Postfix version 3.2 was released on 28 February 2017 and implements several changes to its DANE functionality in order to conform with RFCs 7671 and 7672, as well as with current operational practice.
Postfix is a free and open-source mail transfer agent that includes support for the DANE protocol. DANE can address the issue of third-party trust as it allows digital certificates to be put in the DNS and signed with DNSSEC, enabling end users to validate that the correct certificate is being used.
The particularly relevant changes are:
- RFC 7671 digest algorithm agility will no longer be optional. It has been on by default with no observed issues.
- Support for DANE-TA(2) records with matching types other than Full(0) will no longer be optional. These are widely used, and support has been on by default with no significant issues.
- Support for PKIX-EE(1) TLSA records (by pretending they were really DANE-EE(3)) will be dropped, as only one of the 3420 MX hosts surveyed is using them.
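To make the three changes concrete, here is an added illustration (not Postfix code, and not part of the original post) of how an SMTP client selects and matches TLSA records along those lines: PKIX usages are discarded, digest agility keeps only the strongest supported digest per (usage, selector) pair while leaving Full(0) records untouched, and the survivors are compared against the certificate chain the server presented. The certificate and SPKI byte strings are constructed stand-ins rather than real DER, and the DANE-TA(2) branch only checks membership in the chain, omitting the path validation a real client also performs.

```python
import hashlib
from dataclasses import dataclass

# Matching types (RFC 6698 / RFC 7671).
FULL, SHA256, SHA512 = 0, 1, 2
# Certificate usages.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

# Digest preference, strongest first. Assumption: the client supports both,
# mirroring Postfix's default tls_dane_digests = "sha512 sha256".
DIGEST_PREFERENCE = [SHA512, SHA256]
DIGEST_FUNCS = {SHA256: hashlib.sha256, SHA512: hashlib.sha512}


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def parse_tlsa(rr: str) -> TLSA:
    """Parse the presentation form '<usage> <selector> <mtype> <hex data>'."""
    usage, selector, mtype, *hexparts = rr.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def drop_pkix_usages(records):
    """RFC 7672: PKIX-TA(0) and PKIX-EE(1) are not usable for SMTP, and Postfix 3.2
    no longer accepts PKIX-EE(1) as a stand-in for DANE-EE(3)."""
    return [r for r in records if r.usage in (DANE_TA, DANE_EE)]


def apply_digest_agility(records):
    """RFC 7671 digest agility: within each (usage, selector) group keep only the
    records using the strongest digest the client supports. Full(0) is not a
    digest and is always kept; unsupported digest types are dropped."""
    groups = {}
    for r in records:
        groups.setdefault((r.usage, r.selector), []).append(r)
    kept = []
    for recs in groups.values():
        present = {r.mtype for r in recs}
        best = next((d for d in DIGEST_PREFERENCE if d in present), None)
        kept.extend(r for r in recs if r.mtype == FULL or r.mtype == best)
    return kept


def _matches_one(r, cert_der, spki_der):
    target = cert_der if r.selector == 0 else spki_der
    if r.mtype == FULL:
        return r.data == target
    fn = DIGEST_FUNCS.get(r.mtype)
    return fn is not None and fn(target).digest() == r.data


def record_matches(r, chain):
    """chain is a list of (cert_der, spki_der) tuples, leaf first.
    DANE-EE(3) matches the leaf only; DANE-TA(2) matches any chain element
    (path validation from that element to the leaf is omitted here)."""
    if r.usage == DANE_EE:
        return _matches_one(r, *chain[0])
    return any(_matches_one(r, cert, spki) for cert, spki in chain)


def usable_records(rr_texts):
    return apply_digest_agility(drop_pkix_usages([parse_tlsa(t) for t in rr_texts]))


def any_match(rr_texts, chain):
    return any(record_matches(r, chain) for r in usable_records(rr_texts))


# Constructed sample data (not real DER); a client takes these from the TLS handshake.
SAMPLE_CERT = b"constructed-sample-leaf-certificate"
SAMPLE_SPKI = b"constructed-sample-leaf-spki"
SAMPLE_CA_CERT = b"constructed-sample-issuer-certificate"
SAMPLE_CA_SPKI = b"constructed-sample-issuer-spki"
SAMPLE_CHAIN = [(SAMPLE_CERT, SAMPLE_SPKI), (SAMPLE_CA_CERT, SAMPLE_CA_SPKI)]

SAMPLE_RRSET = [
    "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest(),  # DANE-EE, SPKI, SHA-256
    "3 1 2 " + hashlib.sha512(SAMPLE_SPKI).hexdigest(),  # DANE-EE, SPKI, SHA-512 (wins agility)
    "1 0 1 " + hashlib.sha256(SAMPLE_CERT).hexdigest(),  # PKIX-EE, no longer accepted
    "2 0 0 " + SAMPLE_CA_CERT.hex(),                      # DANE-TA, full issuer cert, kept
]

if __name__ == "__main__":
    for r in usable_records(SAMPLE_RRSET):
        print(f"usage={r.usage} selector={r.selector} mtype={r.mtype} data={r.data[:8].hex()}...")
    print("chain matches:", any_match(SAMPLE_RRSET, SAMPLE_CHAIN))
```

In Postfix itself the corresponding behaviour is switched on with `smtp_tls_security_level = dane` together with `smtp_dns_support_level = dnssec`, and the digest preference order comes from `tls_dane_digests`; the point of the example is only to show why a zone that publishes both SHA-256 and SHA-512 records for the same key must keep both correct, since the client will ignore the weaker one.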
Viktor Dukhovni has also checked which domains currently support DANE, and discovered more than 103,000 with TLSA records for all their MX hosts.
If you’re interested in how to secure a Postfix mail server with DANE, then you can find step-by-step instructions in our two-part article posted last year.
For more information on DANE, please also see our DNSSEC pages.