Hello,

One way to implement MTA-STS in Postfix is a server that generates responses that smtp_tls_policy_maps can consume. I'm evaluating https://github.com/Snawoot/postfix-mta-sts-resolver...

  smtp_tls_policy_maps = socketmap:inet:mta-sts-resolver.example:8461:postfix

This works, but ... the MTA-STS policy is also looked up for destinations that may be verified by DANE. So, where is the problem?

I could set up an MTA without access to the usual CA trust store data; SMTP via TLS is opportunistic. Also imagine a destination (mail.de or my domain, for example) that could be verified by DANE *and* publishes an MTA-STS policy. If an MTA connects to such a destination, the smtp_tls_policy_maps setup "overwrites" DANE by returning "secure match=$(MX-List from MTA-STS)". Now the MTA is required to have access to a CA trust store, otherwise the smtp_tls_policy_map result prevents the MTA from delivering the message.

Somehow I feel uncomfortable with such a setup, but I've no idea how to avoid that with the current postfix-3.4.5 (besides providing Postfix access to a full CA trust store).

Andreas
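An added example, not part of Andreas's post and not code from postfix-mta-sts-resolver: a minimal socketmap responder in Python showing how a cached MTA-STS policy becomes the "secure match=..." value that smtp_tls_policy_maps consumes (request/reply framing as in socketmap_table(5)), and how a non-enforce policy answers NOTFOUND so Postfix keeps its default level, e.g. dane, for that destination. The domain names and policy texts are constructed; the TCP listener around these functions is omitted.

```python
# Added example: socketmap plumbing between an MTA-STS policy cache and
# smtp_tls_policy_maps. Not the resolver project's own code.

# Constructed sample: cached MTA-STS policy texts keyed by recipient domain.
# A real resolver fetches these from https://mta-sts.<domain>/.well-known/mta-sts.txt
POLICY_CACHE = {
    "mail.de": "version: STSv1\nmode: enforce\nmx: mx1.mail.de\nmx: *.mail.de\nmax_age: 604800\n",
    "testing.example": "version: STSv1\nmode: testing\nmx: mx.testing.example\nmax_age: 86400\n",
}

def policy_to_match(policy_text):
    """Translate MTA-STS policy text into a Postfix TLS policy value.
    Returns None unless mode is 'enforce', so Postfix keeps its default
    (e.g. smtp_tls_security_level = dane) for testing/none domains."""
    mode, mx = None, []
    for line in policy_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mode":
            mode = value.lower()
        elif key == "mx" and value:
            # MTA-STS wildcard "*.example" -> Postfix parent-domain pattern ".example"
            mx.append(value[1:] if value.startswith("*.") else value)
    if mode != "enforce" or not mx:
        return None
    return "secure match=" + ":".join(mx)

def encode_netstring(data: bytes) -> bytes:
    """socketmap frames every request and reply as a netstring: <len>:<bytes>,"""
    return b"%d:%s," % (len(data), data)

def decode_netstring(data: bytes) -> bytes:
    length, sep, rest = data.partition(b":")
    n = int(length)
    if sep != b":" or rest[n:n + 1] != b",":
        raise ValueError("malformed netstring")
    return rest[:n]

def handle_request(raw: bytes) -> bytes:
    """One socketmap exchange: request '<map> <key>', reply 'OK <value>' or 'NOTFOUND '."""
    mapname, _, key = decode_netstring(raw).partition(b" ")
    if mapname != b"postfix":
        return encode_netstring(b"PERM unknown map")
    value = policy_to_match(POLICY_CACHE.get(key.decode().lower(), ""))
    if value is None:
        return encode_netstring(b"NOTFOUND ")
    # Any "OK secure ..." reply overrides the default security level (e.g. dane)
    # for this destination, which is the interaction described in the post.
    return encode_netstring(b"OK " + value.encode())
```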
