User:Fordprefect/Postfix/DANE
This covers the implementation of DANE in postfix.
Dane
Resource Record
DANE supports several types of records, however not all of them are suitable in postfix. Certificate usage 0 is unsupported, 1 is mapped to 3 and 2 is optional, thus it is recommendet to publish a "3" record. More on Resource Records.
Configuration
Opportunistic DANE is configured this way:
/etc/postfix/main.cf
smtpd_use_tls = yes smtp_dns_support_level = dnssec smtp_tls_security_level = dane
/etc/postfix/master.cf
dane unix - - n - - smtp -o smtp_dns_support_level=dnssec -o smtp_tls_security_level=dane
To use per-domain policies, e.g. opportunistic DANE for example.org and mandatory DANE for example.com, use something like this:
/etc/postfix/main.cf
indexed = ${default_database_type}:${config_directory}/ # Per-destination TLS policy # smtp_tls_policy_maps = ${indexed}tls_policy # default_transport = smtp, but some destinations are special: # transport_maps = ${indexed}transport
transport
example.com dane example.org dane
tls_policy
example.com dane-only
Note: For global mandatory DANE, change
smtp_tls_security_level
to dane-only
. Be aware that this makes postfix tempfail on all delivieres that do not use DANE at all!Full documentation is found here.