> On 24 Aug 2021, at 7:58 pm, Matt Corallo <ps...@mattcorallo.com> wrote:
>
> May be worth mentioning here that, sadly, Postfix does not support MTA-STS
> currently.
>
> The one implementation at
> https://github.com/Snawoot/postfix-mta-sts-resolver/ will reduce security
> rather than increase it as dual-MTA-STS-DANE domains start to appear [1].
> Until then, because MTA-STS is deployed basically just by Microsoft and
> Google, you can accomplish the same result by checking the MX is outlook.com
> or google.com in a tls_policy_maps lookup daemon. By the point MTA-STS
> matters in the slightest, even Microsoft should be enforcing DANE [2], so
> there's probably no use bothering in any case.
>
> [1] https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67
> [2] https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=dnssec
MTA-STS is not presently worthy of support. Support is so thin that it is
far simpler to just enable "secure" delivery to a small handful of domains
(gmail.com primarily), and be done. The policy can be periodically updated
by querying their MTA-STS record out of band.

The actual protocol is rather a kludge, and I am not inclined to write code
to support it.

--
Viktor.
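One way to do the out-of-band refresh Viktor describes, as an added example that is not part of the thread and not Postfix's or the postfix-mta-sts-resolver project's own code: fetch a domain's RFC 8461 policy file, validate it, and render a tls_policy_maps "secure" entry whose match= patterns are the policy's mx lines. The domain `example.com`, the policy text `SAMPLE_POLICY` and the function names are constructed for the example; only the Python standard library is used.

```python
"""
Added example (not from the thread, Postfix, or postfix-mta-sts-resolver):
convert an MTA-STS policy (RFC 8461) into a Postfix tls_policy_maps entry so
that "secure" delivery to a few domains can be refreshed out of band.
Assumptions: Python 3 standard library; SAMPLE_POLICY and example.com are
constructed inputs, nothing is fetched unless fetch_policy() is called.
"""
import re
import urllib.request

# Constructed sample of what https://mta-sts.<domain>/.well-known/mta-sts.txt
# returns; real policies (gmail.com, outlook.com) have the same shape.
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.mx.example.com\r\n"
    "max_age: 604800\r\n"
)

# RFC 8461 allows a wildcard only as the leftmost label of an mx pattern.
_MX_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)


def parse_policy(text):
    """Parse mta-sts.txt into a dict; raise ValueError on malformed input."""
    policy = {"mx": []}
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not a key: value line: %r" % raw)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            if not _MX_RE.match(value):
                raise ValueError("bad mx pattern: %r" % value)
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
        # Unknown keys are allowed by the RFC for extensibility; ignore them.
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid mode")
    if not policy["mx"] and policy["mode"] != "none":
        raise ValueError("policy lists no mx patterns")
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy


def to_postfix_entry(domain, policy):
    """
    Render one tls_policy_maps line, or None when nothing should be enforced.
    "*.host" becomes ".host" (Postfix subdomain match); a plain name is
    matched exactly. Only enforce-mode policies are emitted, because a
    tls_policy_maps hit overrides smtp_tls_security_level=dane for that
    destination, which is the downside Matt points out for domains that
    publish both MTA-STS and DANE.
    """
    if policy["mode"] != "enforce":
        return None
    patterns = []
    for mx in policy["mx"]:
        pat = "." + mx[2:] if mx.startswith("*.") else mx
        if pat not in patterns:
            patterns.append(pat)
    return "%s secure match=%s" % (domain, ":".join(patterns))


def fetch_policy(domain, timeout=10):
    """Out-of-band fetch of the policy file; the RFC requires HTTPS."""
    url = "https://mta-sts.%s/.well-known/mta-sts.txt" % domain
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "strict")


if __name__ == "__main__":
    # Prints: example.com secure match=mail.example.com:.mx.example.com
    print(to_postfix_entry("example.com", parse_policy(SAMPLE_POLICY)))
```

The output line goes into the file named by tls_policy_maps, followed by `postmap`; rerun the fetch no later than the policy's max_age, and skip the HTTPS fetch when the `id` in the domain's `_mta-sts.<domain>` TXT record has not changed. Before adding an entry, check whether the destination also publishes TLSA records, since the "secure" entry will replace DANE verification for it.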