Yes, now I got it.
It was not designed for client authentication.
But what is the problem for Mailserver to Mailserver authentication in both directions?
All well administrated mail system have reverse DNS configured, if that would be DNSSEC secured, perfect!
So reverse DNS, then TLSA/DNSSEC plus Certificate validation and everything would be fine for both sides!
But OK.
So I have to test outgoing connections, and if I have enabled DANE and DNSSEC and dig gives me an ad flag, my Postfix must tell me if it is Verified or not, even if my DANE isn't running yet, right?
Cheers!
--
Frank Fiene
IT-Security Manager VEKA Group
Phone: +49 2526 29-6200
Fax: +49 2526 29-16-6200
PGP-ID: 20419C64
PGP-Fingerprint: 93FB 5525 88C0 8F40 E7FD EAB5 BBB4 435F 2041 9C64
VEKA AG
Dieselstr. 8
48324 Sendenhorst
Deutschland/Germany
Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
HRB 8282 AG Münster/District Court of Münster
On 15.01.2015 at 16:48, Patrick Ben Koetter <p@sys4.de> wrote:
* Frank Fiene <ffiene@veka.com>:
> Sorry about the confusion.
> In Patrick's and Carsten's PDF file there are two examples.
> I think they describe outgoing connections, right?
> There are the keywords „Verified“ and „Untrusted“, so far so good.
> But what about incoming connections?

At the moment it is not possible to DANE verify incoming connections. Future DANE versions may support this. I suggested mutual authentication when the DANE WG was re-chartered and the WG accepted it: http://www.ietf.org/mail-archive/web/dane/current/msg06701.html

p@rick

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München (District Court of München): HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
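Frank's question above is how to see from Postfix whether an outgoing connection came out "Verified" or "Untrusted". The script below is an added example, not code from this thread or from the Postfix project: it reads constructed sample lines in the format the Postfix smtp client logs for outbound TLS handshakes, groups them by trust level, and lists destinations that were reached without a Verified handshake. It deliberately ignores postfix/smtpd (inbound) lines, since, as Patrick says, incoming connections are not DANE verified.

```python
import re
from collections import Counter

# Constructed sample lines in the outbound TLS log format Postfix's smtp client
# writes (the trust level is the first word after "postfix/smtp[pid]: ").
SAMPLE_LOG = """\
Jan 15 16:48:01 mx1 postfix/smtp[2231]: Verified TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 15 16:48:05 mx1 postfix/smtp[2231]: Untrusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)
Jan 15 16:48:09 mx1 postfix/smtp[2240]: Trusted TLS connection established to smtp.example.com[203.0.113.4]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 15 16:48:12 mx1 postfix/smtp[2240]: Anonymous TLS connection established to relay.example.com[203.0.113.9]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Jan 15 16:48:15 mx1 postfix/smtpd[2250]: Anonymous TLS connection established from client.example.net[198.51.100.20]: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
"""

# Only postfix/smtp (outbound) lines carry a DANE-relevant verdict; postfix/smtpd
# (inbound) lines are deliberately not matched, because incoming connections
# are not DANE verified.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Verified|Trusted|Untrusted|Anonymous) TLS connection "
    r"established to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def parse_outbound_tls(log_text):
    """Return one dict per outbound TLS handshake found in the log text."""
    records = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def trust_level_counts(records):
    """Count handshakes per trust level. 'Verified' is the only level meaning the
    peer certificate matched the configured policy (e.g. its TLSA data)."""
    return Counter(r["level"] for r in records)


def unverified_destinations(records):
    """Sorted list of remote hosts reached without a Verified handshake."""
    return sorted({r["host"] for r in records if r["level"] != "Verified"})


if __name__ == "__main__":
    recs = parse_outbound_tls(SAMPLE_LOG)
    print(dict(trust_level_counts(recs)))
    print(unverified_destinations(recs))
```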