The only reference Google appears to find on this list to MTA-STS indicates that folks should use an external MTA-STS resolver as a part of smtp_tls_policy_maps (the one by Snawoot on GitHub appears to be good). Sadly, I don't believe it's possible to properly capture the DANE/MTA-STS interaction using smtp_tls_policy_maps. Specifically, the MTA-STS RFC states:

"senders who implement MTA-STS validation MUST NOT allow MTA-STS Policy validation to override a failing DANE validation."

I read this to imply that a domain with both MTA-STS and DANE must both match the DANE certificate fingerprint *and* have a certificate which is validated by a Certificate Authority for the correct hostname(s) per MTA-STS. This doesn't seem possible with smtp_tls_policy_maps: either you return that a domain must be secured by TLS Certificate Authorities, or you require DANE, but I don't see a way to require both. While you could simply use DANE for such domains, as it's strictly more secure given Certificate Authority policies, having your MTA-STS resolver calculate DANE policy seems strange, especially when it would have to match Postfix's DANE policy exactly (and avoid any DNS TTL issues whereby the MTA-STS resolver gets a different response than Postfix).

Did I miss something? Any chance we could get proper MTA-STS support built into Postfix?

Thanks,
Matt
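As an added illustration (example code, not part of the post above or of any real resolver), the following parses an MTA-STS policy file and emits the smtp_tls_policy_maps entry for a domain, taking the "just use DANE for such domains" approach the post describes: whether the domain publishes TLSA records is passed in as a boolean (a real resolver would look that up in DNS), and a DANE-enabled domain gets "dane-only" so the MTA-STS policy can never weaken the DANE check. The sample policy text is constructed for the example.

```python
# Constructed sample policy, in the RFC 8461 "key: value" policy-file format.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""

def parse_mta_sts_policy(text):
    """Parse an MTA-STS policy file into a dict with version, mode, max_age, mx."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)      # several mx lines are allowed
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported MTA-STS policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS mode")
    if policy["mode"] == "enforce" and not policy["mx"]:
        raise ValueError("enforce mode requires at least one mx entry")
    return policy

def postfix_policy(domain, policy, has_tlsa):
    """Return the smtp_tls_policy_maps line for domain.

    DANE wins when TLSA records exist ("dane-only"), so MTA-STS can never
    override a failing DANE validation.  Otherwise an enforce policy becomes
    "secure" with match= built from the mx patterns; the MTA-STS wildcard
    "*.example.com" is written in Postfix's subdomain form ".example.com".
    """
    if has_tlsa:
        return f"{domain} dane-only"
    if policy["mode"] != "enforce":
        return f"{domain} may"          # testing/none: opportunistic TLS only
    patterns = [mx[1:] if mx.startswith("*.") else mx for mx in policy["mx"]]
    return f"{domain} secure match={':'.join(patterns)}"

if __name__ == "__main__":
    pol = parse_mta_sts_policy(SAMPLE_POLICY)
    print(postfix_policy("example.com", pol, has_tlsa=False))
    print(postfix_policy("example.com", pol, has_tlsa=True))
```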