Mail

DANE / TLSA

Enforce DANE for Outgoing Mail

Postfix

Important

The configured DNS servers (/etc/resolv.conf) must validate DNSSEC. You can verify this by checking that dig brokendnssec.net returns SERVFAIL and that the answer to dig ch. carries the AD (Authenticated Data) flag.

Note

systemd-resolved:

While DNSSEC validation is supported and the validation status is available via the D-Bus API, systemd-resolved does not expose the validation status via the AD flag on the stub resolver at 127.0.0.53, so Postfix cannot use it for DANE.

  1. Enforce DANE, edit /etc/postfix/main.cf:

    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane
    
  2. Go to https://havedane.net/ and send mail to the test addresses shown there.

  3. You should see one mail to @wrong.havedane.net being stuck in the outgoing mail queue because of an invalid certificate:

    $ mailq
    -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
    0DC9F14EE0D7     845 Sat Jan  1 20:10:47  sender@arbitrary.ch
                                                  (Server certificate not trusted)
                                             e109ac729550b8f9@wrong.havedane.net
    
    -- 0 Kbytes in 1 Request.
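The resolver check from the Important box and the main.cf settings from step 1 can be verified with a small POSIX shell script. This is an added example, not part of the original page; the parsing helpers take dig output as an argument so they can be exercised on captured output, and the live functions assume dig and postconf are installed.

```shell
#!/bin/sh
# Added example: verify that the local resolver validates DNSSEC and that
# Postfix enforces DANE for outgoing mail. Source this file, then call
# check_resolver_live and main_cf_enforces_dane /etc/postfix/main.cf.

# Returns 0 if the dig output ($1) carries the AD (Authenticated Data) flag,
# e.g. ";; flags: qr rd ra ad; QUERY: 1, ...".
dig_has_ad_flag() {
    printf '%s\n' "$1" | grep -E '^;; flags:.*[[:space:]]ad[;[:space:]]' >/dev/null
}

# Returns 0 if the dig output ($1) reports status SERVFAIL, which is what a
# validating resolver must return for a domain with broken DNSSEC.
dig_is_servfail() {
    printf '%s\n' "$1" | grep -E '^;; ->>HEADER<<-.*status: SERVFAIL' >/dev/null
}

# Returns 0 if the main.cf at $1 sets both DANE-related parameters exactly
# as required by step 1 (surrounding whitespace is tolerated).
main_cf_enforces_dane() {
    grep -Eq '^[[:space:]]*smtp_dns_support_level[[:space:]]*=[[:space:]]*dnssec[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*smtp_tls_security_level[[:space:]]*=[[:space:]]*dane[[:space:]]*$' "$1"
}

# Live check against the resolver in /etc/resolv.conf, using the two queries
# the page describes. Returns 1 if either signal is missing, because Postfix
# can only enforce DANE when TLSA lookups come back DNSSEC-validated.
check_resolver_live() {
    ad_out=$(dig ch. 2>&1)
    servfail_out=$(dig brokendnssec.net 2>&1)
    if dig_has_ad_flag "$ad_out" && dig_is_servfail "$servfail_out"; then
        echo "resolver validates DNSSEC (AD flag set, broken zone -> SERVFAIL)"
        return 0
    fi
    echo "resolver does NOT validate DNSSEC; DANE cannot be enforced" >&2
    return 1
}

# Live check of the running Postfix configuration via postconf -h.
postfix_enforces_dane_live() {
    [ "$(postconf -h smtp_dns_support_level)" = dnssec ] &&
    [ "$(postconf -h smtp_tls_security_level)" = dane ]
}
```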
    

See also DANE TLS authentication