> On Apr 28, 2022, at 18:58, Michael Ströder via mailop <mailop@mailop.org> wrote:
>
> On 4/29/22 00:27, Matt Corallo wrote:
>> On 4/28/22 2:34 PM, Michael Ströder via mailop wrote:
>>> I'm really wondering why people have so strong objections against MTA-STS.
>>> Actually it's pretty easy to set up and it's the only standard allowing you
>>> to specify a mandatory-TLS receiving policy (as opposed to opportunistic).
>> DANE also allows you to specify a mandatory TLS receiving policy?
>
> Which DANE protocol element lets the *receiver* enforce that a sender must
> *use* STARTTLS?
You mean the receiving domain and not the receiving MX? Indeed, that’s not
doable, but also not something the receiver should be doing? If you opted to
have someone else handle your incoming mail, presumably you want them to handle
your incoming mail. If *they* set a TLSA and the sender is running stock postfix
or exim (with a DNSSEC-supporting recursor) the sender will require TLS for mail
delivery (and can even be limited to a specific certificate, bypassing the mess
of CAs entirely!).

> You could of course configure e.g. postfix to enforce it (dane-only). But
> that's a sender configuration per receiver domain.

Or you can do opportunistic DANE, the default - if the domain is DNSSEC-signed
you either get the TLSA record or you get a proof it doesn’t exist.

> Don't get me wrong: I'm not in favour of one over the other. I'm in favour of
> leveraging everything which raises the security bar.

I still fail to see how MTA-STS “raises the security bar”. Indeed, I admit
there are some who are scared of DNSSEC (often for good reason!), but as
described in the last mail MTA-STS has the same set of problems as DNSSEC, just
limited to your mail.

> Of course I understand that it's overall hard work for people providing mail
> services to 3rd parties. But IMHO MTA-STS does not add so much to it.

It actually adds a ton - most small domain admins with working email via
gmail/Microsoft/etc are never going to edit their DNS settings to add MTA-STS.
With DANE gmail/Microsoft can opt into security on their behalf.

Matt

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
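The "limited to a specific certificate, bypassing the mess of CAs" point above is what a DANE-EE (usage 3) TLSA record does: the MX operator publishes a hash of its own certificate or public key under `_25._tcp.<mx-host>`, and a DANE-aware sender compares what the server presents against that record instead of against a CA chain. The script below is an added example, not code from the thread or from Postfix/Exim; it implements the RFC 6698 matching rules (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 0/1/2 = exact, SHA-256, SHA-512) and shows why operators usually publish `3 1 1`: the record keeps matching across certificate renewals as long as the key is kept. The certificate is a hand-assembled DER structure constructed for the example (no real key or signature), and `mx.example.net` is a placeholder name.

```python
"""Match a DANE TLSA record against a certificate (RFC 6698 matching rules).

Added example, not code from the mailop thread.  The "certificate" is a
constructed stand-in assembled from hand-written DER so the script runs
offline; it carries no real key and no valid signature.
"""
import hashlib

# ---- minimal DER helpers ---------------------------------------------------

def der_len(n):
    """Encode a DER length (short form, or long form for >= 128)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Build one TLV."""
    return bytes([tag]) + der_len(len(content)) + content

def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def children(seq_value):
    """Split the value of a SEQUENCE into its element (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, pos = der_read(seq_value, pos)
        out.append((tag, value))
    return out

def spki_from_cert(cert_der):
    """Extract the DER of subjectPublicKeyInfo from an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_read(cert_der, 0)
    tbs_tag, tbs_value, _ = der_read(cert_body, 0)
    assert tbs_tag == 0x30, "tbsCertificate must be a SEQUENCE"
    fields = children(tbs_value)
    if fields[0][0] == 0xA0:            # explicit [0] version is present
        fields = fields[1:]
    tag, value = fields[5]              # serial, sigalg, issuer, validity, subject, SPKI
    assert tag == 0x30, "subjectPublicKeyInfo must be a SEQUENCE"
    return der(0x30, value)             # re-wrap to recover the full TLV bytes

# ---- TLSA handling ---------------------------------------------------------

def parse_tlsa(presentation):
    """Parse 'usage selector mtype hexdata' as written in a zone file."""
    usage, selector, mtype, *hexparts = presentation.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def tlsa_for(cert_der, selector=1, mtype=1):
    """Build the DANE-EE (usage 3) record an MX operator would publish."""
    subject = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype](subject)
    return f"3 {selector} {mtype} {digest.hex()}"

def tlsa_matches(record, cert_der):
    """True if the presented end-entity certificate satisfies the record.

    Only usage 3 (DANE-EE) is handled: the certificate itself is the trust
    anchor, so no CA chain is consulted.  Usage 2 (DANE-TA) would require
    walking the chain; usages 0/1 additionally require PKIX validation.
    """
    usage, selector, mtype, data = record
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) is handled in this example")
    subject = {0: cert_der, 1: spki_from_cert(cert_der)}[selector]
    candidate = {0: subject, 1: hashlib.sha256(subject).digest(),
                 2: hashlib.sha512(subject).digest()}[mtype]
    return candidate == data

# ---- constructed test certificate (no real key) ----------------------------

def build_fake_cert(key_bytes, serial=1):
    """Assemble a syntactically valid, cryptographically meaningless cert."""
    rsa_oid = der(0x06, bytes.fromhex("2A864886F70D010101"))   # rsaEncryption
    alg_id = der(0x30, rsa_oid + der(0x05, b""))
    spki = der(0x30, alg_id + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))        # version v3
              + der(0x02, bytes([serial]))          # serialNumber
              + alg_id                              # signature algorithm
              + der(0x30, b"") + der(0x30, b"")     # issuer, validity (empty)
              + der(0x30, b"")                      # subject (empty)
              + spki)
    return der(0x30, tbs + alg_id + der(0x03, b"\x00" * 9)), spki

KEY = b"\x30\x06\x02\x01\x03\x02\x01\x03"           # fake key material
CERT, SPKI = build_fake_cert(KEY)
RENEWED, _ = build_fake_cert(KEY, serial=2)         # same key, new certificate
OTHER, _ = build_fake_cert(b"\x00" * 8)             # different key

if __name__ == "__main__":
    rec = tlsa_for(CERT)
    print("_25._tcp.mx.example.net. IN TLSA", rec)
    print("presented cert matches:", tlsa_matches(parse_tlsa(rec), CERT))
    print("renewed cert, same key:", tlsa_matches(parse_tlsa(rec), RENEWED))
    print("different key:         ", tlsa_matches(parse_tlsa(rec), OTHER))
```

Whether a failed match defers the mail or falls back to unauthenticated TLS is the sender's policy, not the matcher's: in Postfix that is the difference between `smtp_tls_security_level = dane` (opportunistic, the default Matt refers to) and `dane-only`, and either way the TLSA lookup only counts when the resolver returns it DNSSEC-validated.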