Postfix DANE support for Certificate Usage = 0/1?

Kevin San Diego ksandiego at
Tue Feb 24 00:54:25 CET 2015

> -----Original Message-----
> From: dane-users-bounces at [mailto:dane-users-bounces at]
> On Behalf Of Eivind Olsen
> Sent: Monday, February 23, 2015 3:33 PM
> To: dane-users at
> Subject: RE: Postfix DANE support for Certificate Usage = 0/1?
> On 2015-02-24 00:23, Kevin San Diego wrote:
> > model. For the types of customers who already have to have public
> > CA-cert validated SMTP communications (and associated accept on
> > validation success/drop on validation failure policy set up with
> > critical partners), the currently deployed field of MTAs which don't
> > yet have SMTP client support for DANE at the won't be able to validate
> > the TLS session if a DANE EE cert is used in lieu. Given that MX
> > records point to a specific host or set of hosts on a per domain
> > basis, I presently don't see how an organization could simultaneously
> > support both traditional CA-cert validated TLS connections and TLSA
> > (mode 2/3) validated TLS connections. Receiving SMTP servers can
> > typically only be configured with a single server certificate per
> > IP/port binding.
> This was the bit that got me really confused as well. If I understand it
> correctly, you can still use mode 2/3 on a CA-signed certificate, you're
> just telling DANE-capable clients that they're not supposed to validate
> the certificate against the PKIX infrastructure. Non-DANE-capable
> clients will still do their normal thing when they see the certificate
> in their SSL/TLS sessions.

Ah okay, that sounds like the bit of the puzzle I was missing. Time to do some testing!


Kevin San Diego
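
The point made in the quoted reply, as an added example that is not part of the original message: a usage 3 TLSA record with selector 1 and matching type 1 ("3 1 1") is a digest of the server's public key only, so it can be published for a certificate that a public CA also signed. The host name `mx.example.test`, the helper names and the throwaway certificates are constructed for illustration; in practice the input would be the CA-issued certificate already deployed on the MX host.

```shell
#!/bin/sh
# Added example: derive a "3 1 1" TLSA record (DANE-EE, SPKI, SHA-256)
# from any PEM certificate. The issuer plays no part in the digest.

# Hex SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo.
tlsa_spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
    openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 -binary |
    od -An -tx1 | tr -d ' \n'
}

# Zone-file line for SMTP (port 25) on the MX host named in $2.
tlsa_record() {
  printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$(tlsa_spki_sha256 "$1")"
}

# Constructed test material: a one-day certificate for key file $1,
# written to $2 with common name $3. The key is created if missing.
make_demo_cert() {
  [ -s "$1" ] || openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null
  openssl req -x509 -new -key "$1" -subj "/CN=$3" -days 1 -out "$2" 2>/dev/null
}

# Two different certificates on the same key yield the same record,
# which is why the certificate's signer does not matter to a DANE client.
demo() {
  dir=$(mktemp -d) || return 1
  make_demo_cert "$dir/key.pem" "$dir/first.pem" "mx.example.test"
  make_demo_cert "$dir/key.pem" "$dir/second.pem" "mx.example.test reissued"
  tlsa_record "$dir/first.pem" mx.example.test
  tlsa_record "$dir/second.pem" mx.example.test
  rm -rf "$dir"
}
demo
```
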
