From 8f3f2aa57820fa077a13d4e29efe2b97a7d9aa98 Mon Sep 17 00:00:00 2001 From: Dennis Baaten Date: Fri, 12 Apr 2019 22:39:44 +0200 Subject: [PATCH] Updated DANE how to (markdown) --- DANE-how-to.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/DANE-how-to.md b/DANE-how-to.md index 3f451df..48e484f 100644 --- a/DANE-how-to.md +++ b/DANE-how-to.md @@ -75,11 +75,18 @@ With this information we can create a rollover DNS record for DANE: # Implementing DANE for inbound e-mail traffic ## Configuring Postfix -Postfix plays an important role in using DANE when available. +Postfix plays an important role in using DANE for validating the when available. Make sure the following entries are present in **/etc/postfix/main.cf** > smtp_dns_support_level = dnssec + +This setting tells Postfix to perform DNS lookups using DNSSEC. This is an important prerequisite for DANE to be effective, since regular DNS lookups can be manipulated. + > smtp_tls_security_level = dane + +The "dane" level is a stronger form of opportunistic TLS that is resistant to man in the middle and downgrade attacks when the destination domain uses DNSSEC to publish DANE TLSA records for its MX hosts. If a remote SMTP server has "usable" (see section 3 of RFC 7672) DANE TLSA records, the server connection will be authenticated. When DANE authentication fails, there is no fallback to unauthenticated or plaintext delivery. +The Postfix SMTP client supports only certificate usages "2" and "3". + > smtp_host_lookup = dns > smtp_tls_note_starttls_offer = yes > smtpd_tls_CAfile = /path/to/ca-bundle-file.crt
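Review bot: the rewritten first line of the hunk is missing a noun: "+Postfix plays an important role in using DANE for validating the when available." reads as an unfinished edit. It should say what is being validated, e.g. "using DANE for validating the remote mail server's certificate when available", or the original "using DANE when available" should be restored. The added paragraph under smtp_dns_support_level = dnssec is a useful explanation, but it would help readers to add that the "dnssec" level only protects against manipulated lookups when Postfix talks to a DNSSEC-validating resolver over a trusted path (for example a validating resolver on localhost), since Postfix relies on that resolver's validation result; an "upstream" resolver reached over an untrusted network would undo the benefit the paragraph describes. The rest of the added text (no fallback to unauthenticated delivery on DANE failure, only certificate usages 2 and 3 supported) is consistent with the Postfix "dane" security level and can stay as written.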