 8.8.4.4 returned incorrect AD
bits for some domains for a few days this past week (now believed
resolved).

Bottom line, only trust local resolvers you deploy, configure
*correctly* and test.

-- 
        Viktor.
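The checks the message asks for (a loopback-only resolv.conf, the two main.cf settings, and a resolver that actually validates rather than forwards), as an added POSIX shell example that is not part of Viktor's message or of Postfix. The script only defines functions and runs them against constructed sample inputs embedded below, so it works offline; on a real host feed the functions the output of `cat /etc/resolv.conf`, `postconf smtp_dns_support_level smtp_tls_security_level`, and `dig +dnssec @127.0.0.1 <name> A` for one correctly signed name and one name whose signatures are deliberately broken (the public test zone dnssec-failed.org is assumed here to still be maintained for that purpose). A resolver listening on 127.0.0.1 that merely forwards to 8.8.8.8 passes the loopback check but fails the SERVFAIL check, which is why both are needed.

```shell
#!/bin/sh
# Added example, not Postfix code: sanity checks for the DANE prerequisites
# described in the message above. Each function returns 0 on pass and 1 on
# fail so the checks compose with && and ||.

# 1. Every nameserver in resolv.conf must be a loopback address. The AD bit
#    from a remote resolver travels unprotected and can be forged in transit.
check_resolver_local() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" { n++; if ($2 !~ /^127\./ && $2 != "::1") bad++ }
        END { exit (n > 0 && bad == 0) ? 0 : 1 }'
}

# 2. Postfix must ask for DNSSEC and use the "dane" security level.
#    Input: output of `postconf smtp_dns_support_level smtp_tls_security_level`
check_postfix_dane() {
    printf '%s\n' "$1" | awk -F' = ' '
        $1 == "smtp_dns_support_level" && $2 == "dnssec" { dnssec = 1 }
        $1 == "smtp_tls_security_level" && $2 == "dane"  { dane = 1 }
        END { exit (dnssec && dane) ? 0 : 1 }'
}

# 3a. A correctly signed answer must carry the AD flag.
#     Input: output of `dig +dnssec @127.0.0.1 <signed name> A`
has_ad_flag() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:( [a-z]+)* ad[ ;]'
}

# 3b. A deliberately broken signature must yield SERVFAIL; a resolver that
#     returns NOERROR for it is forwarding, not validating.
#     Input: output of `dig +dnssec @127.0.0.1 dnssec-failed.org A` (assumed
#     test zone; substitute any name you know to be bogus-signed)
is_servfail() {
    printf '%s\n' "$1" | grep -Eq '^;; ->>HEADER<<- .*status: SERVFAIL'
}

# Combined verdict: resolv.conf text, postconf output, dig output for a
# signed name, dig output for a bogus-signed name.
dane_prereqs_ok() {
    check_resolver_local "$1" && check_postfix_dane "$2" \
        && has_ad_flag "$3" && is_servfail "$4"
}

# --- Constructed sample inputs (not captured from a real host) -------------
LOCAL_RESOLV='# A validating *local* resolver
nameserver 127.0.0.1'
REMOTE_RESOLV='nameserver 8.8.8.8
nameserver 8.8.4.4'

POSTCONF_OK='smtp_dns_support_level = dnssec
smtp_tls_security_level = dane'
POSTCONF_MISSING='smtp_dns_support_level = enabled
smtp_tls_security_level = dane'

DIG_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
DIG_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
DIG_BOGUS_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
DIG_BOGUS_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Demo on the samples: a good host passes, a forwarding resolver on
# 127.0.0.1 (AD present, but bogus name resolves) does not.
if dane_prereqs_ok "$LOCAL_RESOLV" "$POSTCONF_OK" "$DIG_AD" "$DIG_BOGUS_SERVFAIL"; then
    echo "sample good host: DANE prerequisites OK"
fi
if ! dane_prereqs_ok "$LOCAL_RESOLV" "$POSTCONF_OK" "$DIG_AD" "$DIG_BOGUS_NOERROR"; then
    echo "sample forwarding resolver: NOT validating, DANE not trustworthy"
fi
```

On a live server the same functions run as, for instance, `dane_prereqs_ok "$(cat /etc/resolv.conf)" "$(postconf smtp_dns_support_level smtp_tls_security_level)" "$(dig +dnssec @127.0.0.1 example.com A)" "$(dig +dnssec @127.0.0.1 dnssec-failed.org A)"`; repeat the dig checks periodically, since the message's point about 8.8.8.8 is that a resolver's validation behaviour can change under you.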
