On Tue, Mar 22, 2022 at 01:41:48PM +0100, Damian wrote:

> I am looking for input on how to implement a DANE- and MTA-STS-capable
> Postfix setup which is able to produce SMTP TLS reports (RFC8460).

The simplest approach is to just manually configure static TLS policies
of "secure" with appropriate "match=..." names for a small list of
MTA-STS domains (gmail.com, and the like).  There are few enough MTA-STS
domains.

> Apart from that, how would Postfix expose information needed in an SMTP
> TLS report?

Logs, but presently some of the requisite information may not be logged,
in particular whether failure to authenticate the connection was related
to DANE or some other policy.

> Successful DANE and MTA-STS deliveries are both logged as "Verified TLS
> connection".  How to distinguish them?

This information is not presently logged.

> Do log lines like "Server certificate not trusted" and "Server
> certificate not verified" reveal whether a mail is deferred due to DANE
> or MTA-STS (which is implemented by [1] via the "secure" TLS security
> level)?  If they do, it is not apparent.

No.

> How does one obtain the effective result type [2] of a delivery attempt?

There is no meaningful support for generating TLSRPT messages.

-- 
    Viktor.
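The static-policy approach Viktor suggests, worked through as an added example (this is not code from the thread, from Postfix, or from the MTA-STS implementation Damian references): a small script that parses an RFC 8461 policy file and emits the matching smtp_tls_policy_maps line, level "secure" with "match=" set to the policy's MX names. It assumes the operator has already fetched the policy text from https://mta-sts.<domain>/.well-known/mta-sts.txt and verified the _mta-sts TXT record by hand; the script does no network I/O, and the policy texts and domain names below are constructed for illustration.

```python
"""
Added example: turn an RFC 8461 MTA-STS policy file into a static Postfix
smtp_tls_policy_maps entry ("secure match=...").  Not Postfix code; the
sample policies and domains are constructed, not real.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample policies (hypothetical domains).
ENFORCE_POLICY = """\
version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.mx.example.com
max_age: 604800
"""

TESTING_POLICY = """\
version: STSv1
mode: testing
mx: mx.example.org
max_age: 86400
"""


@dataclass
class StsPolicy:
    version: str = ""
    mode: str = ""
    mx: list = field(default_factory=list)
    max_age: int = 0


def parse_mta_sts_policy(text: str) -> StsPolicy:
    """Parse the "key: value" lines of an RFC 8461 policy file.

    Unknown keys are ignored, as the RFC requires; repeated "mx" keys
    accumulate.  Anything structurally wrong raises ValueError so a bad
    fetch never silently turns into a "secure" entry.
    """
    pol = StsPolicy()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            pol.version = value
        elif key == "mode":
            pol.mode = value.lower()
        elif key == "mx":
            pol.mx.append(value.lower())
        elif key == "max_age":
            pol.max_age = int(value)
    if pol.version != "STSv1":
        raise ValueError(f"unsupported policy version {pol.version!r}")
    if pol.mode not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode {pol.mode!r}")
    if pol.mode == "enforce" and not pol.mx:
        raise ValueError("enforce policy without any mx entries")
    return pol


def mx_to_postfix_match(mx: str) -> str:
    """Map an RFC 8461 MX pattern to a Postfix "match=" name.

    RFC 8461 allows a single leading "*." label; Postfix expresses
    sub-domain matching for level "secure" with a leading ".", so
    "*.mx.example.com" becomes ".mx.example.com".  A plain host name
    is matched as-is.
    """
    if mx.startswith("*."):
        return mx[1:]
    if "*" in mx:
        raise ValueError(f"wildcard only allowed as the leftmost label: {mx!r}")
    return mx


def postfix_policy_line(domain: str, pol: StsPolicy) -> Optional[str]:
    """One smtp_tls_policy_maps line for the domain, or None.

    Only mode "enforce" justifies pinning the domain to "secure".  For
    "testing" or "none" no entry is written, so Postfix keeps using the
    global smtp_tls_security_level (e.g. "dane") for that domain.
    """
    if pol.mode != "enforce":
        return None
    names = ":".join(mx_to_postfix_match(m) for m in pol.mx)
    return f"{domain}\tsecure match={names}"


def build_policy_map(policies: dict) -> list:
    """Policy texts keyed by domain -> list of tls_policy lines."""
    lines = []
    for domain, text in policies.items():
        entry = postfix_policy_line(domain, parse_mta_sts_policy(text))
        if entry is not None:
            lines.append(entry)
    return lines


if __name__ == "__main__":
    for entry in build_policy_map({"example.com": ENFORCE_POLICY,
                                   "example.org": TESTING_POLICY}):
        print(entry)
```

Write the output to a file such as /etc/postfix/tls_policy, run `postmap hash:/etc/postfix/tls_policy`, and reference it with `smtp_tls_policy_maps = hash:/etc/postfix/tls_policy` in main.cf. Two caveats a practitioner should keep in mind: level "secure" only authenticates anything if smtp_tls_CAfile or smtp_tls_CApath points at the CAs you actually trust for those MX hosts, and a static entry does not expire with the policy's max_age, so the list has to be re-checked by hand when a listed domain changes its MX names.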