Hi Viktor,

On Monday, 25.09.2023 at 17:44 -0400, Viktor Dukhovni wrote:
> On Mon, Sep 25, 2023 at 11:02:53PM +0200, Erwin Hoffmann wrote:
> 
> > 
> 
> Perhaps qmail simply does not support DANE-TA(2) records (considers
> them "unusable"), in which case it would presumably treat the domain
> as though DANE was not deployed.
> 
> Though perhaps regrettable, such minimal DANE implementations (that
> support only DANE-EE(3)) are not unheard of.  That's fine, mail should
> still be delivered...

I've already implemented your advice here. Actually, publishing
DANE-TA(2) fingerprints without considering the MTA's cert (as Lutz
explained) was not considered in my (as you say correctly: minimal)
approach.

In the forthcoming version of s/qmail (note: s/qmail is not qmail),
I will do FP tests on the entire cert chain, in order to cope with
this case.

Thanks to you and Lutz for shedding some light on that issue.


Regards.
--eh.

-- 
Dr. Erwin Hoffmann | www.fehcom.de
PGP key-id: 20FD6E671A94DC1E
PGP key-fingerprint:  8C6B 155B 0FDA 64F1 BCCE A6B9 20FD 6E67 1A94 DC1E
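
Added example, not part of the original message and not s/qmail code: a sketch of TLSA matching that contrasts a DANE-EE(3)-only client with one that also tests DANE-TA(2) records against the certificates above the leaf. The names TLSA, Cert, usable and find_match are hypothetical, the "certificates" are constructed byte strings, and the example assumes the caller has already extracted each certificate's DER and SubjectPublicKeyInfo.

```python
import hashlib
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 2 = DANE-TA, 3 = DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA2-256, 2 = SHA2-512
    data: bytes

class Cert(NamedTuple):
    der: bytes     # full certificate (DER)
    spki: bytes    # its SubjectPublicKeyInfo (DER)

_DIGEST = {0: lambda b: b,
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def usable(rrset, ee_only=False):
    """Records the client can act on. An empty result means the client
    treats the domain as though DANE was not deployed."""
    return [rr for rr in rrset
            if rr.selector in (0, 1) and rr.mtype in _DIGEST
            and (rr.usage == 3 or (rr.usage == 2 and not ee_only))]

def record_matches(rr, cert):
    blob = cert.der if rr.selector == 0 else cert.spki
    return _DIGEST[rr.mtype](blob) == rr.data

def find_match(rrset, chain, ee_only=False):
    """Return (record, depth) of the first match, else None.
    chain[0] is the leaf; ee_only=True models a DANE-EE(3)-only client.
    Assumption of this sketch: DANE-TA(2) is tested at depth >= 1 only.
    A TA match is not sufficient on its own: the chain from the leaf up
    to the matched certificate must still be validated."""
    for rr in usable(rrset, ee_only):
        depths = [0] if rr.usage == 3 else range(1, len(chain))
        for depth in depths:
            if record_matches(rr, chain[depth]):
                return rr, depth
    return None

# Constructed stand-ins for a presented chain (not real certificates).
LEAF = Cert(b"leaf-cert-der", b"leaf-spki-der")
INTERMEDIATE = Cert(b"intermediate-cert-der", b"intermediate-spki-der")
ROOT = Cert(b"root-cert-der", b"root-spki-der")
CHAIN = [LEAF, INTERMEDIATE, ROOT]

# Constructed RRset: a single "2 1 1" record pinning the intermediate's key.
TA_ONLY = [TLSA(2, 1, 1, hashlib.sha256(INTERMEDIATE.spki).digest())]

if __name__ == "__main__":
    print("EE-only client:", find_match(TA_ONLY, CHAIN, ee_only=True))
    print("chain-aware client:", find_match(TA_ONLY, CHAIN))
```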
