Frank Fiene ffiene at
Thu Jan 15 17:39:09 CET 2015

Yes, now I got it.

It was not designed for client authentication.
But what is the problem for Mailserver to Mailserver authentication in both directions?

All well-administrated mail systems have reverse DNS configured; if that were DNSSEC-secured, perfect!
So reverse DNS, then TLSA/DNSSEC plus Certificate validation and everything would be fine for both sides!

But OK.

So I have to test outgoing connections, and if I have enabled DANE and DNSSEC and dig gives me an ad flag, my Postfix must tell me if it is Verified or not, even if my DANE isn't running yet, right?

Frank Fiene
IT-Security Manager VEKA Group

Phone: +49 2526 29-6200
Fax: +49 2526 29-16-6200
mailto: ffiene at
PGP-ID: 20419C64
PGP-Fingerprint: 93FB 5525 88C0 8F40 E7FD  EAB5 BBB4 435F 2041 9C64

Dieselstr. 8
48324 Sendenhorst

Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
HRB 8282 AG Münster/District Court of Münster

> On 15.01.2015 at 16:48, Patrick Ben Koetter <p at> wrote:
> * Frank Fiene <ffiene at>:
>> Sorry about the confusion.
>> In Patrick's and Carsten's PDF file there are two examples.
>> I think they describe outgoing connections, right?
>> There are the keywords „Verified“ and „Untrusted“, so far so good.
>> But what about incoming connections?
> At the moment it is not possible to DANE verify incoming connections.
> Future DANE versions may support this. I suggested mutual
> authentication when the DANE WG was re-chartered and the WG accepted it:
> p at rick
> -- 
> [*] sys4 AG
>, +49 (89) 30 90 46 64
> Franziskanerstraße 15, 81669 München
> Registered office: München, District Court of München: HRB 199263
> Executive Board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the Supervisory Board: Florian Kirstein

More information about the dane-users mailing list