On Tue, Mar 22, 2022 at 01:41:48PM +0100, Damian wrote:

> I am looking for input on how to implement a DANE- and MTA-STS-capable
> Postfix setup which is able to produce SMTP TLS reports (RFC8460).

The simplest approach is to just manually configure static TLS policies
of "secure" with appropriate "match=..." names for a small list of
MTA-STS domains (gmail.com, and the like).  There are few enough MTA-STS
domains.

> Apart from that, how would Postfix expose information needed in an SMTP 
> TLS report?

Logs, but presently some of the requisite information may not be logged,
in particular whether failure to authenticate the connection was related
to DANE or some other policy.

> Successful DANE and MTA-STS deliveries are both logged as "Verified TLS
> connection". How to distinguish them?

This information is not presently logged.

> Do log lines like "Server certificate not trusted" and "Server
> certificate not verified" reveal whether a mail is deferred due to DANE 
> or MTA-STS (which is implemented by [1] via the "secure" TLS security 
> level)? If they do, it is not apparent.

No.

> How does one obtain the effective result type [2] of a delivery attempt?

There is no meaningful support for generating TLSRPT messages.

-- 
    Viktor.
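
The static-policy approach suggested above, as an added example that is not part of the original message: a small script that turns an MTA-STS policy body (RFC 8461) into a "secure" entry for a Postfix TLS policy table. The function names and the sample policy are constructed for illustration, and mapping an MTA-STS `*.name` wildcard to a Postfix `.name` pattern is an assumption (nearest equivalent; the Postfix pattern may match more labels than the wildcard does).

```python
# Added example: MTA-STS policy text -> static Postfix TLS policy entry.
# Names and sample data are hypothetical; nothing here fetches a real policy.

def parse_sts_policy(text):
    """Parse the key/value lines of an MTA-STS policy into (fields, mx_patterns)."""
    fields, mx = {}, []
    for raw in text.splitlines():            # handles both CRLF and LF endings
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())         # "mx" may repeat, keep every pattern
        else:
            fields.setdefault(key, value)    # first occurrence of other keys wins
    if fields.get("version") != "STSv1":
        raise ValueError("not an STSv1 policy")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or unknown mode")
    return fields, mx

def postfix_policy_line(domain, policy_text):
    """Return a policy-table line for `domain`, or None if the policy is not enforced."""
    fields, mx = parse_sts_policy(policy_text)
    if fields["mode"] != "enforce":
        return None                          # testing/none: do not force "secure"
    if not mx:
        raise ValueError("enforce policy without mx patterns")
    # Assumption: MTA-STS "*.example.net" is written as Postfix ".example.net"
    names = [m[1:] if m.startswith("*.") else m for m in mx]
    return f"{domain.lower()} secure match={':'.join(names)}"

# Constructed sample policy, as it would be served from the policy host
SAMPLE_POLICY = (
    "version: STSv1\r\nmode: enforce\r\n"
    "mx: mx1.example.net\r\nmx: *.mail.example.net\r\nmax_age: 604800\r\n"
)

if __name__ == "__main__":
    print(postfix_policy_line("example.com", SAMPLE_POLICY))
```

The resulting line belongs in the table referenced by `smtp_tls_policy_maps`, and it has to be regenerated whenever the domain publishes a new policy.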
