postfix-users May 2014 archive

Re: Disabling Anonymous Diffie Hellman

From: Viktor Dukhovni <postfix-users_at_nospam>
Date: Wed May 21 2014 - 16:09:19 GMT
To: postfix-users@postfix.org

On Wed, May 21, 2014 at 05:44:10PM +0200, David Schweikert wrote:

> > You can use "dane" or "dane-only" per-destination if you like to
> > simplify the configuration management, no matching rules to define.
> > However, I would encourage senders en-masse to enable DANE, and
> > expect receiving systems that publish TLSA records to get it right
> > or fix it promptly. At least unlike the case with an RBL listing,
> > they can do it themselves.
>
> Still, our customers will likely react much more sensitively to their
> mails being queued (independently of the reason), compared to refusing
> incoming mails from a third party, because of mis-configuration.
> Especially, if they notice only one day later that their mails were
> being queued.

On an outbound MTA I would set something along the lines of:

    delay_warning_time = 2h

> Thanks again for all your answers! I really appreciate it.
>
> (We are working on adding DANE support to our product, btw.)

Is it an MTA? What library will you be using to handle the DANE-style
certificate chain validation? You can contact me off-list about that.

-- Viktor.
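The per-destination "dane"/"dane-only" policy and the `delay_warning_time` setting discussed above, written out as a constructed Postfix configuration (an added example, not configuration from the thread or from Postfix itself; the domain names are placeholders, and DANE support assumes Postfix 2.11 or later with a DNSSEC-validating resolver on the MTA):

```ini
# --- /etc/postfix/main.cf (constructed example) ---

# Opportunistic DANE by default: authenticate via TLSA records where the
# receiving domain publishes them, fall back to unauthenticated opportunistic
# TLS where it does not. DANE needs DNSSEC-validated lookups.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

# Per-destination overrides, looked up by next-hop domain.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Warn the sender after two hours that the message is still queued, so a
# deferral caused by a receiver's broken TLSA records surfaces the same day
# instead of at the final bounce (the value Viktor suggests above).
delay_warning_time = 2h

# --- /etc/postfix/tls_policy (constructed example) ---
# Build the map with: postmap /etc/postfix/tls_policy ; postfix reload

# Mandatory DANE: defer delivery if no usable TLSA record can be found,
# rather than falling back to unauthenticated TLS.
example.com    dane-only

# Same as the global default, listed explicitly for one partner.
example.net    dane
```

With "dane-only", a partner that breaks its TLSA records causes queued mail rather than a downgrade, which is why the delay warning matters for customer-facing senders.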