enable_dane
Since: Version 2023.11.28-b5252a41
The functionality described in this outlined box requires version 2023.11.28-b5252a41 of KumoMTA, or a more recent version.
When set to true
(the default is false
), then TLSA
records will be
resolved securely to determine the destination site policy for TLS according
to DANE.
If TLSA records are available, then the effective value of enable_tls
will
be treated as though it were set to "Required"
and the OpenSSL DANE implementation
will be used to verify the server certificate against the TLSA records found
in DNS.
Use of DANE also requires functioning DNSSEC in your DNS resolver; you
will need to configure the libunbound
resolver to successfully use DANE:
kumo.on('init', function()
kumo.dns.configure_unbound_resolver {
options = {
-- Enable DNSSEC
validate = true,
},
-- By default, if you omit `name_servers`, unbound will
-- resolve via the root resolvers.
-- We strongly recommend deploying local caching nameservers
-- and referencing them here:
-- name_servers = { '1.1.1.1:53' },
}
end)
The following nine settings control the timeouts waiting for responses to various SMTP commands.
The value is specified as a integer in seconds, or as a string using syntax
like "2min"
for a two minute duration.