Imho you get pretty close to mta-sts if you use verify together with a DNSSEC-validating resolver. You just validate the "authorized" MTAs by different means. I still think SMTP-DANE (RFC 7672) is preferable.

Regards,
Joachim
-----Original Message-----
From: Michael W. Lucas via Postfix-users <postfix-users@postfix.org>
Sent: Friday, 8 March 2024 21:35
To: postfix-users@postfix.org; Viktor Dukhovni <postfix-us...@dukhovni.org>
Subject: [pfx] Re: mta-sts and smtp_tls_security_level

On Fri, Mar 08, 2024 at 03:05:43PM -0500, Viktor Dukhovni via Postfix-users wrote:
> On Fri, Mar 08, 2024 at 01:28:00PM -0500, Michael W. Lucas via Postfix-users
> wrote:
>
> > Realistically, Gmail and Yahoo do not care about my MTA-STS reports.
> > All they care about is that I validate their X.509 certs.
> >
> > Is there any reason to use something like mta-sts-daemon in that
> > transport instead of just setting smtp_tls_security_level=verify ?
>
> Just using verify leaves you more vulnerable to DNS-based MiTM
> attacks, because "verify" uses unvalidated MX hostnames as the
> "reference identifiers" in certificate matching.
>
> With "mta-sts", you are expected to obtain a trusted copy of the MX
> host list via HTTPS (trusting one of various WebPKI CAs to
> authenticate the website). The attacker first has to obtain a forged
> certificate for "mta-sts.<your-domain>", and then forged certificates
> for one of the MX hosts.
>
> If you independently obtain, and periodically recheck, the list of MX
> hosts for one or more domains, you can use a TLS policy that lists
> those names as the names to check, with either "verify" or "secure",
> which are identical once you explicitly specify the match names.
>
>     example.com secure match=mx1.example.com:mx2.example.com

Ah! Very clear, thank you. That's the last thing I need to finish this
silly book.

==ml
--
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder, Absolute FreeBSD, Butterfly Stomp Waltz, TLS Mastery, etc...
### New books: DNSSEC Mastery, Letters to ed(1), $ git sync murder ###
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
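The configuration the thread converges on, written out as an added example (not posted by any participant and not taken from the Postfix documentation): a main.cf fragment wiring in a per-destination TLS policy table, the weak "verify" entry that takes its reference identifiers from an unvalidated MX lookup, and beside it the pinned "secure match=" entry from Viktor's message, plus the DANE settings Joachim prefers. The domain example.com, the MX hosts mx1/mx2.example.com, the CA bundle path and the table location are hypothetical placeholders.

```text
# /etc/postfix/main.cf  (added example; all names and paths are hypothetical)

# Trust store consulted by the "verify" and "secure" levels; the bundle
# path differs per distribution.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Default for every other destination: opportunistic TLS, no authentication.
smtp_tls_security_level = may

# Per-nexthop-domain policy table; entries below override the default.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Joachim's alternative: with a DNSSEC-validating resolver (normally on
# localhost) the "dane" level authenticates both the MX host list and the
# server certificate from the domain's own TLSA records, and falls back to
# "may" for domains that publish none. Uncomment to use instead of "may":
#smtp_dns_support_level = dnssec
#smtp_tls_security_level = dane


# /etc/postfix/tls_policy   (rebuild with: postmap /etc/postfix/tls_policy
#                            and then: postfix reload)

# Weak: no match= list, so the names checked against the certificate are
# the MX host names from an unvalidated DNS answer. A forged MX record
# pointing at an attacker's host with an ordinary WebPKI certificate for
# that host's own name passes this check.
#example.com    verify

# Corrected: pin the independently obtained MX host names. The certificate
# presented must now carry one of THESE names, which no DNS forgery can
# change. With an explicit match= list "secure" and "verify" behave the same.
example.com     secure match=mx1.example.com:mx2.example.com
```

The caveat that goes with pinning: if the remote domain later renames or adds MX hosts, deliveries to it are deferred until the match= list is updated, because at the "secure" and "verify" levels a name mismatch is a hard failure, not a fallback to unauthenticated TLS. That is why Viktor's message says the list must be periodically rechecked, ideally from a source that does not depend on the same unvalidated DNS the policy is meant to protect against.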