Deploy360 7 April 2017

Postfix 3.2 released

By Kevin Meynell, Content and Resource Manager

Postfix version 3.2 was released on 28 February 2017 and implements several changes to its DANE functionality in order to conform with RFCs 7671 and 7672, as well as operational practices.

Postfix is a free and open-source mail transfer agent that includes support for the DANE protocol. DANE can address the issue of third-party trust as it allows digital certificates to be put in the DNS and signed with DNSSEC, enabling end users to validate that the correct certificate is being used.

The particularly relevant changes are:

  • RFC 7671 digest algorithm agility will no longer be optional. This has been on by default with no observed issues.
  • Support for DANE-TA(2) records with matching types other than Full(0) will no longer be optional. These are widely used, and support has been on by default with no significant issues.
  • Support for PKIX-EE(1) TLSA records (by pretending they were really DANE-EE(3)) will be dropped, as only one of the 3420 MX hosts surveyed is using these.
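
The following is an added example, not code from the original post or from Postfix, showing how a DANE SMTP client could filter a TLSA RRset in line with the three changes above: RFC 7671 digest algorithm agility per usage/selector pair, DANE-TA(2) digest records accepted, and PKIX usages set aside. The digest ranking, the function names and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
# RFC 7672 defines SMTP use of DANE-TA(2) and DANE-EE(3); treating 0 and 1 as unusable is this example's choice.
SMTP_USAGES = {2, 3}
# Assumed client preference: higher rank = stronger digest. Full(0) is not a digest.
DIGEST_RANK = {1: 1, 2: 2}    # SHA2-256(1) < SHA2-512(2)

# Constructed sample RRset (RDATA only); the hex values are dummy data.
SAMPLE = [
    "3 1 1 " + "aa" * 32,     # DANE-EE, SPKI, SHA2-256
    "3 1 2 " + "bb" * 64,     # DANE-EE, SPKI, SHA2-512
    "2 0 1 " + "cc" * 32,     # DANE-TA, Cert, SHA2-256 (matching type other than Full)
    "1 1 1 " + "dd" * 32,     # PKIX-EE, SPKI, SHA2-256
    "2 1 0 30820122",         # DANE-TA, SPKI, Full(0)
]

def parse_tlsa(rdata):
    """Parse presentation-format TLSA RDATA: 'usage selector mtype hexdata'."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), data.replace(" ", "").lower()

def filter_rrset(rdatas):
    """Return (usable, ignored); ignored holds (record, reason) pairs."""
    usable, ignored, by_pair = [], [], defaultdict(list)
    for rec in map(parse_tlsa, rdatas):
        usage, selector, mtype, _ = rec
        if usage not in SMTP_USAGES:
            ignored.append((rec, f"{USAGE.get(usage, usage)}({usage}) unusable for SMTP"))
        elif mtype == 0:
            usable.append(rec)            # Full(0) plays no part in digest agility
        elif mtype not in DIGEST_RANK:
            ignored.append((rec, "unsupported matching type"))
        else:
            by_pair[(usage, selector)].append(rec)
    for recs in by_pair.values():         # agility is applied per usage/selector pair
        best = max(DIGEST_RANK[r[2]] for r in recs)
        for r in recs:
            if DIGEST_RANK[r[2]] == best:
                usable.append(r)
            else:
                ignored.append((r, "weaker digest for same usage/selector"))
    return usable, ignored

if __name__ == "__main__":
    usable, ignored = filter_rrset(SAMPLE)
    for rec in usable: print("use   ", rec[:3])
    for rec, why in ignored: print("ignore", rec[:3], "-", why)
```

In the sample, the SHA2-256 record for the (3, 1) pair is ignored because a SHA2-512 record exists for the same pair, while the lone SHA2-256 DANE-TA record is kept because nothing stronger competes with it.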

Viktor Dukhovni has also checked which domains currently support DANE, and discovered more than 103,000 with TLSA records for all their MX hosts.

If you’re interested in how to secure a Postfix mail server with DANE, then you can find step-by-step instructions in our two-part article posted last year.

For more information on DANE, please also see the DNSSEC pages.
