Deploy360 7 April 2017

Postfix 3.2 released

By Kevin Meynell, Former Senior Manager, Technical and Operational Engagement

Postfix version 3.2 was released on 28 February 2017 and implements several changes to its DANE functionality in order to conform with RFCs 7671 and 7672, as well as operational practices.

Postfix is a free and open-source mail transfer agent that includes support for the DANE protocol. DANE can address the issue of third-party trust as it allows digital certificates to be put in the DNS and signed with DNSSEC, enabling end users to validate that the correct certificate is being used.

The particularly relevant changes are:

  • RFC 7671 digest algorithm agility will no longer be optional. This has been on by default with no observed issues.
  • Support for DANE-TA(2) records with matching types other than Full(0) will no longer be optional. These are widely used, and support has been on by default with no significant issues.
  • Support for PKIX-EE(1) TLSA records (by pretending they were really DANE-EE(3)) will be dropped, as only one of the 3420 MX hosts surveyed is using these.
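
To show what these three changes mean for a sending server, here is an added example (not Postfix code and not from the original post) of how an SMTP client selects and matches TLSA records under these rules. The certificate bytes are constructed stand-ins, the function names are hypothetical, ranking SHA2-512 above SHA2-256 is an assumed client preference, and treating PKIX-TA(0) as unusable follows RFC 7672 rather than this post.

```python
import hashlib

# TLSA fields per RFC 6698: (usage, selector, matching_type, data)
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}   # SHA2-256(1), SHA2-512(2)
SMTP_USAGES = {2, 3}   # DANE-TA(2), DANE-EE(3); PKIX-TA(0)/PKIX-EE(1) unusable (RFC 7672)

def usable_tlsa(rrset):
    """Drop unusable records, then apply RFC 7671 digest algorithm agility."""
    recs = [r for r in rrset
            if r[0] in SMTP_USAGES and r[1] in (0, 1) and r[2] in (0, 1, 2)]
    strongest = {}   # (usage, selector) -> strongest digest type published
    for usage, sel, mtype, _ in recs:
        if mtype:    # assumption: client ranks SHA2-512(2) above SHA2-256(1)
            strongest[usage, sel] = max(strongest.get((usage, sel), 0), mtype)
    # Full(0) records always stay; weaker digests are ignored, not tried as fallback.
    return [r for r in recs if r[2] == 0 or r[2] == strongest[r[0], r[1]]]

def matches(rec, cert_der, spki_der):
    _, sel, mtype, data = rec
    obj = cert_der if sel == 0 else spki_der       # selector Cert(0) or SPKI(1)
    return data == (DIGESTS[mtype](obj).digest() if mtype else obj)

def dane_match(rrset, chain):
    """chain: [(cert_der, spki_der), ...], leaf first. Returns the matching record.
    Record selection and matching only: signature validation of the chain up to
    a DANE-TA(2) anchor and name checks are out of scope here."""
    for rec in usable_tlsa(rrset):
        certs = chain[:1] if rec[0] == 3 else chain   # EE: leaf only, TA: any cert
        if any(matches(rec, c, k) for c, k in certs):
            return rec
    return None

def sha256(b): return hashlib.sha256(b).digest()
def sha512(b): return hashlib.sha512(b).digest()

# Constructed stand-ins for DER-encoded certificates and public keys.
LEAF, CA = (b"leaf-cert", b"leaf-spki"), (b"ca-cert", b"ca-spki")
CHAIN = [LEAF, CA]

PKIX_EE_ONLY = [(1, 1, 1, sha256(LEAF[1]))]    # no longer treated as "3 1 1"
TA_DIGEST = [(2, 0, 1, sha256(CA[0]))]         # DANE-TA(2) with a non-Full type
STALE_512 = [(3, 1, 1, sha256(LEAF[1])), (3, 1, 2, sha512(b"old-spki"))]

if __name__ == "__main__":
    for name in ("PKIX_EE_ONLY", "TA_DIGEST", "STALE_512"):
        print(name, dane_match(globals()[name], CHAIN))
```

The `STALE_512` set fails even though its SHA2-256 record matches the leaf key, because agility makes the client ignore the weaker digest; it models a key rollover in which only one of the two published digests was updated.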

Viktor Dukhovni has also checked which domains currently support DANE, and discovered more than 103,000 with TLSA records for all their MX hosts.

If you’re interested in how to secure a Postfix mail server with DANE, then you can find step-by-step instructions in our two-part article posted last year.

For more information on DANE, please also see our DNSSEC pages.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
