On Sat, Mar 28, 2026 at 08:32:56AM +0000, Sad Clouds via Postfix-users wrote:
> 1. SMTP server reachable via multiple TLDs
>
> I would like to have the same server reachable via multiple TLDs:
> smtp.example.com, smtp.example.uk. This is mainly to provide TLD
> redundancy in case of issues with registrars or registries.
A rose by any other name... but perhaps you have less frivolous problems
to worry about. There's not much point in mixing TLDs unrelated to any
of the recipient domains served by the MX host(s). If anything, that just
makes your system more fragile.
> With regards to TLS certificates there seem to be several options:
> A) Multiple certificates: one for each specific domain.
> B) Single SAN certificate: covers all domains even with different TLDs.
Keep it simple, with just one name per MX host. If you need actual
resilience deploy multiple MX hosts, not one under multiple names.
> 2. Mail submission
>
> When it comes to mail submission by MUAs, the recommended practices
> seem to be:
> - Always use implicit TLS for SMTP (port 465) and IMAP (port 993).
Yes on the latter. As for 465 vs. 587, whatever is simplest for your
users, often both. STARTTLS is not a problem you really need to be
concerned about.
> - Avoid explicit STARTTLS as it is vulnerable to downgrade attacks.
No, not more so than implicit TLS if the client is not configured to
authenticate the server.
> - Use public CA-signed TLS certificates as self-signed certificates can
> generate warnings from MUAs.
Yes, for the submission port, if you need to support a diverse set of
clients that aren't easily configured for key pinning, and/or you don't
want to deal with changing pinned keys should that some day be needed.
> Is this correct?
Somewhat, but really take a deep breath and don't obsess about all the
security advice you see. Much of it tackles problems of no practical
relevance, and can be counterproductive.
> 3. TLS, DANE, and MTA-STS
>
> The recommendation for the best interop seems to be to support all of
> these features. Postfix seems to have good support for DANE, but less so
> for MTA-STS.
On the server end there's no difference, you just deploy appropriate
certificates. Though supporting both means your certificate may change
a bit more often, so you might want to arrange for key reuse on renewal.
On the client end indeed DANE support is better, provided you have a
local validating resolver installed on the MTA (say unbound, BIND or
Knot).
> DANE requires DNSSEC and can use any certificate, i.e. no need for CA.
> It is more secure than MTA-STS.
DANE on the receiving end needs a DNSSEC-signed domain, but on the
client end, just a validating resolver.
> MTA-STS works without DNSSEC but requires a policy file to be on
> HTTPS, which in turn requires a web server and a certificate signed by
> a public CA. Large email providers like Google and Microsoft deploy
> MTA-STS at scale.
Microsoft also deploys DANE for many (more than 13k) hosted domains,
including hotmail.cz, for example. But outlook.com is not yet
signed.
> 4. Inbound mail relay: other MTAs to my Postfix MTA
>
> For DANE and MTA-STS the required policy needs to be specified via
> DNS and HTTPS but this has nothing to do with Postfix. As long as
> Postfix supports TLS other MTAs adapt their behavior to the specified
> policy. Is this correct?
I recommend not rushing into this. You're still learning and piling on
complexity from the get go is often unwise. Deploy these once you've
gained more experience.
You MUST implement *monitoring* of any security mechanisms *before*
you deploy that mechanism in production. Unmonitored security is
an oxymoron.
If you don't learn in a very timely manner that your DANE or MTA-STS
policy is broken, you start losing mail and may not learn about the problem
for some days or weeks.
> Also, since I need a public CA-signed TLS certificate for mail
> submission, should I reuse the same certificate for mail relay between
> MTAs via opportunistic TLS or is it better to use a different
> certificate?
You have no choice once you've decided to support both.
> 5. Outbound mail relay: from my Postfix MTA to other MTAs
>
> Is it possible to have both DANE and MTA-STS configured in Postfix? If
> yes, how does Postfix decide which one to use when a remote SMTP server
> supports both?
Yes, with one of the actively maintained MTA-STS tls policy lookup
plugins. But again, I would not rush into this quite so early in
your journey into running an email server.
> How does Postfix support MTA-STS? Some people mention third party
> packages like postfix-mta-sts-resolver or postfix-tlspol.
Yes, those, especially if they support recent Postfix changes
to make MTA-STS handling a bit more robust. See the docs.
> What is the recommended method to interop with Google and Microsoft
> TLS enabled MTAs? Would it be simpler to just create some map and tell
> Postfix to always enforce TLS for gmail.com domain for example, ignore
> any policy files they provide and don't bother with TLS-RPT?
Enable opportunistic TLS (security level "may") and operate a server
for at least some months to a year or two, and then after reading
the list for a while, and coming to understand the docs without
having to ask lots of questions, consider doing more.
--
Viktor. 🇺🇦 Слава Україні!
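The reply above insists on monitoring DANE and MTA-STS before relying on them, and on key reuse at renewal so TLSA records keep matching. The script below is an added example of that kind of consistency check; it is not Viktor's code nor part of Postfix or any of the MTA-STS plugins mentioned. Everything in it is constructed: the SPKI bytes stand in for the DER SubjectPublicKeyInfo you would extract from the live certificate, the TLSA tuples stand in for the records published at _25._tcp.<mx>, and the policy text is a hypothetical RFC 8461 policy body fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt. It checks that at least one DANE-EE(3)/SPKI(1) TLSA record matches the served key, and that every MX host is covered by the MTA-STS "mx:" patterns (wildcards match exactly one leftmost label).

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: stands in for the DER-encoded SubjectPublicKeyInfo
# currently served on port 25. Hypothetical bytes, not a real key.
CURRENT_SPKI = b"hypothetical-spki-der-for-smtp.example.com"

# Constructed TLSA RRset for _25._tcp.smtp.example.com:
# (usage, selector, matching type, hex data) = DANE-EE(3), SPKI(1), SHA-256(1).
PUBLISHED_TLSA = [
    (3, 1, 1, hashlib.sha256(CURRENT_SPKI).hexdigest()),
]

# Constructed MTA-STS policy body (hypothetical domain example.com).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: smtp.example.com
mx: *.backup.example.com
max_age: 86400
"""

# Constructed MX hostnames the domain actually publishes.
MX_HOSTS = ["smtp.example.com", "mx1.backup.example.com"]


@dataclass
class StsPolicy:
    version: str
    mode: str
    mx: list
    max_age: int


def parse_mta_sts_policy(text: str) -> StsPolicy:
    """Parse an RFC 8461 policy body ("key: value" lines, mx may repeat)."""
    fields = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            fields["mx"].append(value.lower().rstrip("."))
        else:
            fields[key] = value
    return StsPolicy(
        version=fields.get("version", ""),
        mode=fields.get("mode", "").lower(),
        mx=fields["mx"],
        max_age=int(fields.get("max_age", "0")),
    )


def mx_matches_policy(mx_host: str, policy: StsPolicy) -> bool:
    """True if the MX host is covered by an exact or one-label wildcard pattern."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.com"
            # The wildcard covers exactly one leftmost label, not deeper names.
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def tlsa_matches(spki_der: bytes, records) -> bool:
    """True if some DANE-EE(3)/SPKI(1) TLSA record matches the served key."""
    for usage, selector, mtype, data in records:
        if usage != 3 or selector != 1:
            continue  # other usages/selectors need the full chain; not handled here
        if mtype == 1:
            digest = hashlib.sha256(spki_der).hexdigest()
        elif mtype == 2:
            digest = hashlib.sha512(spki_der).hexdigest()
        elif mtype == 0:
            digest = spki_der.hex()  # full SPKI published verbatim
        else:
            continue
        if digest == data.lower():
            return True
    return False


def monitor(spki_der: bytes, tlsa_records, policy_text: str, mx_hosts) -> list:
    """Return findings; an empty list means DANE and MTA-STS data look consistent."""
    findings = []
    if not tlsa_matches(spki_der, tlsa_records):
        findings.append("DANE: no TLSA record matches the served key "
                        "(key rotated without updating TLSA?)")
    policy = parse_mta_sts_policy(policy_text)
    if policy.version != "STSv1":
        findings.append(f"MTA-STS: unexpected version {policy.version!r}")
    for mx in mx_hosts:
        if not mx_matches_policy(mx, policy):
            findings.append(f"MTA-STS: MX {mx} not covered by policy mx list")
    return findings


if __name__ == "__main__":
    for finding in monitor(CURRENT_SPKI, PUBLISHED_TLSA, SAMPLE_POLICY, MX_HOSTS):
        print(finding)
```

Run from cron against live data (DNS TLSA lookups via a validating resolver, the policy fetched over HTTPS, the SPKI taken from the certificate on port 25) and alert on any non-empty result; a silent run is the "monitoring before deployment" the reply asks for.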
Postfix-users mailing list -- [email protected]