Viktor Dukhovni ietf-dane at
Mon Jan 19 17:46:49 CET 2015

On Mon, Jan 19, 2015 at 11:33:36AM -0500, James Cloos wrote:

> WB> The DANE validator
> WB>
> WB> says: "Unusable TLSA Records". Most likely because it is type 1 not allowed
> WB> for DANE-SMTP?
> There is little reason not to accept the distribution-provided /etc/ssl/certs
> certificates when sending mail.

Postfix will not use any "distribution provided" Web PKI CAs when
doing DANE authentication.  In particular it maps usage PKIX-EE(1)
to DANE-EE(3).

> The postfix config string to do that is:
>   smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

This is not useful.  Neither "may" nor "dane" make any use of such
certificates, they just slow down smtp(8) process startup.

These are used for "secure", but that's for designated destinations,
and one should generally be much more selective about which CAs to
trust in that context.



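The configuration split described in the reply above, as an added example that is not part of the original message or of the Postfix documentation: the global level is "dane" with no smtp_tls_CAfile at all, and the one destination that really warrants "secure" gets its own policy-table entry with a trust-anchor file limited to the CA that actually issued that peer's certificate. The destination name partner.example and the file paths are hypothetical; the parameter and attribute names are the standard Postfix ones.

```text
# --- main.cf ---
# Opportunistic DANE for all outbound SMTP. No smtp_tls_CAfile is set:
# the "dane" level authenticates against TLSA records only, so a
# distribution CA bundle would add nothing except slower smtp(8) startup.
smtp_dns_support_level   = dnssec
smtp_tls_security_level  = dane
smtp_tls_loglevel        = 1

# Per-destination overrides for the few peers that warrant "secure".
smtp_tls_policy_maps     = hash:/etc/postfix/tls_policy

# --- /etc/postfix/tls_policy  (then run: postmap hash:/etc/postfix/tls_policy) ---
# Hypothetical destination and trust-anchor file. "secure" verifies the
# peer name (match=) against a trust anchor (tafile=) that holds only the
# CA that issued the peer's certificate, not a whole Web PKI bundle.
partner.example   secure match=.partner.example tafile=/etc/postfix/partner-ca.pem

# Everything else falls through to the global "dane" level above.
```

To check the result from the sending host, posttls-finger(1) can be pointed at a destination with "-l dane-only" and "-L summary,certmatch"; the summary line shows whether the session was "Verified" via the TLSA records, and for the "secure" peer whether the name matched the trust anchor in the tafile.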