----- Message from Joachim Lindenberg <postfix-us...@lindenberg.one> ---------
Date: Fri, 26 Aug 2022 17:00:32 +0200
From: Joachim Lindenberg <postfix-us...@lindenberg.one>
Subject: Re: MTA-STS implementation
To: postfix-users@postfix.org
I definitely suggest looking into RFC 7672 SMTP-DANE instead of
MTA-STS. SMTP-DANE is more secure than MTA-STS, and in my "samples"
also more widely adopted than MTA-STS. In my view, MTA-STS is only
interesting if you do not want to adopt DNSSEC.
Postfix supports DANE out of the box, but you have to use a DNSSEC
aware resolver and configure appropriately.
Best Regards, Joachim
-----Original Message-----
From: owner-postfix-us...@postfix.org
<owner-postfix-us...@postfix.org> On behalf of post...@ptld.com
Sent: Friday, 26 August 2022 16:24
To: postfix-users@postfix.org
Subject: Re: MTA-STS implementation
On 08-26-2022 10:08 am, Paul Kingsnorth wrote:
MTA-STS seems to be getting more widespread. I wondered how many
people are using the postfix-mta-sts-resolver from Snawoot, and
whether there are any standout good/bad features of it? Or whether
there are any other ways of implementing MTA-STS with postfix?
Wouldn't setting smtpd_tls_security_level=encrypt have the same
desired effect of what MTA-STS is trying to solve?
Granted, you would be preventing other MTAs from delivering if they
aren't using STARTTLS.
Or is there more going on with MTA-STS than what I understand?
----- End message from Joachim Lindenberg <postfix-us...@lindenberg.one> -----
Wouldn't setting smtpd_tls_security_level=encrypt have the same
desired effect of what MTA-STS is trying to solve?
Quick comment on the above point: Setting up MTA-STS in DNS to allow
for MTA-STS validation on your domain does not result in you not being
able to receive non-encrypted inbound email, so it is not the same as
setting smtpd_tls_security_level=encrypt (which according to postfix
documentation is not recommended on publicly facing SMTP servers).
MTA-STS has been getting traction... Google appear to be going all-in,
although noting from my reading on the subject that as above DANE
appears to be superior, e.g. [1] from Viktor.
I'm in the process of adding the DNS settings and required 'bits' to
allow *inbound* MTA-STS validation on my primary email domain to make
it available to e.g. Google; currently it's in 'testing' mode. However
based on my reading I'm not changing Postfix to alter my outbound mail
process, which is based around:
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
It appears, again from my reading and I am sure others with better
knowledge will add more, that currently setting postfix to use
'outbound' MTA-STS validation means emails being sent to domains that
have validation of both DANE and MTA-STS (like mine) may end up with
the sending server using MTA-STS and overriding a failing DANE
validation, which is not what the RFC [2] requires: "senders who
implement MTA-STS validation MUST NOT allow MTA-STS Policy validation
to override a failing DANE validation". See discussion at [3].
So for now, for my very low volume personal domain/server, I'm working
to offer TLS validation inbound for DANE and MTA-STS but am not
changing Postfix config from DANE/DNSSEC, thus retaining DANE only for
outbound.
If that is not a recommended approach I'd be very welcoming of other
suggestions BTW...
Simon
[1] https://www.isi.edu/~hardaker/news/2021-09-20-DANE-vs-STS.html
[2] https://datatracker.ietf.org/doc/html/rfc8461#section-2
[3] https://serverfault.com/questions/1101533/is-it-possible-to-use-mta-sts-in-postfix-without-overriding-dane
--
Simon Wilson
M: 0400 12 11 16
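The precedence point raised in the thread (RFC 8461 section 2: an MTA-STS policy must never override a failing DANE validation) and the inbound-only MTA-STS setup Simon describes can be illustrated with a small policy-level model. The following is an added Python example written for this page; it is not code from Postfix, from postfix-mta-sts-resolver, or from any poster. It parses a constructed `_mta-sts` TXT record and a constructed policy file (the `example.test` hostnames are made up), applies the RFC 8461 MX wildcard rule, and then decides whether a sending MTA may deliver given the DANE outcome and the MTA-STS policy mode. The `dane_status` values and the `decide_delivery` function are assumptions of this example, not a Postfix interface.

```python
"""MTA-STS policy parsing and DANE precedence (RFC 8461 sec. 2), added example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data: a _mta-sts TXT record and a policy file body
# as served at https://mta-sts.<domain>/.well-known/mta-sts.txt.
SAMPLE_STS_TXT = "v=STSv1; id=20220826T160000;"
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mail.example.test
mx: *.backup.example.test
max_age: 604800
"""


@dataclass
class StsPolicy:
    mode: str          # "none", "testing" or "enforce"
    mx: List[str]      # MX host patterns, lowercased
    max_age: int       # seconds the policy may be cached


def parse_sts_txt(txt: str) -> str:
    """Validate a '_mta-sts' TXT record and return its policy id (RFC 8461 3.1)."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("not an STSv1 record")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("missing or malformed policy id")
    return fields["id"]


def parse_sts_policy(text: str) -> StsPolicy:
    """Parse the 'key: value' policy file (RFC 8461 3.2); mx may repeat."""
    mx: List[str] = []
    kv = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower().rstrip("."))
        else:
            kv[key] = value
    if kv.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    mode = kv.get("mode")
    if mode not in ("none", "testing", "enforce"):
        raise ValueError("invalid mode")
    max_age = int(kv["max_age"])  # required field; ValueError/KeyError on bad input
    if not 0 <= max_age <= 31557600:
        raise ValueError("max_age out of range")
    return StsPolicy(mode, mx, max_age)


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 4.1: '*.example' matches exactly one leftmost label."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".backup.example.test"
        if not hostname.endswith(suffix) or len(hostname) <= len(suffix):
            return False
        return "." not in hostname[: -len(suffix)]
    return hostname == pattern


def decide_delivery(dane_status: Optional[str], policy: Optional[StsPolicy],
                    mx_host: str, cert_ok: bool) -> Tuple[str, str]:
    """Return ('deliver'|'defer', reason).

    dane_status is None (no usable TLSA record, i.e. DANE not applicable),
    'pass' or 'fail'.  A failing DANE result is final: RFC 8461 sec. 2 says
    MTA-STS validation MUST NOT override it, so it is checked first.
    """
    if dane_status == "fail":
        return "defer", "DANE validation failed; MTA-STS may not override it"
    if dane_status == "pass":
        return "deliver", "DANE validation succeeded"
    # No DANE: fall back to MTA-STS.  Modes none/testing are report-only,
    # so a mismatch does not block delivery (RFC 8461 sec. 5).
    if policy is None or policy.mode != "enforce":
        return "deliver", "no enforced MTA-STS policy"
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        return "defer", "MX host not listed in enforced MTA-STS policy"
    if not cert_ok:
        return "defer", "certificate not valid for MX host under enforced policy"
    return "deliver", "enforced MTA-STS policy satisfied"


if __name__ == "__main__":
    pol = parse_sts_policy(SAMPLE_POLICY)
    print("policy id:", parse_sts_txt(SAMPLE_STS_TXT), "mode:", pol.mode)
    print(decide_delivery("fail", pol, "mail.example.test", True))
```

The ordering in `decide_delivery` is the whole point: the DANE branch is evaluated before the policy is even consulted, which is the behaviour the RFC text quoted in the thread demands and which the serverfault discussion reports some MTA-STS add-ons get wrong by letting a policy lookup replace the DANE result.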