Hi Viktor,

On Sun, Apr 10, 2016 at 20:36:42 +0000, Viktor Dukhovni wrote:
> > OK, got it. But this is going to work only for nexthops / relays
> > specified as a mail domain (and not as hosts), right?
>
> Either. For example, DANE works regardless of whether routing is
> via MX records or directly to the nexthop as a hostname.

I am not sure that the analogy with DANE is appropriate. DANE has TLSA
records for hosts, and not for mail domains (and can of course securely
map mail domains to hosts with DNSSEC MX lookups), whereas STS focuses
on the policy for mail domains, right?

> A domain with no MX records, or an administrator-specified route in
> which the nexthop is not subject to MX lookups (a [nexthop.example] in
> square brackets with Sendmail and Postfix) is implicitly equivalent
> to:
>
>     nexthop.example. IN MX 0 nexthop.example.
>
> So if a Postfix transport table contains:
>
>     example.com smtp:example.net
>
> then we deliver example.com's mail via the MX hosts of example.net
> with whatever policy pertains to other mail sent via example.net.
> If, on the other hand, the transport table contains:
>
>     example.org smtp:[smtp.example.name]
>
> then mail is sent via the smtp.example.name relay, and the TLS
> policy is that for "smtp.example.name" as a domain with no MX
> records.

In the case of STS, I have the feeling that it is important not to mix
up mail domains and hostnames. So if you have:

    example.org smtp:[example.name]

then "example.name" is a hostname, and the MTA shouldn't look up the
policy for "example.name", because that is actually the policy for the
mail domain "example.name".

Cheers
David

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
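The transport-table distinction the two messages above turn on, as an added example that is not part of the thread and not Postfix or any STS implementation: a small parser for transport(5)-style entries that classifies each nexthop as a mail domain (unbracketed, subject to MX lookup) or a literal host (in square brackets, no MX lookup), records the MX record Viktor says a bracketed nexthop is implicitly treated as having, and, following David's distinction, reports a name for an STS policy lookup only when the nexthop is a mail domain. The sample table is constructed; treating an empty nexthop as the recipient domain is an assumption made here about transport(5) semantics.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample transport(5) table, modelled on the entries quoted in
# the thread (not a real configuration).
SAMPLE_TRANSPORT = """\
# recipient domain   transport:nexthop
example.com          smtp:example.net
example.org          smtp:[smtp.example.name]
example.net          smtp:[smtp.example.name]:587
example.edu          smtp:
"""

# A nexthop is either "[host]" (literal host, no MX lookup) or "domain"
# (MX lookup), optionally followed by ":port".
_NEXTHOP_RE = re.compile(
    r"^(?:\[(?P<host>[^\]]+)\]|(?P<domain>[^:\[\]]*))(?::(?P<port>\d+))?$"
)


@dataclass
class Route:
    recipient_domain: str
    transport: str
    nexthop: str
    port: Optional[int]
    mx_lookup: bool  # False when the nexthop was written in square brackets

    def implied_mx_record(self) -> Optional[str]:
        """For a bracketed nexthop, the MX record the MTA behaves as if it had
        (Viktor's "nexthop.example. IN MX 0 nexthop.example."); None when the
        nexthop is a domain whose real MX records are looked up."""
        if self.mx_lookup:
            return None
        return f"{self.nexthop}. IN MX 0 {self.nexthop}."

    def sts_policy_domain(self) -> Optional[str]:
        """Name an STS policy lookup would be keyed on, following David's
        distinction: only an unbracketed nexthop names a mail domain; a
        bracketed nexthop is a hostname and carries no mail-domain policy."""
        return self.nexthop if self.mx_lookup else None


def parse_entry(recipient_domain: str, rhs: str) -> Route:
    """Split a 'transport:nexthop' right-hand side and classify the nexthop."""
    transport, _, nexthop = rhs.partition(":")
    m = _NEXTHOP_RE.match(nexthop)
    if m is None:
        raise ValueError(f"malformed nexthop {nexthop!r}")
    port = int(m.group("port")) if m.group("port") else None
    if m.group("host") is not None:
        return Route(recipient_domain, transport, m.group("host"), port, False)
    domain = m.group("domain")
    # Assumption made for this example: an empty nexthop ("smtp:") means
    # deliver to the recipient domain itself via its MX records.
    if domain == "":
        domain = recipient_domain
    return Route(recipient_domain, transport, domain, port, True)


def parse_transport(text: str) -> List[Route]:
    """Parse a transport table, skipping blank lines and '#' comments."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed transport entry {line!r}")
        routes.append(parse_entry(parts[0], parts[1]))
    return routes


if __name__ == "__main__":
    for r in parse_transport(SAMPLE_TRANSPORT):
        kind = "domain (MX lookup)" if r.mx_lookup else "host (no MX lookup)"
        print(f"{r.recipient_domain:12} -> {r.nexthop} [{kind}] "
              f"port={r.port} implied_mx={r.implied_mx_record()} "
              f"sts_policy_domain={r.sts_policy_domain()}")
```

Run it as a script to see the classification of each constructed entry; the third entry shows that an explicit port does not change whether the nexthop is a host or a domain, only the brackets do.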
