
Mail Server Hardening: DANE, DNSSEC, TLSA and Secure TLS on FreeBSD

Motivation

Running your own mail server goes far beyond simply sending and receiving messages. With the rise of TLS downgrade attacks, spoofing, and SMTP traffic interception, adopting modern standards like DANE, DNSSEC, and TLSA is no longer optional for anyone who takes security seriously. This post documents the hardening process of a mail server running Postfix 3.11 on FreeBSD, all the way to achieving 100% on Internet.nl, with a Hall of Fame entry. ...