9 Apr 2015, 10:27 p.m.
On Thu, Apr 09, 2015 at 12:09:39PM -0400, John wrote:
> My resolv.conf points to google (8.8.8.8, 8.8.4.4 + their ipv6 equivalents).
1. MTAs should run their own caching resolvers, even if they forward to another caching resolver upstream (e.g. 8.8.8.8).
2. If you are doing any RBL lookups, you must not make them via an upstream forwarder (avoid looking up RBLs via 8.8.8.8 and friends).
3. If you want any security from DANE when sending outbound email to remote domains, you MUST use a local 127.0.0.1 resolver that validates DNSSEC record signatures for itself.
If you're not using 'smtp_tls_security_level = dane', then the local resolver is not essential for security, but is still a good idea.
--
Viktor.
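A way to check an MTA host against points 1 and 3 above, as an added example that is not code from the post or from Postfix: a POSIX shell script that rejects a resolv.conf whose nameservers are not loopback addresses and confirms, from saved `dig +dnssec` output, that the resolver set the AD flag, i.e. validated DNSSEC itself. File names and sample contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the post or from Postfix: checks an MTA host
# against the advice above. File names and sample contents are constructed.

# Succeed only if every "nameserver" line in a resolv.conf-format file is a
# loopback address (127.0.0.1 or ::1). A forwarder such as 8.8.8.8 fails.
resolv_is_local() {
    file="$1"
    count=0
    while read -r key val rest; do
        [ "$key" = nameserver ] || continue   # skip search/options/comments
        count=$((count + 1))
        case "$val" in
            127.*|::1) ;;                     # local resolver: ok
            *) return 1 ;;                    # upstream resolver: DANE unsafe
        esac
    done < "$file"
    [ "$count" -gt 0 ]                        # no nameserver at all: not ok
}

# Succeed if saved `dig +dnssec` output carries the AD (authenticated data)
# flag, i.e. the resolver validated the DNSSEC signatures itself. Without AD,
# the TLSA records the MTA receives are unauthenticated and DANE gives nothing.
dig_is_validated() {
    grep -E '^;; flags:.* ad[ ;]' "$1" >/dev/null
}

# Stand-alone demo on constructed inputs.
demo() {
    dir=$(mktemp -d)
    printf 'nameserver 8.8.8.8\nnameserver 8.8.4.4\n' > "$dir/resolv.google"
    printf 'search example.net\nnameserver 127.0.0.1\n' > "$dir/resolv.local"
    printf ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2\n' > "$dir/dig.ad"
    for f in "$dir/resolv.google" "$dir/resolv.local"; do
        if resolv_is_local "$f"; then echo "$f: local resolver"
        else echo "$f: NOT a local resolver"; fi
    done
    if dig_is_validated "$dir/dig.ad"; then echo "dig.ad: AD flag set"; fi
    rm -rf "$dir"
}

demo
```

Run `dig +dnssec TLSA _25._tcp.<mx-host>` against the 127.0.0.1 resolver and feed the saved output to `dig_is_validated`; a resolver that merely forwards to 8.8.8.8 without validating will not set AD.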