
List:       postfix-users
Subject:    Re: roundcube maillist
From:       Viktor Dukhovni <postfix-users () dukhovni ! org>
Date:       2020-08-12 6:09:26
Message-ID: 20200812060926.GL40202 () straasha ! imrryr ! org

On Wed, Aug 12, 2020 at 07:58:56AM +0200, Benny Pedersen wrote:

> In my own main.cf I added
> 
> smtp_tls_dane_insecure_mx_policy = may

Yes, that will enable you to send mail to the roundcube list.

> Should postfix default be changed to
> 
> smtp_tls_dane_insecure_mx_policy = dane_only

Definitely not.  The dane_only policy is ONLY for business partner
domains where you have a contractual or similar bilateral expectation
that DANE will be supported.

Given "smtp_tls_security_level = dane", the default value "dane" of
smtp_tls_dane_insecure_mx_policy will also enforce DANE for DANE-enabled
MX hosts of unsigned domains.  The "may" work-around disables this,
using unauthenticated opportunistic TLS instead.  You could also use
a less blunt tool, and set a temporary custom "may" TLS policy for
lists.roundcube.net in your smtp_tls_policy_maps.

Another option is to add (and later not forget to remove) what DNS
operators call an NTA (negative trust anchor) for kolabsys.com in
your DNS resolver, marking the domain artificially "insecure".

> let's hope kolapsys.com reads postfix maillists

Or perhaps they'll see my second notice.

-- 
    Viktor.
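
The narrower per-destination workaround mentioned in the reply, sketched as an added example that is not part of the original message. The file path /etc/postfix/tls_policy and the hash: table type are assumptions; use whatever path and table type your Postfix build supports.

```cfg
# /etc/postfix/main.cf
# Keep DANE as the global outbound policy.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

# Blunt workaround from the thread: downgrades every DANE-enabled MX host
# of every unsigned domain to unauthenticated opportunistic TLS.
# Left commented out so the default ("dane") stays in force.
#smtp_tls_dane_insecure_mx_policy = may

# Narrow workaround: per-destination exceptions live in a lookup table
# (path and table type are assumptions).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy
# Temporary exception: opportunistic TLS for this one next-hop domain only.
# Remove this entry once the MX host's DANE setup is repaired.
lists.roundcube.net    may

# After editing the table, rebuild it and reload Postfix:
#   postmap /etc/postfix/tls_policy
#   postfix reload
```

The table key is the next-hop domain (here the recipient domain), not the MX hostname, so only mail to that one destination loses DANE enforcement.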