> On Oct 23, 2018, at 5:05 PM, Jim Fenton <[email protected]> wrote:
>
>> And yet, my preference would have been to not take this approach.
>> Rather each domain that wants to support "REQUIRETLS=YES", would
>> need to implement MTA-STS or DANE. If they already have a signed
>> MX RRset, they could often just add TLSA records and have DANE for
>> little extra effort.
>>
>> The "fly in the ointment" is that many domains are signed, but their
>> MX providers are not, and so they would then have to implement
>> MTA-STS, just to benefit from protection against MX record forgery
>> that they already have by virtue of DNSSEC.
>
> Let's think about that case more. If the mailbox domain is DNSSEC-signed (so
> we got the right MX host), shouldn't it be sufficient for the mail server to
> authenticate itself with a certificate that chains up to a trusted CA? I
> don't see why MTA-STS is needed in this case.
You've missed my point; we're in agreement. What I was saying was
that *without* your proposal to let DNSSEC suffice, in the absence
of DANE for the hosting provider's MX host (if the MX host is in-house
the domain could easily also deploy DANE), a signed domain would then
need MTA-STS, but that's a silly requirement, because it just poorly
adds back what the domain already has, namely protection against MX
forgery.
--
Viktor.
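The distinction the two of them are discussing can be written down as a small decision model. The code below is an added example and not from either participant or from any MTA; the state fields and the two policy functions are assumptions made here to model the thread's reasoning. It contrasts the "DANE or MTA-STS required" rule with the rule Jim proposes, where a DNSSEC-validated MX lookup plus a CA-chained certificate also suffices, and shows the case Viktor calls the fly in the ointment: a DNSSEC-signed domain whose outsourced MX host has no TLSA records and no MTA-STS policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RecipientDomainState:
    """Hypothetical summary of what a sending MTA has learned about a recipient
    domain before deciding whether a REQUIRETLS=YES message may be relayed."""
    mx_dnssec_signed: bool            # MX RRset validated by DNSSEC (AD flag from a validating resolver)
    mx_host_tlsa_matches: bool        # MX host publishes TLSA records and the presented cert matches them
    mta_sts_policy_names_mx: bool     # domain publishes an MTA-STS policy that lists this MX host
    cert_chains_to_trusted_ca: bool   # presented cert validates under PKIX for the MX host name


def mx_authenticated_strict(s: RecipientDomainState) -> bool:
    """Rule Viktor says he would have preferred not to take as a requirement:
    REQUIRETLS is honoured only via DANE or MTA-STS."""
    dane = s.mx_dnssec_signed and s.mx_host_tlsa_matches
    mta_sts = s.mta_sts_policy_names_mx and s.cert_chains_to_trusted_ca
    return dane or mta_sts


def mx_authenticated_dnssec_suffices(s: RecipientDomainState) -> bool:
    """Jim's proposal: DANE, MTA-STS, or a DNSSEC-validated MX lookup plus a
    CA-chained certificate. The third branch is the only difference."""
    dnssec_plus_pkix = s.mx_dnssec_signed and s.cert_chains_to_trusted_ca
    return mx_authenticated_strict(s) or dnssec_plus_pkix


def may_relay(s: RecipientDomainState, requiretls: bool, dnssec_suffices: bool) -> bool:
    """A REQUIRETLS=YES message is only relayed when the MX host was authenticated
    under the chosen rule; ordinary messages fall back to opportunistic delivery."""
    if not requiretls:
        return True
    check = mx_authenticated_dnssec_suffices if dnssec_suffices else mx_authenticated_strict
    return check(s)


# Constructed scenarios (not real domains) covering the cases raised in the thread.
SCENARIOS = {
    # The "fly in the ointment": signed domain, MX hosted by an unsigned provider,
    # no MTA-STS, but the provider's cert is fine under PKIX.
    "signed domain, outsourced MX, no TLSA, no MTA-STS": RecipientDomainState(
        mx_dnssec_signed=True, mx_host_tlsa_matches=False,
        mta_sts_policy_names_mx=False, cert_chains_to_trusted_ca=True),
    # Signed domain running its own MX with TLSA records: DANE just works.
    "signed domain, in-house MX with TLSA": RecipientDomainState(
        mx_dnssec_signed=True, mx_host_tlsa_matches=True,
        mta_sts_policy_names_mx=False, cert_chains_to_trusted_ca=True),
    # Unsigned domain that deployed MTA-STS.
    "unsigned domain with MTA-STS": RecipientDomainState(
        mx_dnssec_signed=False, mx_host_tlsa_matches=False,
        mta_sts_policy_names_mx=True, cert_chains_to_trusted_ca=True),
    # Unsigned domain, no policy: the MX lookup itself cannot be trusted.
    "unsigned domain, no policy": RecipientDomainState(
        mx_dnssec_signed=False, mx_host_tlsa_matches=False,
        mta_sts_policy_names_mx=False, cert_chains_to_trusted_ca=True),
}


def compare_rules() -> dict:
    """Return, per scenario, whether a REQUIRETLS=YES message may be relayed
    under the strict rule and under the DNSSEC-suffices rule."""
    return {
        name: {
            "strict": may_relay(state, requiretls=True, dnssec_suffices=False),
            "dnssec_suffices": may_relay(state, requiretls=True, dnssec_suffices=True),
        }
        for name, state in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_rules().items():
        print(f"{name:55s} strict={verdict['strict']!s:5s} dnssec_suffices={verdict['dnssec_suffices']}")
```

Only the first scenario differs between the two rules: under the strict rule the signed domain would have to add an MTA-STS policy to relay REQUIRETLS mail, even though DNSSEC already protects its MX lookup, which is exactly the redundancy the reply objects to.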
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta