From ArchWiki

This article covers configuring DANE (DNS-based Authentication of Named Entities) for outbound SMTP in Postfix.


Resource Record

DANE supports several kinds of TLSA records, but not all of them are usable with Postfix: certificate usage 0 is unsupported, usage 1 is mapped to 3, and usage 2 is optional, so it is recommended to publish a usage "3" record. More on Resource Records.
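As an added example (not from the wiki page), the following Python checker classifies a zone's TLSA records by the mapping above, so an operator can confirm that what is published is something Postfix will actually match against. The dig output is constructed sample data and the host names are placeholders.

```python
"""Classify TLSA records as this page says Postfix treats certificate usages:
0 unsupported, 1 treated as 3, 2 optional, 3 recommended.  Sample data only."""
import re

# Constructed sample dig output (presentation format); not a real zone.
SAMPLE_TLSA = """\
_25._tcp.mx1.example.invalid. 3600 IN TLSA 3 1 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
_25._tcp.mx1.example.invalid. 3600 IN TLSA 2 0 1 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
_25._tcp.mx2.example.invalid. 3600 IN TLSA 1 1 1 00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff
_25._tcp.mx3.example.invalid. 3600 IN TLSA 0 0 1 11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa
"""

TLSA_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+TLSA\s+(?P<usage>[0-3])\s+(?P<selector>[01])"
    r"\s+(?P<mtype>[0-2])\s+(?P<data>[0-9A-Fa-f ]+)$"
)

# What Postfix does with each certificate usage, per the page.
USAGE_EFFECT = {0: "unsupported, ignored", 1: "treated as usage 3",
                2: "optional (DANE-TA)", 3: "recommended (DANE-EE)"}

def parse_tlsa(text):
    """Return (owner, usage, selector, matching type, hex data) per record line."""
    out = []
    for line in text.splitlines():
        m = TLSA_RE.match(line.strip())
        if m:  # lines that are not TLSA records (comments, other types) are skipped
            out.append((m["name"], int(m["usage"]), int(m["selector"]),
                        int(m["mtype"]), m["data"].replace(" ", "").lower()))
    return out

def effective_usages(records):
    """Owner name -> set of usages Postfix will actually match against."""
    effective = {}
    for owner, usage, *_ in records:
        if usage == 0:
            continue                      # unsupported: the record is dropped
        effective.setdefault(owner, set()).add(3 if usage == 1 else usage)
    return effective

def dane_report(text):
    """Per owner: is any record usable, and is a usage-3 record published?"""
    records = parse_tlsa(text)
    usable = effective_usages(records)
    return {owner: {"usable": owner in usable,
                    "has_usage_3": 3 in usable.get(owner, set()),
                    "published": [USAGE_EFFECT[r[1]] for r in records if r[0] == owner]}
            for owner in sorted({r[0] for r in records})}
```

Feed it the output of `dig +noall +answer TLSA _25._tcp.<mx-host>` for each MX host; a host whose only records are usage 0 shows up as not usable.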


Opportunistic DANE is configured this way:

/etc/postfix/main.cf:
    smtpd_use_tls = yes
    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane

/etc/postfix/master.cf (a dedicated "dane" transport, referenced by the per-domain setup below):
    dane       unix  -       -       n       -       -       smtp
      -o smtp_dns_support_level=dnssec
      -o smtp_tls_security_level=dane

To use per-domain policies, e.g. opportunistic DANE for and mandatory DANE for, use something like this:

/etc/postfix/main.cf:
    indexed = ${default_database_type}:${config_directory}/

    # Per-destination TLS policy
    smtp_tls_policy_maps = ${indexed}tls_policy

    # default_transport = smtp, but some destinations are special:
    transport_maps = ${indexed}transport

/etc/postfix/transport (routes the listed domains through the "dane" transport from master.cf):
    <domain>    dane
    <domain>    dane

/etc/postfix/tls_policy (the domain that must use DANE):
    <domain>    dane-only

Both lookup tables are indexed, so run postmap on them after editing.
Note: For global mandatory DANE, set smtp_tls_security_level to dane-only. Be aware that this makes Postfix tempfail (defer) all deliveries to destinations that do not use DANE at all!

Full documentation is found here.