> On Feb 17, 2018, at 2:35 PM, Scott Kitterman <post...@kitterman.com> wrote:
>
> Here's the current draft:
>
> https://tools.ietf.org/html/draft-ietf-uta-mta-sts-14
>
> Having given it a quick read, I don't know that postfix needs to make any
> changes for this. I believe it could be readily managed by an external policy
> server, which is, AIUI, the preferred approach. See:
>
> http://www.postfix.org/SMTPD_POLICY_README.html
Unfortunately that will not work. The policy service only applies to
inbound mail.

One can of course automate periodic SMTP TLS policy updates from the STS
URIs of a handful of providers, and let the usual outbound TLS policy take
care of the rest:

    http://www.postfix.org/TLS_README.html#client_tls_policy

For example (mode: testing, means there's little security from this at
present):

    $ curl https://mta-sts.gmail.com/.well-known/mta-sts.txt
    version: STSv1
    mode: testing
    mx: gmail-smtp-in.l.google.com
    mx: .gmail-smtp-in.l.google.com
    max_age: 86400

would translate (via a suitable cron job to update the table) into:

    tls-policy:
        gmail.com secure match=gmail-smtp-in.l.google.com:.gmail-smtp-in.l.google.com

assuming one also has something along the lines of:

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        smtp_tls_policy_maps = ${indexed}tls-policy
        smtp_tls_CApath = ... c_rehash'ed directory with usual WebPKI roots ...

and provided one is bold enough to ignore "testing" and just require
working TLS authentication.

-- 
	Viktor.
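The translation step of the cron job Viktor sketches, as an added example (not code from the thread, from Postfix, or from the MTA-STS draft): it parses the fetched mta-sts.txt and emits the smtp_tls_policy_maps line. The sample policy text is constructed from the gmail.com output quoted above; the DNS discovery (the _mta-sts TXT record) and the HTTPS fetch are left out, and the function names, the trust_testing switch, and the hostname regex are this example's own choices. Two caveats from the reply are encoded: a "testing" policy is only translated when the operator opts in, and mx patterns are validated before they are written into a Postfix table.

```python
"""Translate an MTA-STS policy (mta-sts.txt) into a Postfix tls-policy line.

Added example, not Postfix code.  Mirrors the manual translation in the
thread: each "mx:" pattern becomes one element of the match= list of a
"secure" policy for the domain.  A leading dot in an mx pattern means
"any subdomain" both in MTA-STS and in Postfix match= patterns, so it is
passed through unchanged.
"""
import re

# Constructed sample: the gmail.com policy quoted in the thread.
SAMPLE_POLICY = """\
version: STSv1
mode: testing
mx: gmail-smtp-in.l.google.com
mx: .gmail-smtp-in.l.google.com
max_age: 86400
"""

# Accept only an optional leading dot followed by DNS labels.  Anything else
# (whitespace, colons, '=') is refused so a hostile or broken policy file
# cannot inject extra attributes into the Postfix table line.
_MX_RE = re.compile(
    r"^\.?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)


def parse_policy(text):
    """Parse 'key: value' lines.  'mx' may repeat and is collected in order;
    any other key keeps its last value.  Blank lines are ignored."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed policy line: %r" % raw)
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def to_tls_policy(domain, policy, trust_testing=False):
    """Return the tls-policy table line for DOMAIN, or None if no 'secure'
    entry should be written.

    - version must be STSv1;
    - mode 'none' withdraws the policy, so nothing is written;
    - mode 'testing' promises no enforcement, so it is only translated when
      the operator opts in (being "bold enough", as the reply puts it);
    - max_age must be a positive integer.
    """
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version: %r" % policy.get("version"))
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("unknown mode: %r" % mode)
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) <= 0:
        raise ValueError("bad max_age: %r" % max_age)
    if mode == "none" or (mode == "testing" and not trust_testing):
        return None
    mxs = policy["mx"]
    if not mxs:
        raise ValueError("policy has no mx lines")
    for mx in mxs:
        if not _MX_RE.match(mx):
            raise ValueError("refusing suspicious mx pattern: %r" % mx)
    return "%s secure match=%s" % (domain, ":".join(mxs))


def main():
    # A real cron job would fetch https://mta-sts.<domain>/.well-known/mta-sts.txt
    # for each domain of interest, write the lines to the tls-policy file and
    # run "postmap tls-policy" so the indexed table is rebuilt.
    line = to_tls_policy("gmail.com", parse_policy(SAMPLE_POLICY),
                         trust_testing=True)
    if line:
        print(line)


if __name__ == "__main__":
    main()
```

With trust_testing=True the output is exactly the "gmail.com secure match=..." line from the reply; with the default, a testing-mode policy yields no entry and delivery falls back to the global smtp_tls_security_level. After rewriting the table, the job must run postmap on it, since the indexed lookup table is what Postfix reads, not the text file.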