DANE configuration
Postfix supports DANE in its SMTP client, i.e. for outbound mail delivery.
In Postfix, TLSA certificate usage 0 is unsupported (such records are ignored), usage 1 is mapped to 3, and usage 2 is optional; it is therefore recommended to publish a usage "3" (DANE-EE) record.
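To make the usage handling above concrete, here is an added Python example (not part of this page or of Postfix) that applies the same rules to a set of TLSA records and checks whether a usage-3 record authenticates the certificate a server presents. It also builds the "3 1 1" record that the recommendation refers to. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, not real DER; in practice they would be the DER-encoded certificate and its SPKI extracted with a tool such as openssl.

```python
"""DANE-EE (usage 3) TLSA matching with the usage handling described above."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TLSARecord:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = rdata.split()
    return TLSARecord(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def effective_usage(usage: int) -> Optional[int]:
    """Usage handling as described on this page: 0 is ignored, 1 is treated as 3,
    2 and 3 are used as published. Anything else is ignored as well."""
    if usage == 1:
        return 3
    if usage in (2, 3):
        return usage
    return None


def _selected_data(rr: TLSARecord, cert_der: bytes, spki_der: bytes) -> Optional[bytes]:
    if rr.selector == 0:
        return cert_der
    if rr.selector == 1:
        return spki_der
    return None  # unknown selector: record cannot be used


def _assoc_data(selected: bytes, mtype: int) -> Optional[bytes]:
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    return None  # unknown matching type: record cannot be used


def match_dane_ee(records: List[TLSARecord], cert_der: bytes, spki_der: bytes) -> Optional[TLSARecord]:
    """Return the first usable usage-3 record that authenticates the presented leaf,
    or None. Usage-2 (DANE-TA) records need the full chain and are not evaluated here."""
    for rr in records:
        if effective_usage(rr.usage) != 3:
            continue
        selected = _selected_data(rr, cert_der, spki_der)
        if selected is None:
            continue
        expected = _assoc_data(selected, rr.mtype)
        if expected is not None and hmac.compare_digest(expected, rr.data):
            return rr
    return None


def tlsa_3_1_1(spki_der: bytes) -> str:
    """Presentation format of the recommended record: usage 3, selector 1 (SPKI), SHA-256."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


# Constructed sample inputs: placeholder byte strings, not real DER structures.
SAMPLE_CERT_DER = b"constructed-placeholder-certificate-der"
SAMPLE_SPKI_DER = b"constructed-placeholder-spki-der"

SAMPLE_RECORDS = [
    # Matches the full certificate, but usage 0 is unsupported, so it is ignored.
    parse_tlsa("0 0 1 " + hashlib.sha256(SAMPLE_CERT_DER).hexdigest()),
    # A usage-3 record for a key the server no longer presents (stale after a key rollover).
    parse_tlsa("3 1 1 " + hashlib.sha256(b"constructed-old-spki").hexdigest()),
    # The current key, published the way this page recommends.
    parse_tlsa(tlsa_3_1_1(SAMPLE_SPKI_DER)),
]


def demo() -> Optional[int]:
    """Index of the sample record that authenticates the sample certificate (2), or None."""
    rr = match_dane_ee(SAMPLE_RECORDS, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    return SAMPLE_RECORDS.index(rr) if rr is not None else None


if __name__ == "__main__":
    print("matching record index:", demo())
    print("record to publish:", tlsa_3_1_1(SAMPLE_SPKI_DER))
```

Two details from this page carry over directly: the usage-0 record is skipped even though its digest matches, and a usage-1 record is accepted exactly as if it were usage 3. Keeping the stale record alongside the current one is also the usual way to roll over a key without breaking delivery: publish the new "3 1 1" record before switching certificates and remove the old one afterwards.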
Configuration
In /etc/postfix/main.cf
smtpd_use_tls = yes
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
In /etc/postfix/master.cf
dane      unix  -       -       n       -       -       smtp
    -o smtp_dns_support_level=dnssec
    -o smtp_tls_security_level=dane
Multiple domains
To use per-domain policies, for example for opportunistic DANE for domain.org and mandatory DANE for domain.com:
In /etc/postfix/main.cf
indexed = ${default_database_type}:${config_directory}/
# Per-destination TLS policy
#
smtp_tls_policy_maps = ${indexed}tls_policy
# default_transport = smtp, but some destinations are special:
#
transport_maps = ${indexed}transport
In transport:
domain.com dane
domain.org dane
In tls_policy:
domain.com dane-only