"VD" == Viktor Dukhovni ietf-dane@dukhovni.org writes:
VD> Postfix will not use any "distribution provided" Web PKI CAs when
VD> doing DANE authentication. In particular it maps usage PKIX-EE(1)
VD> to DANE-EE(3).
Perhaps not, but one still gets Trusted in the logs when sending to sites like goog where each MX has a CA-signed cert.
VD> This is not useful. Neither "may" nor "dane" make any use of such
VD> certificates, they just slow down smtp(8) process startup.
Not every destination has tlsa.
VD> These are used for "secure", but that's for designated destinations,
VD> and should generally be much more selective about which CAs to
VD> trust in that context.
It is a step up from Untrusted.
I do, of course, still prefer that all destinations support dane.
But until then....
-JimC
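As an added illustration (not part of this thread or of Postfix's own documentation), the configuration shape Viktor is describing: a "dane" default for ordinary delivery, no global CA bundle, and a designated "secure" destination that trusts only its own anchor file. The domain, file paths and CA file name are placeholders.

```ini
# /etc/postfix/main.cf (added example; paths and domain are placeholders)

# DANE requires DNSSEC-validated lookups via a local validating resolver.
smtp_dns_support_level = dnssec

# Default level "dane": authenticate against TLSA records where they are
# published, and fall back to opportunistic ("may") TLS where they are not.
# The distribution Web PKI bundle plays no part in DANE verification;
# as noted in the thread, PKIX-EE(1) is treated as DANE-EE(3).
smtp_tls_security_level = dane

# Per-destination overrides live in the policy table below.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# No global CA bundle: at the "may" and "dane" levels it is never consulted
# and only adds smtp(8) startup cost. "Trusted" will therefore not appear
# in logs for non-DANE destinations; "Verified" appears for DANE matches.
smtp_tls_CAfile =

# Log the per-connection verification outcome (Untrusted/Trusted/Verified).
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy (added example; run "postmap" after editing)
# Designated destination: mandatory authenticated TLS, but only against a
# dedicated trust-anchor file for that peer rather than every public CA.
# example.net  secure match=example.net:.example.net tafile=/etc/postfix/example-net-ca.pem
```

With this split, public CAs are only trusted where a "secure" policy names them, which is the selectivity the quoted reply asks for.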