It's a huge pain to set up compared to other things. A lot of the defaults are pretty bad. I have some of our configurations published but not the Postfix and Dovecot ones because that's a mess. Most of the work is Postfix configuration.
This is the only particularly aggressive configuration for anti-spam (reject mail with DKIM failures from key not found):
github.com/GrapheneOS/mai
I don't find rejecting mail without TLS to really ever cause any issues, but I guess normal people would consider that aggressive.
Oh, also, need unbound to provide DNSSEC unless you actually want to use systemd-resolved which has unfortunately been a quite sketchy part of systemd.
If you sent an email to me via Gmail or G Suite, they'd authenticate our server using a weaker form of WebPKI without CT due to MTA-STS. MTA-STS support is rare though.
A major advantage to your own mail server aside from usual self-hosting advantages is inbound/outbound DANE.
You can actually have DNSSEC by using the alternate set of G Suite addresses:
mx1.smtp.goog
mx2.smtp.goog
mx3.smtp.goog
mx4.smtp.goog
They don't have TLSA records though, so still no inbound DANE and they don't do outbound DANE either.
There are actually a lot of mail servers with DANE support, particularly in the EU. More likely than not there's DANE available for emails to/from *.nl addresses.
Maybe Google will give in and admit it's a good thing after Microsoft has finished deploying it as they announced.
MTA-STS is actually trash... the Gmail domain only has a 1 day max-age too, so if your server doesn't send email to Gmail for a day it loses the MTA-STS enforcement. I'd set it up for outbound if it didn't downgrade DANE security for domains with both. :\
It doesn't. MTA-STS is designed not to interfere with DANE deployments when the two overlap.
I'm talking about the actual implementation that's available for Postfix, not what it's supposed to do in theory.
I should have said "It shouldn't, when implemented correctly". Are there no other plugins that do this correctly?
I don't think so. I have it set up for inbound mail i.e. the DNS records + web server serving a policy via an mta-sts subdomain for each domain with mail support. I don't use it for outbound mail because I'm not willing to downgrade DANE security for it due to that issue.
Far more mail servers have DANE than MTA-STS. The extremely relevant exception to that is Gmail but they only have 1 day max-age which isn't very good as a small mail server only occasionally sending them mail.
It would make more sense to just hard-wire Gmail as WebPKI TLS.
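An added example (not the poster's configuration or any project's code) showing the shape of the policy a sender fetches from the mta-sts subdomain, how MX hostnames are matched against it, and why a 1-day max_age leaves an infrequent sender with no enforceable policy; the policy text and hostnames are constructed.

```python
"""MTA-STS policy parsing, MX matching and cache-expiry check (RFC 8461)."""
import time

# Constructed sample policy: enforce mode with a 1-day max_age, as the
# thread describes for Gmail. Not a real published policy.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.smtp.example.com
max_age: 86400
"""


def parse_policy(text):
    """Parse 'key: value' lines into a dict; the 'mx' key may repeat."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or \
            policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("malformed MTA-STS policy")
    return policy


def mx_matches(policy, hostname):
    """A leading '*.' matches exactly one left-most label (RFC 8461 s.4.1)."""
    host = hostname.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # keep the leading dot: ".smtp.example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def policy_in_force(policy, fetched_at, now=None):
    """True while a cached policy is younger than max_age; once it lapses and
    no new fetch happened (no mail sent that day), nothing is enforced."""
    now = time.time() if now is None else now
    return now - fetched_at < policy["max_age"]
```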
Could probably copy their CA pins from Chromium for their web servers since I'm pretty sure they just use the same setup in practice. It would make a whole lot more sense for them to just use DNSSEC and TLSA records.
They also have their own TLDs they can and do use...