On 01/08/2019 02:35 PM, Viktor Dukhovni wrote:
> That's OK, you have working DANE, you mostly don't need MTA-STS.

Wait a minute. Maybe it's the "mostly" qualifier there, but I thought the first S was one of the critical parts of MTA-STS (or HSTS for that matter).

Whereby the "Strict" means that "Transport Security" *MUST* be used. As in *NEVER* send email *WITHOUT* transport security. Further, treat any situation where you could send email without transport security as an error.

> MTA-STS is aimed at receiving domains that face obstacles signing their *own* domain.

I view the signal that transport security *MUST* /strictly/ be used as distinctly different than things like DANE. (Perhaps I'm misremembering DANE.)

I'm not aware of anything else that provides the signal that MTA-STS provides.

> There's little excuse for not being able to do DNSSEC validation,

Agreed. I also think there is little reason for not signing your own zones.

> if a sending system is at all serious about outbound SMTP security, it'll do both MTA-STS and DANE.

Agreed.

-- 
Grant. . . .
unix || die
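The "strict" semantics discussed in this message (TLS MUST be used, and an MX that cannot be reached with valid TLS is an error rather than a fallback) can be seen concretely in how a sending MTA evaluates an MTA-STS policy. The following is an added worked example, not code from the thread or from any MTA: a small parser for the RFC 8461 policy file format and the delivery decision under mode enforce versus testing. The policy texts and hostnames are constructed sample values; the requirement that enforce/testing policies list at least one mx is this example's own validation choice.

```python
"""Parse an MTA-STS policy file (RFC 8461 section 3.2) and decide whether a
sending MTA may deliver when TLS to a given MX cannot be validated."""
from dataclasses import dataclass, field

# Constructed sample policies, as a receiving domain would publish them at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (domain is hypothetical).
ENFORCE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.mail.example.com\n"
    "max_age: 604800\n"
)
TESTING_POLICY = ENFORCE_POLICY.replace("mode: enforce", "mode: testing")

MAX_AGE_LIMIT = 31557600  # upper bound for max_age given in RFC 8461


@dataclass
class StsPolicy:
    version: str
    mode: str
    mx: list = field(default_factory=list)
    max_age: int = 0


def parse_policy(text: str) -> StsPolicy:
    """Parse key/value lines; raise ValueError on anything malformed so a
    sender falls back to 'no valid policy' instead of guessing."""
    fields = {}
    mx = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower().rstrip("."))  # mx may repeat
        elif key in fields:
            raise ValueError(f"duplicate key: {key}")
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    age = fields.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        raise ValueError("max_age missing, non-numeric or too large")
    if mode != "none" and not mx:
        # This example's own rule: an active policy must name its MXes.
        raise ValueError("enforce/testing policy must list at least one mx")
    return StsPolicy(version="STSv1", mode=mode, mx=mx, max_age=int(age))


def mx_matches(policy: StsPolicy, host: str) -> bool:
    """A '*.' pattern matches exactly one leftmost label (RFC 8461 section 4.1):
    *.mail.example.com matches a.mail.example.com, not mail.example.com
    and not b.a.mail.example.com."""
    host = host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".mail.example.com"
            if host.endswith(suffix):
                head = host[: -len(suffix)]
                if head and "." not in head:
                    return True
        elif host == pattern:
            return True
    return False


def may_deliver(policy: StsPolicy, mx_host: str, tls_validated: bool):
    """Return (allowed, reason). tls_validated means STARTTLS succeeded with
    a certificate that chains to a trusted root and names mx_host."""
    if policy.mode == "none":
        return True, "mode=none: treat as if no policy were published"
    if tls_validated and mx_matches(policy, mx_host):
        return True, "validated TLS to an MX permitted by the policy"
    if policy.mode == "testing":
        return True, "policy failure, but mode=testing: deliver and report via TLSRPT"
    # The strict case: failure to get validated TLS is an error, not a fallback.
    return False, "mode=enforce: refuse delivery without validated TLS to a listed MX"


if __name__ == "__main__":
    pol = parse_policy(ENFORCE_POLICY)
    for host, tls in (("mail.example.com", True), ("mail.example.com", False),
                      ("mx.attacker.invalid", True)):
        print(host, tls, may_deliver(pol, host, tls))
```

Under mode enforce the third call is the interesting one: a "valid" certificate for a host the policy does not list is still a policy failure, which is what distinguishes MTA-STS from opportunistic TLS. In practice the policy must only be trusted after the `_mta-sts` TXT record and the HTTPS fetch both succeed, and the cached `max_age` is what protects against a downgrade during a later DNS failure.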
