Conversation

Replying to

and

Oh, also, need unbound to provide DNSSEC unless you actually want to use systemd-resolved which has unfortunately been a quite sketchy part of systemd.

Replying to

and

If you sent an email to me via Gmail or G Suite, they'd authenticate our server using a weaker form of WebPKI without CT due to MTA-STS. MTA-STS support is rare though. A major advantage to your own mail server aside from usual self-hosting advantages is inbound/outbound DANE.

Replying to

and

You can actually have DNSSEC by using the alternate set of G Suite addresses: mx1.smtp.goog mx2.smtp.goog mx3.smtp.goog mx4.smtp.goog They don't have TLSA records though, so still no inbound DANE and they don't do outbound DANE either.

Replying to

and

There are actually a lot of mail servers with DANE support, particularly in the EU. More likely than not there's DANE available for emails to/from *.nl addresses. Maybe Google will give in and admit it's a good thing after Microsoft has finished deploying it as they announced.

Replying to

and

MTA-STS is actually trash... the Gmail domain only has a 1 day max-age too, so if your server doesn't send email to Gmail for a day it loses the MTA-STS enforcement. I'd set it up for outbound if it didn't downgrade DANE security for domains with both. :\

Replying to

and

It doesn't. MTA-STS is designed not to interfere with DANE deployments when the two overlap.

uriports.com

MTA-STS explained

Google announced that they made email more secure by adopting the new MTA-STS internet standard. But what is MTA-STS and how does it improve security?

Replying to

and

I'm talking about the actual implementation that's available for Postfix, not what it's supposed to do in theory.

github.com

MTA-STS Overrides DANE · Issue #67 · Snawoot/postfix-mta-sts-resolver

I don't know of a good domain to generate a test-case for, sadly, so apologies if this isn't true, but from my understanding of the integration flow, it seems like using this in smt...

Replying to

and

I should have said "It shouldn't, when implemented correctly". Are there no other plugins that do this correctly?

Replying to

and

I don't think so. I have it set up for inbound mail i.e. the DNS records + web server serving a policy via an mta-sta subdomain for each domain with mail support. I don't use it for outbound mail because I'm not willing to downgrade DANE security for it due to that issue.

Replying to

and

Far more mail servers have DANE than MTA-STS. The extremely relevant exception to that is Gmail but they only have 1 day max-age which isn't very good as a small mail server only occasionally sending them mail. It would make more sense to just hard-wire Gmail as WebPKI TLS.

Replying to

and

Could probably copy their CA pins from Chromium for their web servers since I'm pretty sure they just use the same setup in practice. It would make a whole lot more sense for them to just use DNSSEC and TLSA records. They also have their own TLDs they can and do use...

5:24 AM · Jun 13, 2021Twitter Web App

Replying to

and

There are alternate G Suite domains with DNSSEC: mx1.smtp.goog mx2.smtp.goog mx3.smtp.goog mx4.smtp.goog It's their own TLD, registrar and CA. They could easily use TLSA records with their own intermediate/root. Why don't they? Politics?