I am looking for input on how to implement a DANE- and MTA-STS-capable
Postfix setup which is able to produce SMTP TLS reports (RFC8460).
Right now I see several obstacles.
There is postfix-mta-sts-resolver [1], and my first reflex was to use it
with smtp_tls_policy_maps as documented, and fall back to DANE via
smtp_tls_security_level = dane
However, this violates RFC8461:
MTA-STS validation MUST NOT allow MTA-STS Policy validation to
override a failing DANE validation
Neither
smtp_tls_policy_maps = static:dane, socketmap:...
nor
smtp_tls_policy_maps = static:dane-only, socketmap:...
solves the problem without introducing another, so it seems to me that
one would need a postfix-mta-sts-and-dane-resolver.
Apart from that, how would Postfix expose information needed in an SMTP
TLS report?
Successful DANE and MTA-STS deliveries are both logged as "Verified TLS
connection". How to distinguish them?
Do loglines like "Server certificate not trusted" and "Server
certificate not verified" reveal whether a mail is deferred due to DANE
or MTA-STS (which is implemented by [1] via the "secure" TLS security
level)? If they do, it is not apparent.
How does one obtain the effective result type [2] of a delivery attempt?
How to obtain the effective policy-string [3], especially in a DANE context?
It would be error-prone to fetch a policy out-of-band, as it is not
guaranteed that an out-of-band policy discovery mechanism will receive
the same DNS replies as Postfix did.
Thanks.
[1] https://github.com/Snawoot/postfix-mta-sts-resolver
[2] https://datatracker.ietf.org/doc/html/rfc8460#section-6.6
[3] https://datatracker.ietf.org/doc/html/rfc8460#section-4.4