Conversation

Replying to

and

There are actually a lot of mail servers with DANE support, particularly in the EU. More likely than not there's DANE available for emails to/from *.nl addresses. Maybe Google will give in and admit it's a good thing after Microsoft has finished deploying it as they announced.

Replying to

and

MTA-STS is actually trash... the Gmail domain only has a 1 day max-age too, so if your server doesn't send email to Gmail for a day it loses the MTA-STS enforcement. I'd set it up for outbound if it didn't downgrade DANE security for domains with both. :\

Replying to

and

It doesn't. MTA-STS is designed not to interfere with DANE deployments when the two overlap.

uriports.com

MTA-STS explained

Google announced that they made email more secure by adopting the new MTA-STS internet standard. But what is MTA-STS and how does it improve security?

Replying to

and

I'm talking about the actual implementation that's available for Postfix, not what it's supposed to do in theory.

github.com

MTA-STS Overrides DANE · Issue #67 · Snawoot/postfix-mta-sts-resolver

I don't know of a good domain to generate a test-case for, sadly, so apologies if this isn't true, but from my understanding of the integration flow, it seems like using this in smt...

Replying to

and

I should have said "It shouldn't, when implemented correctly". Are there no other plugins that do this correctly?

Replying to

and

I don't think so. I have it set up for inbound mail i.e. the DNS records + web server serving a policy via an mta-sta subdomain for each domain with mail support. I don't use it for outbound mail because I'm not willing to downgrade DANE security for it due to that issue.

Replying to

and

Far more mail servers have DANE than MTA-STS. The extremely relevant exception to that is Gmail but they only have 1 day max-age which isn't very good as a small mail server only occasionally sending them mail. It would make more sense to just hard-wire Gmail as WebPKI TLS.

Replying to

and

I agree. Microsoft is implementing MTA-STS in the near future too.

techcommunity.microsoft.com

Exchange Online Transport – Email Security Updates

The Exchange Online Transport team don’t just do plumbing, or delivering email with style, oh no. They do it all while ensuring the security of the data they send and receive is second to none. Come...

Replying to

and

They also announced DANE/DNSSEC support: techcommunity.microsoft.com/t5/exchange-te It's not really clear why MTA-STS exists beyond internal Google politics. The issues with middleboxes, etc. holding back adoption of DNSSEC for web browsers, etc. don't impact communication between mail servers.

techcommunity.microsoft.com

Support of DANE and DNSSEC in Office 365 Exchange Online

Microsoft is committed to providing world-class email security solutions and the support for the latest Internet standards in order to provide advanced email protection for our customers. Today we...

Replying to

and

I only implement MTA-STS because it secures inbound mail from Google with a weaker version of WebPKI rather than no authentication at all. It doesn't mean it makes sense. It's Domain Validation without Certificate Transparency so it's trust in DNS with many more trusted parties.

Replying to

and

Even if it did enforce CT, it's an entirely reactive mechanism (monitoring) and hardly anyone actually keeps track of all their certificates in a way that they can tell their own Let's Encrypt certificates from an attacker's Let's Encrypt certificates, etc.

5:37 AM · Jun 13, 2021Twitter Web App