Hi Viktor,
On Monday, 25.09.2023 at 17:44 -0400, Viktor Dukhovni wrote:
> On Mon, Sep 25, 2023 at 11:02:53PM +0200, Erwin Hoffmann wrote:
> Perhaps qmail simply does not support DANE-TA(2) records (considers them "unusable"), in which case it would presumably treat the domain as though DANE was not deployed.
> Though perhaps regrettable, such minimal DANE implementations (that support only DANE-EE(3)) are not unheard of. That's fine, mail should still be delivered...
I've already implemented your advice here. Actually, publishing DANE-TA(2) fingerprints without considering the MTA's cert (as Lutz explained) was not considered in my (as you say correctly: minimal) approach.
In the forthcoming version of s/qmail (note: s/qmail is not qmail), I will do FP tests on the entire cert chain, in order to cope with this case.
Thanks to you and Lutz for shedding some light on that issue.
Regards. --eh.
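The difference discussed in this thread, illustrated as an added example that is not s/qmail's or qmail's code: a minimal DANE client that matches TLSA fingerprints only against the leaf certificate finds DANE-TA(2) records "unusable" (and falls back to treating the domain as though DANE were not deployed), whereas a client that tests the whole presented chain can honour them. Certificates are stood in for by constructed byte strings (full "DER" and "SPKI" placeholders); the TLSA field values follow RFC 6698 (usage 2/3, selector 0/1, matching type 1/2). Chain signature validation up to the matched trust anchor and hostname checks are out of scope and noted in comments.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Sequence

# TLSA certificate usages relevant to opportunistic DANE for SMTP (RFC 7672)
DANE_TA = 2  # trust anchor: fingerprint may match any certificate in the presented chain
DANE_EE = 3  # end entity: fingerprint must match the leaf certificate


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate (constructed): full DER bytes and its SPKI bytes."""
    der: bytes
    spki: bytes


def association_data(cert: Cert, selector: int, matching_type: int) -> bytes:
    """Compute the 'certificate association data' a TLSA record is compared against."""
    selected = cert.der if selector == 0 else cert.spki
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def record_matches(record: TLSARecord, chain: Sequence[Cert]) -> Optional[int]:
    """Return the index in `chain` (0 = leaf) of the certificate matching `record`, or None.

    DANE-EE(3) is compared against the leaf only; DANE-TA(2) against every
    certificate the server presented (RFC 7671 asks servers using DANE-TA to
    include the trust anchor certificate in the chain for exactly this reason).
    Usages 0 and 1 (PKIX-*) would additionally need public-CA path validation
    and are ignored here.
    """
    if record.usage == DANE_EE:
        candidates = chain[:1]
    elif record.usage == DANE_TA:
        candidates = chain
    else:
        return None
    for i, cert in enumerate(candidates):
        if association_data(cert, record.selector, record.matching_type) == record.data:
            return i  # note: a real client must still verify signatures up to a matched TA
    return None


def dane_verify(records: List[TLSARecord], chain: Sequence[Cert],
                leaf_only: bool = False) -> Optional[bool]:
    """Evaluate a TLSA RRset against a presented chain.

    Returns True/False for a verified/failed DANE check, or None when no record is
    usable (the client must then behave as if DANE were not deployed).  `leaf_only`
    emulates the minimal implementation that supports DANE-EE(3) only.
    """
    usable = [r for r in records
              if r.usage == DANE_EE or (r.usage == DANE_TA and not leaf_only)]
    if not usable:
        return None
    return any(record_matches(r, chain) is not None for r in usable)


# Constructed sample chain: leaf, intermediate, trust-anchor root.
LEAF = Cert(der=b"constructed-leaf-der", spki=b"constructed-leaf-spki")
INTERMEDIATE = Cert(der=b"constructed-ica-der", spki=b"constructed-ica-spki")
ROOT = Cert(der=b"constructed-root-der", spki=b"constructed-root-spki")
CHAIN = [LEAF, INTERMEDIATE, ROOT]

# "3 1 1": SHA-256 of the leaf's SPKI.   "2 0 1": SHA-256 of the root's full cert.
EE_RECORD = TLSARecord(3, 1, 1, hashlib.sha256(LEAF.spki).digest())
TA_RECORD = TLSARecord(2, 0, 1, hashlib.sha256(ROOT.der).digest())

if __name__ == "__main__":
    print("EE record, any client:      ", dane_verify([EE_RECORD], CHAIN))
    print("TA record, leaf-only client:", dane_verify([TA_RECORD], CHAIN, leaf_only=True))
    print("TA record, full-chain client:", dane_verify([TA_RECORD], CHAIN))
```

Running the block prints `True`, `None` and `True` in that order: the leaf-only client has no usable record for a zone publishing only "2 0 1" data, while the full-chain client matches it at the root.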