Hello, list.

It is common knowledge that TLS for server-server SMTP is merely opportunistic
and there is no strong guarantee it will be used. Even worse, in many cases 
MTAs lack any protection against active attacks (e.g. via MitM involving
downgrade to plaintext or DNS poisoning to spoof MX records).

There is a new SMTP extension called REQUIRETLS (RFC 8689[2]) that can help 
this by providing clients with a way to require TLS use with authenticated MX 
records for security-sensitive messages.

I would like to start a discussion on how this extension can be useful for 
postfix users and whether there is a possibility of getting its support.

Here are some thoughts from the chasquid developer[3]
> ... this RFC introduces significant
>interoperability risks, because any MTA that doesn't support REQUIRETLS
>(which also requires the target domain to implement MTA-STS or DNSSEC,
>both fairly uncommon) will cause the mail to be rejected, which is quite
>strong and can easily cause usability problems.
>
>And this is not that trivial to implement, since it has implications for
>DSNs, aliases expansion, etc. It's more intrusive than it might seem. 

[1]: https://www.rfc-editor.org/rfc/rfc7435.html
[2]: https://www.rfc-editor.org/rfc/rfc8689.html
[3]: https://groups.google.com/forum/#!topic/chasquid/1boTw1rvU8g

Cheers,
Max Mazurov

Reply via email to