Thanks for the response, will see if it makes sense to at least disable MTA-STS for DANE-enabled domains at https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67.
On 7/4/20 2:10 PM, Viktor Dukhovni wrote:
> On Sat, Jul 04, 2020 at 01:54:14PM -0400, Matt Corallo wrote:
>
>> The only reference google appears to find on this list to MTA-STS indicates
>> that folks should use an external MTA-STS
>> resolver as a part of smtp_tls_policy_maps (the one by Snawoot on GitHub
>> appears to be good). Sadly, I don't believe it's
>> possible to properly capture the DANE/MTA-STS interaction using
>> smtp_tls_policy_maps - specifically, the MTA-STS RFC states:
>>
>> senders who implement MTA-STS validation MUST NOT allow MTA-STS
>> Policy validation to override a failing DANE validation.
>
> Yes, but for now, with deployment of both rather thin, and the
> intersection practically empty, it is OK to accept MTA-STS success even
> if perhaps the DANE policy would have failed.

Hmm, I'd think nearly every DANE-enabled domain would *also* enable MTA-STS. For example Protonmail has both enabled.

>> This doesn't seem possible with smtp_tls_policy_maps - either you
>> return that a domain must be secured by TLS Certificate Authorities,
>> or you require DANE, but I don't see a way to require both.
>
> Yes, there is no mechanism to validate both, or to have existence of
> TLSA records suppress the MTA-STS resolver policy.

Right, so for now the only option is to have the MTA-STS resolver return "dane-only" if it thinks DANE is enabled on all the MXs and hope for the best.

>> Did I miss something? Any chance we could get proper MTA-STS support
>> built into Postfix?
>
> Probably not this year. I'll be more motivated when I see Google
> supporting DANE outbound. Also at least inbound on mx[1-4].smtp.goog,
> which are already signed, thus not publishing the associated TLSA RRs
> smacks of negligence to me.

Google has always had a hatred of DNSSEC because of the 1024-bit root. Of course that hatred of DNSSEC is a cargo-cult hatred at this point given 1024-bit keys are long, long gone from the root and most TLDs at this point.
Still, Outlook/MS should be the big example here - they have MTA-STS set to "testing" today, but presumably that will change, and have committed to DANE next year.

Matt
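The workaround discussed in the message above (have the external resolver answer "dane-only" whenever the destination's MXs carry TLSA records, and only fall back to an MTA-STS "secure match=..." policy otherwise) can be sketched as a small policy-decision function. The code below is an added illustration and is not part of the thread, of Snawoot's postfix-mta-sts-resolver, or of Postfix. It assumes the caller has already done the DNS work (whether every MX of the domain has DNSSEC-signed TLSA records, and the text of any fetched MTA-STS policy file); the MTA-STS policy format follows RFC 8461 section 3.2, and the translation of an MTA-STS wildcard "*.example.net" into a Postfix leading-dot match pattern ".example.net" is an assumption about how the two pattern syntaxes line up. The sample policy text is constructed for the example.

```python
"""
Hypothetical smtp_tls_policy_maps decision helper (added example, not code
from the thread, from Snawoot's resolver, or from Postfix).

Precedence implemented, following the thread's workaround:
  1. destination has TLSA records on all MXs  -> "dane-only"
     (Postfix then requires a TLSA match; no MTA-STS "secure" entry is ever
      emitted that could override a failing DANE validation)
  2. MTA-STS policy in mode "enforce"         -> "secure match=<mx list>"
  3. anything else (no policy, "testing",
     "none", malformed)                       -> "may"  (opportunistic TLS)
"""
from typing import Optional

# Constructed sample MTA-STS policy file (RFC 8461 section 3.2 layout).
EXAMPLE_STS_POLICY = """\
version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.example.net
max_age: 604800
"""


def parse_sts_policy(text: str) -> dict:
    """Parse an MTA-STS policy file into a dict; 'mx' may repeat, so it is
    collected into a list.  Unknown keys are kept for the caller."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def sts_mx_to_postfix_match(mx_pattern: str) -> str:
    """MTA-STS permits a single leading wildcard label ("*.example.net").
    Assumption: the equivalent Postfix 'secure' match pattern is the
    leading-dot form ".example.net", which matches subdomains."""
    if mx_pattern.startswith("*."):
        return mx_pattern[1:]  # "*.example.net" -> ".example.net"
    return mx_pattern


def postfix_tls_policy(has_tlsa: bool, sts_policy_text: Optional[str]) -> str:
    """Return the smtp_tls_policy_maps right-hand side for one destination.

    has_tlsa        -- True when every MX of the domain publishes TLSA RRs
                       under DNSSEC (determined by the caller)
    sts_policy_text -- fetched MTA-STS policy file, or None when the domain
                       publishes no usable _mta-sts record / policy
    """
    if has_tlsa:
        # DANE takes precedence; "dane-only" makes Postfix refuse delivery
        # rather than fall back if TLSA lookup or verification fails.
        return "dane-only"
    if sts_policy_text is None:
        return "may"
    policy = parse_sts_policy(sts_policy_text)
    if policy.get("version") != "STSv1" or not policy["mx"]:
        return "may"  # malformed policy: treat as if absent
    if policy.get("mode") != "enforce":
        return "may"  # "testing" / "none": report-only, do not enforce
    match = ":".join(sts_mx_to_postfix_match(mx) for mx in policy["mx"])
    return f"secure match={match}"


def demo() -> dict:
    """Run the decision for the constructed cases and return the results."""
    return {
        "dane+sts": postfix_tls_policy(True, EXAMPLE_STS_POLICY),
        "sts-enforce": postfix_tls_policy(False, EXAMPLE_STS_POLICY),
        "sts-testing": postfix_tls_policy(
            False, EXAMPLE_STS_POLICY.replace("mode: enforce", "mode: testing")),
        "nothing": postfix_tls_policy(False, None),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} -> {result}")
```

Note that this encodes exactly the compromise the thread describes rather than the RFC's requirement: it never validates DANE and MTA-STS together, it only makes sure the DANE path is chosen whenever TLSA records are present, so that MTA-STS success cannot mask a DANE failure.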