On 8/18/21 21:44, raf wrote:
They are into MTA-STS instead, as a way to prevent
downgrade attacks against mail servers.
SMTP MTA Strict Transport Security (MTA-STS)
https://tools.ietf.org/html/rfc8461 (Proposed Standard)
But that's all it does (assuming other mail servers are
paying attention to it - Google's and Microsoft's do).
May be worth mentioning here that, sadly, Postfix does not support MTA-STS
currently.
The one implementation at https://github.com/Snawoot/postfix-mta-sts-resolver/ will reduce security rather than increase
it as dual-MTA-STS-DANE domains start to appear[1]. Until then, because MTA-STS is deployed basically just by Microsoft
and Google, you can accomplish the same result by checking the MX is outlook.com or google.com in a tls_policy_maps
lookup daemon. By the point MTA-STS matters in the slightest, even Microsoft should be enforcing DANE [2] so there's
probably no use bothering in any case.
[1] https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67
[2] https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=dnssec
Matt
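The tls_policy_maps lookup daemon Matt describes, as an added example that is not code from the thread or from Postfix: a small tcp_table(5) server that resolves the next-hop domain's MX records and hands back a "secure" policy only when every MX sits under a configured provider suffix, so an unknown or unresolvable MX never silently downgrades to opportunistic TLS. The suffixes, the match= policy strings, the listening port and the use of dnspython for live lookups are assumptions.

```python
"""Postfix tcp_table(5) daemon for smtp_tls_policy_maps (added example, not from the
thread); the MX suffixes and policy strings are constructed, the resolver is injected."""
import socketserver
import sys

# Constructed table: MX suffix -> Postfix TLS policy. "secure" forces certificate
# verification against the match= names (leading "." = subdomains); unlisted -> "may".
MX_POLICIES = {
    ".google.com": "secure match=.google.com:google.com",
    ".mail.protection.outlook.com": "secure match=.mail.protection.outlook.com",
}
DEFAULT_POLICY = "may"

def xtext_encode(text):  # tcp_table wire encoding: +HH for non-printables, '+' and '='
    return "".join(c if 33 <= ord(c) <= 126 and c not in "+=" else f"+{ord(c):02X}" for c in text)

def policy_for_mx(mx_hosts):  # every MX must share one configured suffix, else stay at "may"
    chosen = None
    for host in mx_hosts:
        suffix = next((s for s in MX_POLICIES if host.rstrip(".").lower().endswith(s)), None)
        if suffix is None or (chosen and chosen != suffix):
            return DEFAULT_POLICY
        chosen = suffix
    return MX_POLICIES[chosen] if chosen else DEFAULT_POLICY

def handle_request(line, resolve_mx):  # one 'get <nexthop>' request line -> one reply line
    if not line.startswith("get "):
        return "500 unsupported request"
    dest = line[4:].strip()
    if dest.startswith("["):  # [host] next-hops bypass MX, so keep them at the default
        return f"200 {DEFAULT_POLICY}"
    try:
        return f"200 {xtext_encode(policy_for_mx(resolve_mx(dest.split(':')[0])))}"
    except Exception as exc:  # DNS trouble: 400 makes Postfix defer rather than downgrade
        return f"400 MX lookup failed: {xtext_encode(str(exc))}"

def resolve_mx_dns(domain):
    import dns.resolver  # live resolver needs dnspython; imported lazily so offline tests run
    return [r.exchange.to_text() for r in dns.resolver.resolve(domain, "MX")]

class TcpTableHandler(socketserver.StreamRequestHandler):
    def handle(self):
        for raw in self.rfile:  # one request per line until Postfix closes the connection
            reply = handle_request(raw.decode("ascii", "replace"), resolve_mx_dns)
            self.wfile.write((reply + "\n").encode("ascii"))

if __name__ == "__main__":  # main.cf: smtp_tls_policy_maps = tcp:127.0.0.1:2222
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 2222
    with socketserver.TCPServer(("127.0.0.1", port), TcpTableHandler) as srv:
        srv.serve_forever()
```

Postfix still performs its own MX lookup and certificate-name check; the daemon only decides which destinations are held to the "secure" level, and a mixed or failed MX set deliberately falls back to deferral or the default rather than a weaker policy.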