On Mon, Jan 19, 2015 at 11:33:36AM -0500, James Cloos wrote:
> WB> The DANE validator
> WB> https://dane.sys4.de/smtp/education.lu
> WB> says: "Unusable TLSA Records". Most likely because it is type 1 not allowed
> WB> for DANE-SMTP?
> There is little reason not to accept the distribution-provided /etc/ssl/certs certificates when sending mail.
Postfix will not use any "distribution provided" Web PKI CAs when doing DANE authentication. In particular it maps usage PKIX-EE(1) to DANE-EE(3).
> The postfix config string to do that is:
>
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
This is not useful. Neither "may" nor "dane" make any use of such certificates; they just slow down smtp(8) process startup.
These are used for "secure", but that's for designated destinations, and one should generally be much more selective about which CAs to trust in that context.
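To make the difference between the validator's verdict and the client behaviour described above concrete, here is an added Python example (not Postfix code, and not part of the original thread). It parses TLSA records in presentation format, then classifies them two ways: a strict validator that treats the PKIX usages as unusable, and a Postfix-style client that remaps PKIX-EE(1) to DANE-EE(3) as stated above. The additional PKIX-TA(0) to DANE-TA(2) remap, the certificate bytes and the record set are all constructed assumptions for the demonstration; the matching step compares hashes only and does not do PKIX or DANE-TA chain building.

```python
"""Classify TLSA records the way the thread describes: a strict validator
rejects PKIX usages, while a Postfix-style client remaps them."""
import hashlib
from dataclasses import dataclass, replace
from typing import List, Optional

DANE_TA, DANE_EE = 2, 3
# The thread states PKIX-EE(1) -> DANE-EE(3). Mapping PKIX-TA(0) -> DANE-TA(2)
# is an assumption added here for symmetry.
PKIX_TO_DANE = {0: DANE_TA, 1: DANE_EE}
SUPPORTED_SELECTORS = {0, 1}                      # 0 = full cert, 1 = SubjectPublicKeyInfo
HASHES = {1: hashlib.sha256, 2: hashlib.sha512}   # matching type 0 = exact bytes


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def parse_tlsa(rr: str) -> TLSA:
    """Parse presentation format '<usage> <selector> <mtype> <hex ...>'."""
    fields = rr.split()
    if len(fields) < 4:
        raise ValueError(f"malformed TLSA record: {rr!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def normalize(rec: TLSA, remap_pkix: bool) -> Optional[TLSA]:
    """Return the record as the client will evaluate it, or None if unusable."""
    if rec.selector not in SUPPORTED_SELECTORS or rec.mtype not in (0, *HASHES):
        return None                                  # unknown selector/matching type
    if rec.usage in (DANE_TA, DANE_EE):
        return rec
    if remap_pkix and rec.usage in PKIX_TO_DANE:
        return replace(rec, usage=PKIX_TO_DANE[rec.usage])
    return None                                      # strict validator: "Unusable"


def usable_records(rrset: List[str], remap_pkix: bool) -> List[TLSA]:
    """Parse and normalize a whole RRset, dropping unusable records."""
    out = []
    for rr in rrset:
        rec = normalize(parse_tlsa(rr), remap_pkix)
        if rec is not None:
            out.append(rec)
    return out


def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one candidate certificate (EE for usage 3, an issuer for usage 2)
    against the record's association data. Hash comparison only."""
    material = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return material == rec.data
    return HASHES[rec.mtype](material).digest() == rec.data


# Constructed stand-ins: these are NOT real DER encodings.
CERT_DER = b"constructed placeholder: not a real DER certificate"
SPKI_DER = b"constructed placeholder: not a real SubjectPublicKeyInfo"

# Constructed RRset covering the cases discussed above.
SAMPLE_RRSET = [
    "1 1 1 " + hashlib.sha256(SPKI_DER).hexdigest(),   # PKIX-EE: strict tools reject it
    "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest(),   # DANE-EE, SPKI SHA-256
    "2 0 2 " + hashlib.sha512(CERT_DER).hexdigest(),   # DANE-TA, full cert SHA-512
    "3 1 9 " + "00" * 32,                              # unknown matching type: unusable
]


def summarize(rrset: List[str] = SAMPLE_RRSET) -> dict:
    """Count usable records under both policies and how many DANE-EE ones match."""
    strict = usable_records(rrset, remap_pkix=False)
    relaxed = usable_records(rrset, remap_pkix=True)
    ee_hits = sum(matches(r, CERT_DER, SPKI_DER) for r in relaxed if r.usage == DANE_EE)
    return {"strict": len(strict), "relaxed": len(relaxed), "ee_matches": ee_hits}


if __name__ == "__main__":
    print(summarize())
```

With the constructed RRset the strict policy keeps two records and the remapping policy keeps three; an RRset consisting only of a usage-1 record is empty under the strict policy, which is the "Unusable TLSA Records" outcome, while the remapping client still has a DANE-EE association to match against.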