Yes, now I got it.

It was not designed for client authentication.
But what is the problem for Mailserver to Mailserver authentication in both directions?

All well-administered mail systems have reverse DNS configured; if that were DNSSEC-secured, perfect!
So reverse DNS, then TLSA/DNSSEC plus Certificate validation and everything would be fine for both sides!


But OK.

So I have to test outgoing connections, and if I have enabled DANE and DNSSEC and dig gives me an ad flag, my Postfix must tell me if it is Verified or not, even if my DANE isn't running yet, right?

Cheers!
-- 
Frank Fiene
IT-Security Manager VEKA Group

Phone: +49 2526 29-6200
Fax: +49 2526 29-16-6200
mailto: ffiene@veka.com
http://www.veka.com
PGP-ID: 20419C64
PGP-Fingerprint: 93FB 5525 88C0 8F40 E7FD  EAB5 BBB4 435F 2041 9C64

VEKA AG
Dieselstr. 8
48324 Sendenhorst
Deutschland/Germany

Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
HRB 8282 AG Münster/District Court of Münster

On 15.01.2015 at 16:48, Patrick Ben Koetter <p@sys4.de> wrote:

* Frank Fiene <ffiene@veka.com>:
Sorry about the confusion.

In Patrick's and Carsten's PDF file there are two examples.

I think they describe outgoing connections, right?
There are the keywords „Verified“ and „Untrusted“, so far so good.

But what about incoming connections?

At the moment it is not possible to DANE verify incoming connections.

Future DANE versions may support this. I suggested mutual
authentication when the DANE WG was re-chartered and the WG accepted it:

   http://www.ietf.org/mail-archive/web/dane/current/msg06701.html

p@rick

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court of München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein