Dear list,

I'm currently implementing a mail service according to the (very) high standards of the German BSI specification "BSI TR-03108 Secure Email-Transport, Version 2.0", see https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03108/TR03108.pdf?__blob=publicationFile&v=3

I already did about 90% of the long way and have DNSSEC + DANE TLSA in/outgoing and all that standard-stuff like MTA-STS, DKIM, DMARC incoming and outgoing reporting in place.

The very thorough email-test at https://internet.nl gives a perfect 100/100 for that domain.

Now I'm missing one piece: TLS reporting to senders, like the reports a few big players such as Gmail send us when we publish something like

_smtp._tls TXT "v=TLSRPTv1; rua=mailto:tls-repo...@mydomain.de";

in our shiny DNSSEC signed zone.

Does anyone have a hint how this could be done with Postfix and perhaps additional tools?

I know it can't be a milter, and on the postfix-users mailing list Viktor Dukhovni himself stated, at least in 2022, that there is no support in Postfix for TLS reporting (RFC 8460) and that even all Postfix logging is not sufficient to generate conforming TLS reports from logs.

Bye

--

Ralf Schenk

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
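
On the sending side of RFC 8460, the first step is reading the recipient's `_smtp._tls` TXT record and extracting its `rua` endpoints. The sketch below is an added example, not part of the original post and not Postfix code; the function names and sample records are constructed, and the DNS lookup itself is assumed to happen elsewhere.

```python
# Added example: parse TLSRPT policy records (RFC 8460, section 3).
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"mailto", "https"}  # the two report transports RFC 8460 defines

# Constructed sample TXT answer set for _smtp._tls.example.com
SAMPLE_TXT = [
    "unrelated TXT data",
    "v=TLSRPTv1; rua=mailto:tlsrpt@example.com, https://rpt.example.net/v1 ;",
]


def parse_tlsrpt_record(txt):
    """Return the rua URIs of one TXT string, or None if invalid or without rua."""
    fields = [f.strip() for f in txt.strip().split(";")]
    if fields and fields[-1] == "":      # a trailing ';' is allowed
        fields.pop()
    if len(fields) < 2 or fields[0] != "v=TLSRPTv1":
        return None                      # version must come first, case-sensitive
    ruas = []
    for field in fields[1:]:
        name, sep, value = field.partition("=")
        if not sep or not name or not value:
            return None                  # malformed or empty field
        if name != "rua":
            continue                     # unknown extension fields are ignored
        for uri in (u.strip() for u in value.split(",")):
            parts = urlsplit(uri)
            if parts.scheme not in ALLOWED_SCHEMES:
                return None
            if parts.scheme == "mailto" and "@" not in parts.path:
                return None
            if parts.scheme == "https" and not parts.netloc:
                return None
            ruas.append(uri)
    return ruas or None


def select_rua(txt_records):
    """Apply the 'exactly one TLSRPTv1 record' rule to a TXT answer set."""
    candidates = [r for r in txt_records if r.startswith("v=TLSRPTv1")]
    if len(candidates) != 1:
        return None                      # zero or several records: no TLSRPT
    return parse_tlsrpt_record(candidates[0])
```

A `None` result means the recipient domain is treated as not implementing TLSRPT, so no report is generated for it.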
