On 04/27/2016 01:06 AM, Brandon Vincent wrote: > On Wed, Apr 27, 2016 at 1:04 AM, Alice Wonder <alice at domblogger.net> wrote: >> Not with a smtp that enforces DANE. > > I'm aware of how DANE works. > > The only problem is no MTA outside of Postfix implements it. > > You can thank the hatred of DNSSEC for that. > I never understood the hatred for DNSSEC. When I first read about it, it was like a beautiful epiphany. But DNSSEC adoption is increasing. I keep seeing the green DNSSEC icon in my browser more and more often, when I first started using it was rare. But the point is, other mail servers may not have implemented yet but Postfix has implemented it, and the stock version in RHEL / CentOS is too old. Barely too old, but too old. Thus better security it achieved by running a newer version. Especially since adoption is in fact increasing.