From 782ad04b105fb130d8d645f26beb4f51cf2933de Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Thu, 19 Jun 2014 01:58:14 +0000
Subject: [PATCH] use DANE when sending mail: if the recipient MX has a DANE TLSA record in DNS then Postfix will necessarily encrypt the mail in transport

---
 setup/mail.sh | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/setup/mail.sh b/setup/mail.sh
index 6c4d2da3..c18379d6 100755
--- a/setup/mail.sh
+++ b/setup/mail.sh
@@ -59,9 +59,16 @@ tools/editconf.py /etc/postfix/main.cf \
 smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
 smtpd_tls_received_header=yes
 
-# When connecting to remote SMTP servers, prefer TLS.
+# When connecting to remote SMTP servers, prefer TLS and use DANE if available.
+# Postfix queries for the TLSA record on the destination MX host. If no TLSA records are found,
+# then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records
+# or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC
+# itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also
+# relies on our local bind9 server being present and smtp_dns_support_level being set to dnssec
+# to use it.
 tools/editconf.py /etc/postfix/main.cf \
-smtp_tls_security_level=may \
+smtp_tls_security_level=dane \
+smtp_dns_support_level=dnssec \
 smtp_tls_loglevel=2
 
 # Who can send outbound mail?
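Review bot: The new comment block misstates the failure mode for a DANE-protected MX whose certificate does not match its TLSA records: at a mandatory TLS level Postfix defers the delivery and keeps retrying until the queue lifetime expires, rather than bouncing it outright, so `# or else the mail bounces.` should read `# or else delivery is deferred (it bounces only once the queue lifetime expires).` The line `# relies on our local bind9 server being present` should also say why locality matters: `smtp_dns_support_level=dnssec` makes Postfix trust the AD bit on resolver replies, which is only meaningful when the resolver is reached over a trusted path, so it is worth adding `# The DNSSEC (AD) bit is only trustworthy over loopback, so /etc/resolv.conf must list only the local validating resolver.` Nothing in the hunk checks that the installed Postfix understands the `dane` security level (it is a Postfix 2.11+ feature, so a version guard or at least a comment stating the minimum version before the editconf call would help). The editconf call shown in the hunk header (`tools/editconf.py /etc/postfix/main.cf \`) begins before the hunk; the invocation that the hunk modifies is complete within it.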