What would you like to read about DANE on the test site?
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Jan 16 19:28:47 CET 2015
On Fri, Jan 16, 2015 at 10:41:27AM +0100, Markus Benning wrote:
[ Postfix-specific topic, if you're not a Postfix user, you can
safely ignore this sub-thread. ]
> > Outgoing TLS trust-level
> > ------------------------
> > 2289 Untrusted
> > 914 Verified
> > 235 Trusted
>
> As far as I understand the docs with tls_security_level=dane it should
> mean:
>
> Verified - DANE okay (or explicit policy map)
> Trusted - CA signed certificate
> Untrusted - unknown CA, self-signed...
>
> http://www.postfix.org/FORWARD_SECRECY_README.html

There's also "Anonymous". As for DANE, if the destination has TLSA
records, you'll see "Verified" when it works, and "Untrusted" when
it fails.

With the other security levels, you'll sometimes see "Trusted",
when the chain is issued by a trusted CA (if you've configured
any), but either peer checks fail or authentication is not required
("encrypt" or "may").

--
Viktor.
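
An added example (not part of the original message and not Postfix code): a tally like the one quoted above, built from the "TLS connection established to" lines of the Postfix SMTP client, which also lists destinations logged both "Verified" and "Untrusted". It assumes the log-line form produced with smtp_tls_loglevel = 1; the sample lines are constructed, and the names tally_trust_levels and mixed_status_hosts are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (hosts and addresses are made up), in the form the
# Postfix SMTP client logs when smtp_tls_loglevel is 1 or higher.
SAMPLE_LOG = """\
Jan 16 10:00:01 mx postfix/smtp[2101]: Verified TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 16 10:00:05 mx postfix/smtp[2102]: Untrusted TLS connection established to mx.example.net[192.0.2.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 16 10:00:09 mx postfix/smtp[2103]: Trusted TLS connection established to smtp.example.com[192.0.2.30]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 16 10:00:12 mx postfix/smtp[2104]: Anonymous TLS connection established to relay.example.net[192.0.2.40]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Jan 16 10:00:15 mx postfix/smtpd[2200]: Anonymous TLS connection established from client.example.com[198.51.100.7]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Jan 16 10:03:41 mx postfix/smtp[2105]: Untrusted TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 16 10:04:02 mx postfix/smtp[2106]: Verified TLS connection established to mx2.example.org[192.0.2.11]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Outgoing connections only: smtp (not smtpd) and "established to".
LINE_RE = re.compile(
    r"/smtp\[\d+\]: (Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to ([^\[\s]+)\["
)

def tally_trust_levels(lines):
    """Return (overall Counter, {host: Counter}) for outgoing TLS sessions."""
    totals, per_host = Counter(), defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            level, host = m.groups()
            totals[level] += 1
            per_host[host.lower()][level] += 1
    return totals, dict(per_host)

def mixed_status_hosts(per_host):
    """Hosts logged both Verified and Untrusted: candidates for a DANE
    failure, to be confirmed against the destination's TLSA records."""
    return sorted(h for h, c in per_host.items()
                  if c["Verified"] and c["Untrusted"])

if __name__ == "__main__":
    totals, per_host = tally_trust_levels(SAMPLE_LOG.splitlines())
    for level in ("Untrusted", "Verified", "Trusted", "Anonymous"):
        print(f"{totals[level]:6d} {level}")
    print("Verified and Untrusted:", mixed_status_hosts(per_host))
```

The log line alone does not say whether a destination publishes TLSA records, so the second list is a starting point for a DNS check, not a verdict.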
More information about the dane-users
mailing list