A more quick and dirty option is to configure transport policy "verify" for any mta-sts destinations (I am doing this in a script). That doesn't really check the mx one connects to are enumerated, but at least the certificate validation part of mta-sts will prevent connections to arbitrary unauthenticated hosts.

Cheers,
Joachim
-----Original Message-----
From: Viktor Dukhovni via Postfix-users <postfix-users@postfix.org>
Sent: Wednesday, 24 May 2023 14:32
To: postfix-users@postfix.org
Subject: [pfx] Re: TLS client policy according to domain MTA-STS policy

On Wed, May 24, 2023 at 02:25:38PM +0200, Paul Menzel via Postfix-users wrote:

> Running the *Public Email & DNS Testbed* [1], I was reminded that we
> have MTA-STS set up, but do not take the MTA-STS policy of other
> domains into account.
>
> As a solution I found *postfix-mta-sts-resolver* [2], which warns
> about a “RFC violation” [3]:
>
> Do you know of other solutions?

Given how thinly MTA-STS is implemented, the simplest solution is to just route a few of the major mta-sts domains (gmail.com, outlook.com, and a few others) to a dedicated smtp(8) transport that uses the mta-sts policy addon, and just enable DANE for the rest.

We may yet integrate mta-sts support into Postfix some day, but for now you'll need to compromise in some manner.

--
Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
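As an added illustration of the "verify" workaround Joachim describes above (this is example code, not his script and not part of Postfix or postfix-mta-sts-resolver), the following parses MTA-STS policy text in the RFC 8461 key/value format and emits `smtp_tls_policy_maps` rows. It assumes the policy text has already been fetched over HTTPS for each domain; the sample policies are constructed.

```python
from typing import Dict, List, Optional

# Constructed sample policies, keyed by the destination domain.
SAMPLE_POLICIES: Dict[str, str] = {
    "example.com": "version: STSv1\nmode: enforce\nmx: mx1.example.com\nmx: *.example.net\nmax_age: 604800\n",
    "example.org": "version: STSv1\nmode: testing\nmx: mail.example.org\nmax_age: 86400\n",
}


def parse_mta_sts_policy(text: str) -> dict:
    """Parse 'key: value' lines; the 'mx' key may repeat and is collected into a list."""
    policy: dict = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing MTA-STS policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing MTA-STS mode")
    return policy


def postfix_tls_policy_line(domain: str, policy: dict) -> Optional[str]:
    """Return a smtp_tls_policy_maps row for enforce-mode policies, else None.

    "verify" makes Postfix validate the server certificate against the MX
    hostname it got from DNS, which blocks delivery to an unauthenticated host.
    It does NOT check that the MX hostname is one the policy enumerates (the
    caveat Joachim raises); that part still needs a real MTA-STS client.
    """
    if policy["mode"] != "enforce" or not policy["mx"]:
        return None
    return f"{domain} verify"


def build_tls_policy_table(policies: Dict[str, str]) -> List[str]:
    """Map {domain: policy text} to the rows to write into the tls_policy table."""
    rows = []
    for domain, text in policies.items():
        row = postfix_tls_policy_line(domain, parse_mta_sts_policy(text))
        if row is not None:
            rows.append(row)
    return rows
```

Only enforce-mode domains get a row, so a domain in "testing" mode keeps whatever default TLS level the rest of the configuration applies.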