Michael Ströder michael at
Thu Jan 15 17:56:21 CET 2015

Frank fiene wrote:
> It was not designed for client authentication.
> But what is the problem for Mailserver to Mailserver authentication in both directions?

Many people do not consider e.g. client certs for authenticating the client to
be necessary for establishing the encrypted channel. Also there's currently
standard defining how the name check should be done for client certs. IMO
client certs could be helpful to fight spam.

> All well administrated mail system have reverse DNS configured, if that
> would be DNSSEC secured, perfect! So reverse DNS, then TLSA/DNSSEC plus
> Certificate validation and everything would be fine for both sides!

Don't mix different things!

If you're after DNSSEC validation of PTR lookups you could implement a local
policy in your DNS resolver like this:
If there's a RRSIG RR for a PTR RR and this does not validate correctly then
consider the PTR RR to be non-existent. Your MTA would then consider the PTR
RR to be not present and apply whatever you've implemented as sender
restriction policy for absent reverse lookup.

Ciao, Michael.

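The resolver policy described above (a PTR RRset whose RRSIG fails validation is reported to the MTA as if no PTR existed), as an added model in Python that is not from the post or the dane-users list; it runs on constructed lookup results rather than live DNS, and also shows the stock behaviour it replaces, where a validating resolver answers SERVFAIL for bogus data (RFC 4035 section 5.5) and the MTA defers instead of rejecting.

```python
# Added example (not from the post): a small model of the local resolver
# policy described above, driven by constructed PTR lookup results, not live DNS.
from dataclasses import dataclass
from enum import Enum

class Validation(Enum):
    SECURE = "secure"      # RRSIG present and validates
    INSECURE = "insecure"  # unsigned zone: no RRSIG, nothing to validate
    BOGUS = "bogus"        # RRSIG present but does not validate

@dataclass(frozen=True)
class PtrLookup:
    client_ip: str
    ptr_names: tuple       # () means NXDOMAIN / NODATA
    validation: Validation

def resolver_answer(lookup, bogus_as_absent=True):
    """Model of the resolver's reply to the MTA.

    Stock DNSSEC behaviour (RFC 4035 section 5.5) is to answer SERVFAIL for
    bogus data, modelled here as ("tempfail", ()).  The local policy from the
    post instead reports bogus PTR data as non-existent: ("ok", ()).
    """
    if lookup.validation is Validation.BOGUS:
        return ("ok", ()) if bogus_as_absent else ("tempfail", ())
    return ("ok", lookup.ptr_names)

def mta_decision(lookup, bogus_as_absent=True):
    """Sender restriction in the MTA: reject when no PTR exists, defer on a
    temporary lookup error, accept otherwise."""
    status, names = resolver_answer(lookup, bogus_as_absent)
    if status == "tempfail":
        return "defer"     # 4xx-style temporary rejection, client retries later
    if not names:
        return "reject"    # whatever policy applies to an absent reverse lookup
    return "accept"

# Constructed sample clients (addresses from the 192.0.2.0/24 documentation range).
SAMPLES = [
    PtrLookup("192.0.2.10", ("mail.example.org.",), Validation.SECURE),
    PtrLookup("192.0.2.11", ("mail.example.net.",), Validation.BOGUS),
    PtrLookup("192.0.2.12", (), Validation.INSECURE),
    PtrLookup("192.0.2.13", ("host.example.com.",), Validation.INSECURE),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.client_ip, "local policy:", mta_decision(s),
              "/ stock resolver:", mta_decision(s, bogus_as_absent=False))
```

The only row where the two columns differ is the bogus one: the local policy turns a deferral into a rejection, so a signed zone with a broken PTR signature is treated exactly like a missing PTR.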