Postfix DANE support for Certificate Usage = 0/1?

Eivind Olsen eivind at
Tue Feb 24 00:33:27 CET 2015

On 2015-02-24 00:23, Kevin San Diego wrote:
> model. For the types of customers who already have to have public
> CA-cert validated SMTP communications (and associated accept on
> validation success/drop on validation failure policy set up with
> critical partners), the currently deployed field of MTAs which don't
> yet have SMTP client support for DANE at the won't be able to validate
> the TLS session if a DANE EE cert is used in lieu. Given that MX
> records point to a specific host or set of hosts on a per domain
> basis, I presently don't see how an organization could simultaneously
> support both traditional CA-cert validated TLS connections and TLSA
> (mode 2/3) validated TLS connections. Receiving SMTP servers can
> typically only be configured with a single server certificate per
> IP/port binding.

This was the bit that got me really confused as well. If I understand it
correctly, you can still use mode 2/3 on a CA-signed certificate, you're
just telling DANE-capable clients that they're not supposed to validate
the certificate against the PKIX infrastructure. Non-DANE-capable
clients will still do their normal thing when they see the certificate
in their SSL/TLS sessions.

Eivind Olsen
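Added worked example for the point made above (this is not code from the thread, from Postfix, or from either poster). It computes the TLSA rdata a DANE-EE (usage 3) deployment would publish for an SMTP server certificate and shows the check a DANE-capable client then performs: a digest comparison against the presented certificate, with no chain building and no CA trust store, so a CA-signed certificate passes exactly as a self-signed one would, while non-DANE clients never see the TLSA record and keep doing PKIX on the same certificate. It uses only the Python standard library; a small DER walker locates the SubjectPublicKeyInfo (selector 1) by relying on the standard X.509 field order. The certificates it builds are constructed stand-ins with placeholder contents so the script runs offline; the host name mx.example.com is an assumption.

```python
"""TLSA rdata for an SMTP server certificate, and the DANE-EE (usage 3) match check.

Added example for this thread, not code from Postfix or from the posters.
Standard library only. The "certificates" built at the bottom are CONSTRUCTED
stand-ins with the real X.509 field order but placeholder contents.
"""
import hashlib


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite-length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lenbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + content


def der_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, raw_tlv, content)."""
    tag, first = buf[pos], buf[pos + 1]
    hdr, length = 2, first
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], buf[pos + hdr:end]


def der_children(content: bytes):
    """Yield (tag, raw_tlv, content) for each element of a constructed value."""
    pos = 0
    while pos < len(content):
        tag, raw, inner = der_tlv(content, pos)
        yield tag, raw, inner
        pos += len(raw)


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the full DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, _, cert = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, _, tbs = next(der_children(cert))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(der_children(tbs))
    if fields and fields[0][0] == 0xA0:                # explicit [0] version (v2/v3)
        fields = fields[1:]
    spki_tag, spki_raw, _ = fields[5]                  # serial, sigalg, issuer, validity, subject, spki
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_raw


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """TLSA rdata per RFC 6698: usage, selector (0=cert, 1=SPKI), matching type, data."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        digest = data
    elif mtype == 1:
        digest = hashlib.sha256(data).digest()
    elif mtype == 2:
        digest = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {digest.hex()}"


def tlsa_record(mx_host: str, cert_der: bytes, port: int = 25, **kw) -> str:
    """Zone-file line for the MX host, e.g. _25._tcp.mx.example.com. IN TLSA 3 1 1 <hex>."""
    return f"_{port}._tcp.{mx_host}. IN TLSA {tlsa_rdata(cert_der, **kw)}"


def dane_ee_matches(presented_cert: bytes, rdata: str) -> bool:
    """The usage-3 check a DANE client performs: recompute the digest from the
    certificate the server presented and compare it with the published one.
    No chain building and no CA store, so CA-signed or self-signed is irrelevant."""
    usage, selector, mtype, digest = rdata.split()
    if int(usage) != 3:
        raise ValueError("this helper only handles DANE-EE (usage 3)")
    return tlsa_rdata(presented_cert, 3, int(selector), int(mtype)).split()[3] == digest


# ---- CONSTRUCTED fixtures (placeholder contents, not real certificates) -------------
RSA_OID = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSA


def constructed_spki(pubkey_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo skeleton around an arbitrary (placeholder) key blob."""
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + pubkey_bytes))   # BIT STRING, 0 unused bits


def constructed_cert(spki: bytes, serial: int) -> bytes:
    """v3 certificate skeleton: real field order, placeholder names, fake signature."""
    serial_bytes = serial.to_bytes(max(1, (serial.bit_length() + 8) // 8), "big")
    sig_alg = der(0x30, der(0x06, SHA256_RSA_OID) + der(0x05, b""))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                                   # [0] version v3
              + der(0x02, serial_bytes)                                       # serialNumber
              + sig_alg                                                       # signature
              + der(0x30, b"")                                                # issuer (placeholder)
              + der(0x30, der(0x17, b"150101000000Z") + der(0x17, b"160101000000Z"))
              + der(0x30, b"")                                                # subject (placeholder)
              + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\xff" * 8))       # fake signature


if __name__ == "__main__":
    spki = constructed_spki(b"\x00\x11\x22\x33")
    cert = constructed_cert(spki, serial=1)
    print(tlsa_record("mx.example.com", cert))                 # "3 1 1" record
    print(tlsa_record("mx.example.com", cert, selector=0))     # "3 0 1" record
```

A "3 1 1" record binds only the key, so a CA reissue of the same key (new serial, new signature) keeps matching, whereas a "3 0 1" record has to be republished with every renewal; the script's fixtures let you see both behaviours. On the sending side, Postfix opts in with `smtp_tls_security_level = dane` and `smtp_dns_support_level = dnssec` against a DNSSEC-validating resolver; clients without that configuration ignore the TLSA record and validate the same CA-signed certificate through PKIX as before.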

