Hello, I'm trying to better understand various TLS deployment scenarios when it comes to Postfix. After looking at Postfix TLS readme and various online documentation I think I understand the core principles, but there are still a few items I'm not sure about:
1. SMTP server reachable via multiple TLDs

I would like to have the same server reachable via multiple TLDs: smtp.example.com, smtp.example.uk. This is mainly to provide TLD redundancy in case of issues with registrars or registries. With regards to TLS certificates there seem to be several options:
A) Multiple certificates: one for each specific domain.
B) Single SAN certificate: covers all domains, even with different TLDs.
I think option B is just as secure and more preferable due to lower overhead when it comes to certificate management. Is this correct?

2. Mail submission

When it comes to mail submission by MUAs, the recommended practices seem to be:
- Always use implicit TLS for SMTP (port 465) and IMAP (port 993).
- Avoid explicit STARTTLS as it is vulnerable to downgrade attacks.
- Use public CA-signed TLS certificates, as self-signed certificates can generate warnings from MUAs.
Is this correct?

3. TLS, DANE, and MTA-STS

The recommendation for the best interop seems to be to support all of these features. Postfix seems to have good support for DANE, but less so for MTA-STS. DANE requires DNSSEC and can use any certificate, i.e. no need for a CA. It is more secure than MTA-STS. MTA-STS works without DNSSEC but requires a policy file to be served over HTTPS, which in turn requires a web server and a certificate signed by a public CA. Large email providers like Google and Microsoft deploy MTA-STS at scale. Is this correct?

4. Inbound mail relay: other MTAs to my Postfix MTA

For DANE and MTA-STS the required policy needs to be specified via DNS and HTTPS, but this has nothing to do with Postfix. As long as Postfix supports TLS, other MTAs adapt their behavior to the specified policy. Is this correct?
Also, since I need a public CA-signed TLS certificate for mail submission, should I reuse the same certificate for mail relay between MTAs via opportunistic TLS, or is it better to use a different certificate?

5. Outbound mail relay: from my Postfix MTA to other MTAs

Is it possible to have both DANE and MTA-STS configured in Postfix? If yes, how does Postfix decide which one to use when a remote SMTP server supports both? How does Postfix support MTA-STS? Some people mention third-party packages like postfix-mta-sts-resolver or postfix-tlspol. What is the recommended method to interop with Google and Microsoft TLS-enabled MTAs? Would it be simpler to just create some map and tell Postfix to always enforce TLS for the gmail.com domain, for example, ignore any policy files they provide, and not bother with TLS-RPT?

Thanks.

_______________________________________________
Postfix-users mailing list -- [email protected]
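The last two questions (how an MTA-STS policy turns into something Postfix can act on, and how DANE and MTA-STS coexist) are easier to reason about with the translation spelled out. Postfix itself has no MTA-STS support; the third-party resolvers mentioned above sit behind smtp_tls_policy_maps and answer per-destination lookups with a Postfix TLS policy string. The script below is an added example written for this thread, not code from the post, from Postfix, or from postfix-mta-sts-resolver / postfix-tlspol. It parses a constructed RFC 8461 policy body (the domain, MX names and the has_tlsa flag are hypothetical, nothing is fetched from DNS or HTTPS), validates it, matches MX hostnames against the policy's mx patterns, and emits the policy-map value. The choice to answer "dane-only" whenever the destination has usable TLSA records, and to emit a "secure match=" entry only for mode=enforce, is this example's own policy decision, in line with RFC 8461's guidance that DANE takes precedence where both exist.

```python
"""
Turn an MTA-STS policy file into a Postfix smtp_tls_policy_maps value.

Added example for this thread; not code from the post, from Postfix, or from
postfix-mta-sts-resolver / postfix-tlspol. All inputs below are constructed.
"""
import re

# Constructed policy body, as it would be served from
# https://mta-sts.<domain>/.well-known/mta-sts.txt for a hypothetical domain.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mx1.example.net
mx: *.mail.example.net
max_age: 604800
"""

HOSTNAME_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
MAX_AGE_LIMIT = 31557600  # largest max_age RFC 8461 allows


def parse_policy(text):
    """Parse RFC 8461 policy text into a dict; raise ValueError if malformed."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("line without ':' separator: %r" % line)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError("duplicate field: " + key)
            policy[key] = value
        # Unknown fields are permitted by the RFC for extensibility; ignore them.
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing mode")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        raise ValueError("invalid or missing max_age")
    policy["max_age"] = int(age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy without mx entries")
    for pattern in policy["mx"]:
        labels = pattern.split(".")
        if labels[0] == "*":
            labels = labels[1:]
        if len(labels) < 2 or not all(HOSTNAME_LABEL.match(l) for l in labels):
            raise ValueError("bad mx pattern: " + pattern)
    return policy


def is_valid_policy(text):
    """Convenience wrapper: True if parse_policy accepts the text."""
    try:
        parse_policy(text)
        return True
    except ValueError:
        return False


def mx_matches(pattern, hostname):
    """True if an MX hostname is covered by one mx pattern.

    A wildcard covers exactly one label, like a TLS certificate wildcard:
    *.mail.example.net matches a.mail.example.net, but neither
    a.b.mail.example.net nor mail.example.net.
    """
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".mail.example.net"
        prefix = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return hostname == pattern


def postfix_policy(policy, has_tlsa=False):
    """Return the value to hand Postfix via smtp_tls_policy_maps, or None to
    leave the destination to the global smtp_tls_security_level.

    Assumption (this example's choice): a destination with usable TLSA
    records is handled by DANE ("dane-only"); MTA-STS is the fallback, and
    only mode=enforce produces a "secure" entry. Postfix's match= list uses a
    leading dot for "subdomain of", so "*.x" becomes ".x".
    """
    if has_tlsa:
        return "dane-only"
    if policy["mode"] != "enforce":
        return None
    names = [p[1:] if p.startswith("*.") else p for p in policy["mx"]]
    return "secure match=" + ":".join(names)


if __name__ == "__main__":
    p = parse_policy(SAMPLE_POLICY)
    for host in ("mx1.example.net", "a.mail.example.net", "a.b.mail.example.net"):
        print(host, any(mx_matches(m, host) for m in p["mx"]))
    print("policy map value:", postfix_policy(p))
    print("with TLSA present:", postfix_policy(p, has_tlsa=True))
```

The resulting string is what a policy lookup for the destination domain would return; a static map entry such as "gmail.com secure match=..." in smtp_tls_policy_maps is the same mechanism with the lookup result written by hand, which is why it works but also why it silently goes stale when the remote side rotates MX names.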
