I definitely suggest looking into RFC 7672 SMTP-DANE instead of MTA-STS. SMTP-DANE is more secure than MTA-STS, and in my "samples" also more widely adopted than MTA-STS. In my view, MTA-STS is only interesting if you do not want to adopt DNSSEC.

Postfix supports DANE out of the box, but you have to use a DNSSEC-aware resolver and configure appropriately.

Best Regards,
Joachim

-----Original Message-----
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On Behalf Of post...@ptld.com
Sent: Friday, 26 August 2022 16:24
To: postfix-users@postfix.org
Subject: Re: MTA-STS implementation

> On 08-26-2022 10:08 am, Paul Kingsnorth wrote:
> MTA-STS seems to be getting more widespread. I wondered how many people are
> using the postfix-mta-sts-resolver from Snawoot, and whether there are any
> standout good/bad features of it? Or whether there are any other ways of
> implementing MTA-STS with postfix?

Wouldn't setting smtpd_tls_security_level=encrypt have the same desired effect of what MTA-STS is trying to solve? Granted you would be preventing other MTAs from delivering if they aren't using STARTTLS. Or is there more going on with MTA-STS than what I understand?
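
The first message in this thread says Postfix needs a DNSSEC-aware resolver and matching configuration for DANE. The following Python check is an added example, not part of any message in the thread and not Postfix code: it audits main.cf and resolv.conf text for the outbound DANE prerequisites. The function names, the loopback-resolver rule (a heuristic) and the sample files are assumptions of this example; `smtp_tls_security_level` and `smtp_dns_support_level` are the Postfix SMTP client parameters.

```python
import re

DANE_LEVELS = {"dane", "dane-only"}

def parse_main_cf(text):
    """main.cf syntax: '#' comment lines, 'name = value', a line starting
    with whitespace continues the previous one, last definition wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params

def audit_dane(main_cf, resolv_conf):
    """Return a list of findings; an empty list means outbound DANE is on."""
    p = parse_main_cf(main_cf)
    level = p.get("smtp_tls_security_level", "")
    dns = p.get("smtp_dns_support_level", "")
    findings = []
    if level not in DANE_LEVELS:
        findings.append(f"smtp_tls_security_level={level or 'unset'}: set dane or dane-only")
    if dns != "dnssec":
        findings.append(f"smtp_dns_support_level={dns or 'unset'}: set dnssec")
    if "smtpd_tls_security_level" in p and level not in DANE_LEVELS:
        findings.append("smtpd_tls_security_level covers inbound sessions only")
    # Heuristic (assumption of this example): the validating resolver runs on
    # loopback, so its DNSSEC-validated answers never cross the network.
    servers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)
    remote = [s for s in servers if not (s.startswith("127.") or s == "::1")]
    if remote or not servers:
        findings.append(f"resolver not on loopback: {remote or 'none configured'}")
    return findings

# Constructed sample inputs, not taken from any real host.
WEAK_CF = "smtpd_tls_security_level = encrypt\nsmtp_tls_security_level = may\n"
WEAK_RESOLV = "nameserver 192.0.2.53\n"
DANE_CF = "# outbound\nsmtp_dns_support_level = dnssec\nsmtp_tls_security_level =\n  dane\n"
DANE_RESOLV = "nameserver 127.0.0.1\n"

if __name__ == "__main__":
    for name, cf, rc in (("weak", WEAK_CF, WEAK_RESOLV), ("dane", DANE_CF, DANE_RESOLV)):
        print(name, audit_dane(cf, rc) or "OK")
```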