If you sent an email to me via Gmail or G Suite, they'd authenticate our server using a weaker form of WebPKI without CT due to MTA-STS. MTA-STS support is rare though.
A major advantage to your own mail server aside from usual self-hosting advantages is inbound/outbound DANE.
You can actually have DNSSEC by using the alternate set of G Suite addresses:
mx1.smtp.goog
mx2.smtp.goog
mx3.smtp.goog
mx4.smtp.goog
They don't have TLSA records though, so still no inbound DANE and they don't do outbound DANE either.
There are actually a lot of mail servers with DANE support, particularly in the EU. More likely than not there's DANE available for emails to/from *.nl addresses.
Maybe Google will give in and admit it's a good thing after Microsoft has finished deploying it as they announced.
MTA-STS is actually trash... the Gmail domain only has a 1-day max-age too, so if your server doesn't send email to Gmail for a day it loses the MTA-STS enforcement. I'd set it up for outbound if it didn't downgrade DANE security for domains with both. :\
It doesn't. MTA-STS is designed not to interfere with DANE deployments when the two overlap.
I'm talking about the actual implementation that's available for Postfix, not what it's supposed to do in theory.
I should have said "It shouldn't, when implemented correctly". Are there no other plugins that do this correctly?
I don't think so. I have it set up for inbound mail, i.e. the DNS records + a web server serving a policy via an mta-sts subdomain for each domain with mail support. I don't use it for outbound mail because I'm not willing to downgrade DANE security for it due to that issue.
Far more mail servers have DANE than MTA-STS. The extremely relevant exception to that is Gmail, but they only have a 1-day max-age, which isn't very good for a small mail server only occasionally sending them mail.
It would make more sense to just hard-wire Gmail as WebPKI TLS.
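The inbound setup described a few replies up (a `_mta-sts` TXT record plus a policy file served from an `mta-sts.` subdomain) and the max_age expiry problem raised about Gmail are easiest to see in code. The following is an added example, not code from anyone in this thread or from any mail server project: it parses a constructed TXT record and policy body, applies the RFC 8461 MX wildcard rule, and shows the sender-side decision where a cached policy that has aged past max_age and cannot be refreshed falls back to opportunistic TLS. The domain names and the policy id are made up.

```python
"""Parse an MTA-STS policy and model the max_age expiry discussed above.

Added example (not from the thread). The TXT record and policy text are
constructed samples; the hostnames are not real mail servers.
"""
from dataclasses import dataclass

# Constructed sample inputs (hypothetical domain, hypothetical id).
STS_TXT = "v=STSv1; id=20240101T000000"
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.net
mx: *.mx.example.net
max_age: 86400
"""


@dataclass
class Policy:
    mode: str
    mx: list
    max_age: int
    fetched_at: float  # seconds since epoch when the sender fetched it


def parse_sts_txt(txt: str) -> str:
    """Return the policy id from a _mta-sts.<domain> TXT record.

    The TXT record only signals that a policy exists; a changed id tells a
    sender its cached policy is stale and should be re-fetched over HTTPS."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STSv1 TXT record")
    return fields["id"]


def parse_policy(text: str, fetched_at: float) -> Policy:
    """Parse the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    version, mode, mx, max_age = None, None, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1" or mode not in ("enforce", "testing", "none"):
        raise ValueError("bad policy: version or mode")
    if max_age is None or (mode != "none" and not mx):
        raise ValueError("bad policy: max_age or mx missing")
    return Policy(mode, mx, max_age, fetched_at)


def mx_allowed(policy: Policy, mx_host: str) -> bool:
    """RFC 8461 MX matching: exact match, or a leading "*." standing in for
    exactly one leftmost label (so *.mx.example.net matches a.mx.example.net
    but neither mx.example.net nor b.a.mx.example.net)."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".mx.example.net"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def policy_expired(policy: Policy, now: float) -> bool:
    """A cached policy is usable only for max_age seconds after it was fetched."""
    return now > policy.fetched_at + policy.max_age


def enforce_tls(cached: Policy, now: float, fresh: Policy = None) -> bool:
    """Sender-side decision. If a fresh policy was fetched, use it. Otherwise the
    cached one counts only while unexpired; past max_age with no refresh the
    sender is back to unauthenticated, opportunistic TLS."""
    if fresh is not None:
        return fresh.mode == "enforce"
    if policy_expired(cached, now):
        return False
    return cached.mode == "enforce"
```

With a 1-day max_age a sender that last talked to the domain more than 86400 seconds ago and cannot fetch the policy right now (or never fetched one, because it only sends occasionally) gets `enforce_tls(...) == False`, which is the gap the replies above complain about.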
I agree. Microsoft is implementing MTA-STS in the near future too.
They also announced DANE/DNSSEC support:
techcommunity.microsoft.com/t5/exchange-te
It's not really clear why MTA-STS exists beyond internal Google politics. The issues with middleboxes, etc. holding back adoption of DNSSEC for web browsers, etc. don't impact communication between mail servers.
I only implement MTA-STS because it secures inbound mail from Google with a weaker version of WebPKI rather than no authentication at all. It doesn't mean it makes sense. It's Domain Validation without Certificate Transparency so it's trust in DNS with many more trusted parties.
Even if it did enforce CT, it's an entirely reactive mechanism (monitoring) and hardly anyone actually keeps track of all their certificates in a way that they can tell their own Let's Encrypt certificates from an attacker's Let's Encrypt certificates, etc.