On Fri, Mar 08, 2024 at 01:28:00PM -0500, Michael W. Lucas via Postfix-users wrote:
> Realistically, Gmail and Yahoo do not care about my MTA-STS
> reports. All they care about is that I validate their X.509 certs.
>
> Is there any reason to use something like mta-sts-daemon in that
> transport instead of just setting smtp_tls_security_level=verify ?

Just using verify leaves you more vulnerable to DNS-based MiTM attacks,
because "verify" uses unvalidated MX hostnames as the "reference
identifiers" in certificate matching.

With "mta-sts", you are expected to obtain a trusted copy of the MX host
list via HTTPS (trusting one of various WebPKI CAs to authenticate the
website). The attacker first has to obtain a forged certificate for
"mta-sts.<your-domain>", and then forged certificates for one of the MX
hosts.

If you independently obtain, and periodically recheck, the list of MX
hosts for one or more domains, you can use a TLS policy that lists those
names as the names to check, with either "verify" or "secure", which are
identical once you explicitly specify the match names.

    example.com secure match=mx1.example.com:mx2.example.com

-- 
    Viktor.
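An added example (not code from this thread, Postfix or mta-sts-daemon) of the "independently obtain the MX list" step: it parses a policy text that has already been fetched over HTTPS from https://mta-sts.<domain>/.well-known/mta-sts.txt and emits the static tls_policy entry shown above, refusing testing-mode policies and wildcard mx entries rather than weakening the match list. The sample policy is constructed for example.com.

```python
"""Turn a fetched MTA-STS policy into a static Postfix tls_policy entry."""


def parse_mta_sts_policy(text):
    """Parse the 'key: value' lines of an MTA-STS policy (RFC 8461 section 3.2).

    Returns (fields, mx_hosts): 'mx' may repeat, other keys keep the last value.
    """
    fields, mx_hosts = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue  # blank or malformed line, ignored
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            mx_hosts.append(value.lower())
        else:
            fields[key] = value
    return fields, mx_hosts


def tls_policy_entry(domain, fields, mx_hosts):
    """Build 'domain secure match=host1:host2' from an enforce-mode policy."""
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing MTA-STS version")
    if fields.get("mode") != "enforce":
        # 'testing' and 'none' mean the publisher is not asking for
        # enforcement, so a 'secure' entry would outrun their intent.
        raise ValueError("policy mode %r is not enforce" % fields.get("mode"))
    if not mx_hosts:
        raise ValueError("policy lists no mx hosts")
    for host in mx_hosts:
        # Wildcards such as '*.example.com' would need Postfix's subdomain
        # matching rules; reject them instead of guessing.
        if host.startswith("*") or not host.replace("-", "").replace(".", "").isalnum():
            raise ValueError("refusing wildcard or malformed mx entry: %s" % host)
    return "%s secure match=%s" % (domain, ":".join(mx_hosts))


# Constructed sample, as it would be served for example.com (not a real policy).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: mx2.example.com
max_age: 604800
"""

if __name__ == "__main__":
    fields, mx_hosts = parse_mta_sts_policy(SAMPLE_POLICY)
    print(tls_policy_entry("example.com", fields, mx_hosts))
```

Rerun it on a schedule and diff the output against the live tls_policy table so MX changes are noticed rather than silently failing with "secure".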