James Cloos cloos at
Mon Jan 19 18:36:16 CET 2015

>>>>> "VD" == Viktor Dukhovni <ietf-dane at> writes:

VD> Postfix will not use any "distribution provided" Web PKI CAs when
VD> doing DANE authentication.  In particular it maps usage PKIX-EE(1)
VD> to DANE-EE(3).

Perhaps not, but one still gets Trusted in the logs when sending to
sites like goog where each mx has a ca-signed cert.

VD> This is not useful.  Neither "may" nor "dane" make any use of such
VD> certificates, they just slow down smtp(8) process startup.

Not every destination has tlsa.

VD> These are used for "secure", but that's for designated destinations,
VD> and should generally be much more selective about which CAs to
VD> trust in that context.

It is a step up from Untrusted.

I do, of course, still prefer that all destinations support dane.

But until then....

James Cloos <cloos at>         OpenPGP: 0x997A9F17ED7DAEA6
