This page covers how to set up DANE for outbound mail in Postfix.


Resource Record

DANE defines several TLSA certificate usages, but not all of them are useful with Postfix: certificate usage 0 is unsupported, usage 1 is treated as usage 3, and usage 2 is optional, so it is recommended to publish a "3" record. More on Resource Records.
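Publishing the recommended "3" record means putting a digest of the MX certificate (selector 0) or of its SubjectPublicKeyInfo (selector 1) into DNS. The following added example (not from this page or from Postfix) derives a "3 1 1" TLSA record from a PEM certificate using a minimal DER walk; the sample certificate and the host name mx.example.com are constructed stand-ins.

```python
import base64, hashlib

def _tlv(der, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(der, start, end):
    """Yield (tag, tlv_start, tlv_end) for each TLV directly inside [start, end)."""
    pos = start
    while pos < end:
        tag, _, ve = _tlv(der, pos)
        yield tag, pos, ve
        pos = ve

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 cert (TLSA selector 1)."""
    _, tbs_pos, _ = _tlv(cert_der, 0)            # Certificate -> tbsCertificate
    _, body_start, body_end = _tlv(cert_der, tbs_pos)
    fields = list(_children(cert_der, body_start, body_end))
    if fields[0][0] == 0xA0:                     # skip the optional [0] version field
        fields = fields[1:]
    _, s, e = fields[5]      # serial, sigAlg, issuer, validity, subject, SPKI
    return cert_der[s:e]

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA RDATA for a certificate; usage 3 is what Postfix verifies directly."""
    data = spki_from_cert(cert_der) if selector == 1 else cert_der
    digest = {0: lambda d: d.hex(),              # matching type 0: full data, no hash
              1: lambda d: hashlib.sha256(d).hexdigest(),
              2: lambda d: hashlib.sha512(d).hexdigest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest}"

def tlsa_record(mx_host, cert_pem, port=25):
    """Presentation-format RR to publish, e.g. _25._tcp.mx.example.com."""
    b64 = "".join(l for l in cert_pem.splitlines() if not l.startswith("-----"))
    return f"_{port}._tcp.{mx_host}. IN TLSA {tlsa_rdata(base64.b64decode(b64))}"

def _der(tag, content):                          # minimal DER encoder for the sample only
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return hdr + content

# Constructed stand-in certificate (not a real key): only its structure matters here.
SAMPLE_SPKI = _der(0x30, _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00") + _der(0x03, b"\x00" + b"\xab" * 70))
SAMPLE_CERT_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 4 + SAMPLE_SPKI) + _der(0x30, b"") + _der(0x03, b"\x00" * 17))
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER).decode() + "-----END CERTIFICATE-----\n"
```

With a real MX certificate, `tlsa_record("mx.example.com", open("mx.pem").read())` yields the zone line to publish; re-publish it whenever the key (selector 1) or the certificate (selector 0) changes.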


Opportunistic DANE is configured this way:

main.cf:

smtpd_use_tls = yes
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

master.cf (a dedicated "dane" transport):

dane       unix  -       -       n       -       -       smtp
  -o smtp_dns_support_level=dnssec
  -o smtp_tls_security_level=dane

To use per-domain policies, e.g. opportunistic DANE for and mandatory DANE for, use something like this:

main.cf:

indexed = ${default_database_type}:${config_directory}/

# Per-destination TLS policy
smtp_tls_policy_maps = ${indexed}tls_policy

# default_transport = smtp, but some destinations are special:
transport_maps = ${indexed}transport

Map entries (transport file and tls_policy file):

transport dane dane
tls_policy dane-only

Note: For global mandatory DANE, change smtp_tls_security_level to dane-only. Be aware that this makes Postfix tempfail (defer) all deliveries to destinations that do not use DANE at all!

