[pfx] Re: mta-sts and smtp_tls_security_level

On Sat, Mar 09, 2024 at 07:21:53PM +0100, Joachim Lindenberg via Postfix-users wrote: > I thought almost all cloud providers use anycast these days, > elminating the need to serve different IPs per region. No. That's not the case. Anycast is a useful tool, but isn't the whole story. The respon

[pfx] Re: mta-sts and smtp_tls_security_level

I thought almost all cloud providers use anycast these days, elminating the need to serve different IPs per region. Joachim -Ursprüngliche Nachricht- Von: Viktor Dukhovni via Postfix-users Gesendet: Samstag, 9. März 2024 18:42 An: postfix-users@postfix.org Betreff: [pfx] Re: mta-sts

[pfx] Re: mta-sts and smtp_tls_security_level

On Sat, Mar 09, 2024 at 10:46:17AM +0100, Joachim Lindenberg via Postfix-users wrote: > > Viktor Dukhovni: > > not sufficient market pressure to make it a priority. > Unfortunately yes, not yet. > > various load balancers would need to do online DNSSEC signing > Can you please elaborate why that s

[pfx] Re: mta-sts and smtp_tls_security_level

> Viktor Dukhovni: > not sufficient market pressure to make it a priority. Unfortunately yes, not yet. > various load balancers would need to do online DNSSEC signing Can you please elaborate why that should be required? Thanks, Joachim ___ Postfix-users

[pfx] Re: mta-sts and smtp_tls_security_level

On Fri, Mar 08, 2024 at 11:11:40PM +0100, Joachim Lindenberg via Postfix-users wrote: > But is there any reason that prevents google to use DNSSEC other than > the arrogance of power? My read is that there is not sufficient market pressure to make it a priority. Robust implementation at scale i

[pfx] Re: mta-sts and smtp_tls_security_level

Nachricht- Von: Viktor Dukhovni via Postfix-users Gesendet: Freitag, 8. März 2024 22:44 An: postfix-users@postfix.org Betreff: [pfx] Re: mta-sts and smtp_tls_security_level On Fri, Mar 08, 2024 at 10:01:29PM +0100, Joachim Lindenberg via Postfix-users wrote: > Imho you get pretty close

[pfx] Re: mta-sts and smtp_tls_security_level

On Fri, Mar 08, 2024 at 10:01:29PM +0100, Joachim Lindenberg via Postfix-users wrote: > Imho you get pretty close to mta-sts if you use verify together with a > DNSSEC-validating resolver. You just validate the "authorized" MTAs by > different means. Yes, but google.com and yahoo.com (the domain

[pfx] Re: mta-sts and smtp_tls_security_level

ia Postfix-users Gesendet: Freitag, 8. März 2024 21:35 An: postfix-users@postfix.org; Viktor Dukhovni Betreff: [pfx] Re: mta-sts and smtp_tls_security_level On Fri, Mar 08, 2024 at 03:05:43PM -0500, Viktor Dukhovni via Postfix-users wrote: > On Fri, Mar 08, 2024 at 01:28:00PM -0500, Michael

[pfx] Re: mta-sts and smtp_tls_security_level

On Fri, Mar 08, 2024 at 03:05:43PM -0500, Viktor Dukhovni via Postfix-users wrote: > On Fri, Mar 08, 2024 at 01:28:00PM -0500, Michael W. Lucas via Postfix-users > wrote: > > > Realistically, Gmail and Yahoo do not care about my MTA-STS > > reports. All they care about is that I validate their X

[pfx] Re: mta-sts and smtp_tls_security_level

On Fri, Mar 08, 2024 at 01:28:00PM -0500, Michael W. Lucas via Postfix-users wrote: > Realistically, Gmail and Yahoo do not care about my MTA-STS > reports. All they care about is that I validate their X.509 certs. > > Is there any reason to use something like mta-sts-daemon in that > transport