Hi Viktor,

Now I understand ... is there any trick to ignore the smtp_tls_policy_maps if 
valid TLSA entries from DNSSEC are returned? :-)


JM


> On 13 Jun 2020, at 21:05, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> 
>>> If the MTA-STS policy table service overrides DANE policy in the
>>> presence of TLSA records for the domain, then it is broken.  If however,
>>> DANE records are not present, then the MTA-STS service MUST instead
>>> return one of ...
> 
> In retrospect my comment doesn't quite apply to the way that MTA-STS is
> integrated into Postfix.  It is either a NOOP or mapped to "strict", so
> the only downgrade risk is DNSSEC -> WebPKI, and while in my view that
> is a downgrade, obtaining unauthorised certs for the target MX is not
> going to be a common attack vector for most senders to worry about.

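To make the downgrade concrete, here is an added example (not code from this thread or from Postfix) of a socketmap responder for smtp_tls_policy_maps that answers "dane" when the domain is known to publish TLSA records and only falls back to an MTA-STS derived "secure match=..." otherwise. The map name "tlspolicy", the TLSA and MTA-STS data, and the domains are all constructed assumptions; a real plugin would get them from a DNSSEC-validating resolver and a policy fetcher.

```python
"""Constructed Postfix socketmap responder for smtp_tls_policy_maps.

A policy table entry overrides the global smtp_tls_security_level, so a
plugin that answers "secure" for a DANE-capable domain replaces DNSSEC
authentication with WebPKI. Answering "dane" keeps DANE in charge.
"""

# Constructed sample data: domains whose MX hosts publish TLSA records
# (a real plugin would learn this from a DNSSEC-validating resolver).
TLSA_PRESENT = {"dane.example"}

# Constructed MTA-STS policies: domain -> allowed MX patterns.
MTA_STS = {
    "sts.example": ["mx1.sts.example", "*.sts.example"],
    "dane.example": ["mx.dane.example"],
}


def encode_netstring(data: bytes) -> bytes:
    """Encode as a netstring: "<len>:<data>,"."""
    return b"%d:%s," % (len(data), data)


def decode_netstring(buf: bytes) -> bytes:
    """Decode one netstring; raise ValueError on malformed input."""
    length, sep, rest = buf.partition(b":")
    if not sep or not length.isdigit():
        raise ValueError("bad netstring length")
    n = int(length)
    if len(rest) < n + 1 or rest[n:n + 1] != b",":
        raise ValueError("bad netstring terminator")
    return rest[:n]


def policy_for(domain: str) -> "str | None":
    """Policy table value for a next-hop domain, or None for NOTFOUND."""
    if domain in TLSA_PRESENT:
        return "dane"  # TLSA records exist: do not downgrade to WebPKI
    if domain in MTA_STS:
        # MTA-STS enforce -> Postfix "secure" with the policy's mx list;
        # a wildcard "*.x" becomes the Postfix subdomain pattern ".x".
        patterns = [p.lstrip("*") for p in MTA_STS[domain]]
        return "secure match=" + ":".join(patterns)
    return None  # no opinion: Postfix keeps smtp_tls_security_level


def handle_request(raw: bytes) -> bytes:
    """Answer one socketmap request of the form "<name> <key>"."""
    name, _, key = decode_netstring(raw).partition(b" ")
    if name != b"tlspolicy":
        return encode_netstring(b"PERM unknown map name")
    value = policy_for(key.decode("ascii").lower())
    if value is None:
        return encode_netstring(b"NOTFOUND ")
    return encode_netstring(b"OK " + value.encode("ascii"))
```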