Evaluate MTA-STS
Coincidentally, MTA-STS was brought up on the postfix-users mailing list in the thread "MTA-STS when?".
On 02/17/18 21:00, Viktor Dukhovni wrote:
On Feb 17, 2018, at 2:35 PM, Scott Kitterman postfix@kitterman.com wrote:
Here's the current draft:
https://tools.ietf.org/html/draft-ietf-uta-mta-sts-14
Having given it a quick read, I don't know that postfix needs to make any changes for this. I believe it could be readily managed by an external policy server, which is, AIUI, the preferred approach. See:
Unfortunately that will not work. The policy service only applies to inbound mail. One can of course automate periodic SMTP TLS policy updates from the STS URIs of a handful of providers, and let the usual outbound TLS policy take care of the rest:
http://www.postfix.org/TLS_README.html#client_tls_policy
For example (mode: testing, means there's little security from this at present):
    $ curl https://mta-sts.gmail.com/.well-known/mta-sts.txt
    version: STSv1
    mode: testing
    mx: gmail-smtp-in.l.google.com
    mx: *.gmail-smtp-in.l.google.com
    max_age: 86400
would translate (via a suitable cron job to update the table) into:
    tls-policy:
        gmail.com secure match=gmail-smtp-in.l.google.com:.gmail-smtp-in.l.google.com
assuming one also has something along the lines of:
    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        smtp_tls_policy_maps = ${indexed}tls-policy
        smtp_tls_CApath = ... c_rehash'ed directory with usual WebPKI roots ...
and provided one is bold enough to ignore "testing" and just require working TLS authentication.
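The translation Viktor describes (fetched MTA-STS policy in, Postfix tls-policy table entry out) is the part a cron job would have to get right. The following is an added example, not code from the thread or from Postfix: it parses a policy file in the RFC 8461 format, validates the fields, and emits the `secure match=...` line for `smtp_tls_policy_maps`. The gmail.com policy is embedded as a constructed sample; in a real job the text would come from `curl` over validated HTTPS after the `_mta-sts` TXT record has been checked, both of which are outside this snippet. The `treat_testing_as_enforce` flag is my name for the "bold enough to ignore testing" choice; by default a `testing` or `none` policy yields no table entry, so the usual outbound TLS policy applies.

```python
"""Turn an MTA-STS policy file into a Postfix smtp_tls_policy_maps entry.

Added example for the postfix-users discussion; not part of Postfix.
Fetching the policy (HTTPS with WebPKI validation) and checking the
_mta-sts DNS TXT record are assumed to happen before this runs.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the gmail.com policy quoted in the thread.
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: gmail-smtp-in.l.google.com
mx: *.gmail-smtp-in.l.google.com
max_age: 86400
"""

# Hostname, optionally with the RFC 8461 "*." single-label wildcard.
MX_RE = re.compile(
    r"^(?:\*\.)?(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$",
    re.IGNORECASE,
)
VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # one year, the upper bound RFC 8461 allows


def parse_policy(text: str) -> Dict[str, object]:
    """Parse and validate a policy file; raise ValueError on anything dubious."""
    policy: Dict[str, object] = {"mx": []}
    mx: List[str] = policy["mx"]  # type: ignore[assignment]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            if not MX_RE.match(value):
                raise ValueError(f"invalid mx pattern: {value!r}")
            mx.append(value.lower())
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"duplicate field: {key}")
            policy[key] = value
        # RFC 8461 allows unknown extension fields; they are ignored here.
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError(f"mode must be one of {sorted(VALID_MODES)}")
    try:
        max_age = int(str(policy.get("max_age", "")))
    except ValueError:
        raise ValueError("max_age must be an integer number of seconds") from None
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    policy["max_age"] = max_age
    if policy["mode"] != "none" and not mx:
        raise ValueError("enforce/testing policy without mx entries")
    return policy


def mx_to_match(mx: str) -> str:
    """Map an MTA-STS mx pattern to a Postfix match= pattern.

    RFC 8461 writes a wildcard as "*.example"; Postfix expresses the
    same subdomain match with a leading dot, ".example".
    """
    return mx[1:] if mx.startswith("*.") else mx


def policy_line(domain: str, policy: Dict[str, object],
                treat_testing_as_enforce: bool = False) -> Optional[str]:
    """Return the tls-policy table line for `domain`, or None for no entry."""
    mode = policy["mode"]
    if mode == "none" or (mode == "testing" and not treat_testing_as_enforce):
        return None
    patterns: List[str] = []
    for mx in policy["mx"]:  # type: ignore[union-attr]
        pattern = mx_to_match(mx)
        if pattern not in patterns:  # keep order, drop duplicates
            patterns.append(pattern)
    return f"{domain} secure match={':'.join(patterns)}"


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY)
    print("# default (testing mode yields no entry):", policy_line("gmail.com", parsed))
    print(policy_line("gmail.com", parsed, treat_testing_as_enforce=True))
```

The emitted line is appended to the `tls-policy` file named in `smtp_tls_policy_maps`, after which `postmap tls-policy` rebuilds the indexed table. Re-running the job at an interval shorter than the policy's `max_age` keeps the table current.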