On Sat, Jul 04, 2020 at 01:54:14PM -0400, Matt Corallo wrote:

> The only reference google appears to find on this list to MTA-STS indicates
> that folks should use an external MTA-STS resolver as a part of
> smtp_tls_policy_maps (the one by Snawoot on GitHub appears to be good).
> Sadly, I don't believe it's possible to properly capture the DANE/MTA-STS
> interaction using smtp_tls_policy_maps - specifically, the MTA-STS RFC states:
>
>     senders who implement MTA-STS validation MUST NOT allow MTA-STS
>     Policy validation to override a failing DANE validation.

Yes, but for now, with deployment of both rather thin, and the intersection
practically empty, it is OK to accept MTA-STS success even if perhaps the
DANE policy would have failed.

> This doesn't seem possible with smtp_tls_policy_maps - either you
> return that a domain must be secured by TLS Certificate Authorities,
> or you require DANE, but I don't see a way to require both.

Yes, there is no mechanism to validate both, or to have existence of TLSA
records suppress the MTA-STS resolver policy.

> Did I miss something? Any chance we could get proper MTA-STS support
> built into Postfix?

Probably not this year. I'll be more motivated when I see Google supporting
DANE outbound. Also at least inbound on mx[1-4].smtp.goog, which are already
signed, thus not publishing the associated TLSA RRs smacks of negligence to
me.

-- 
	Viktor.
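As an added illustration of the precedence rule quoted above (this is example code, not part of the thread and not Postfix's own mechanism), the following sketches how an external smtp_tls_policy_maps resolver could give DANE priority: any MX with TLSA records yields "dane-only", and only otherwise is the MTA-STS policy translated into a "secure match=..." entry. The TLSA lookup is an injected stub (assumed signature: hostname -> bool), and the policy text is a constructed sample.

```python
# Added example: apply "MTA-STS MUST NOT override a failing DANE validation"
# inside a policy-map style decision. Not Postfix code; the TLSA check is a
# caller-supplied stub standing in for a DNSSEC-validated TLSA query.
from typing import Callable, List, Optional, Tuple

# Constructed sample MTA-STS policy file (the text served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt in RFC 8461).
EXAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.backup.example.com\n"
    "max_age: 604800\n"
)

def parse_mta_sts_policy(text: str) -> Tuple[Optional[str], List[str]]:
    """Return (mode, mx patterns) from the 'key: value' lines of a policy."""
    mode, mx_patterns = None, []
    for line in text.splitlines():
        if ":" not in line:
            continue  # ignore blank or malformed lines
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mode":
            mode = value
        elif key == "mx":
            mx_patterns.append(value)
    return mode, mx_patterns

def mx_to_postfix_match(pattern: str) -> str:
    """MTA-STS wildcard '*.example.com' becomes Postfix's '.example.com'."""
    return pattern[1:] if pattern.startswith("*.") else pattern

def effective_tls_policy(mx_hosts: List[str], policy_text: str,
                         has_tlsa: Callable[[str], bool]) -> str:
    """Pick the smtp_tls_policy_maps value for a destination's MX hosts."""
    # DANE first: if any MX publishes TLSA records, require DANE so that an
    # MTA-STS result can never paper over a failing DANE validation.
    if any(has_tlsa(mx) for mx in mx_hosts):
        return "dane-only"
    mode, mx_patterns = parse_mta_sts_policy(policy_text)
    if mode == "enforce" and mx_patterns:
        match = ":".join(mx_to_postfix_match(p) for p in mx_patterns)
        return f"secure match={match}"
    # 'testing', 'none' or no usable policy: opportunistic TLS only.
    return "may"
```

This only checks that TLSA records exist; it does not validate them, so a destination whose TLSA records are present but broken still gets "dane-only" and fails closed rather than falling back to MTA-STS.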