I wonder how long it'll be before large companies require DNSSEC (and verify) + TLS for delivering email 2FA codes.
My guess is never, despite the relative ease that those codes can be spied upon.
Need TLSA records (DANE) in addition to DNSSEC to provide TLS authentication for email.
MTA-STS is a much weaker approach. It requires DNS records and an HTTPS web server from which it fetches an mta-sts.txt file, similar to dynamic (no preload) HSTS if you only used http:// URLs.
Yes, I was thinking of mentioning TLSA records, but so many people don't even do the few I mentioned. (I have TLSA records deployed for my mail server, but I don't know whether my MTA will check and verify the TLSA record.)
Enabling it for Postfix simply requires setting up unbound as your resolver and then enabling 2 configuration options:
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
This enables opportunistic DANE, which uses it when there are TLSA records and prevents downgrades.
It's easy to set up for both receiving (single DNS record) and sending (2 painless configuration options). You can use havedane.net to test whether you have working DANE verification for sending mail.
MTA-STS is a pain to set up inbound, and outbound is far worse.
MTA-STS requires you set up a web server for every single domain receiving mail, not just your MX domains, although you do probably also need it for your MX domains since that's where error emails are normally set as originating. We have one MX domain (mail.grapheneos.org), but there are a dozen domains able to send email. The important ones are grapheneos.org (what we use for our own accounts), mail.grapheneos.org (errors, etc.), attestation.app (alert emails) and discuss.grapheneos.org (email confirmations, notifications).
So each one of those needs to have a web server at mta-sts.domain.tld serving /.well-known/mta-sts.txt such as mta-sts.attestation.app/.well-known/mt and each one of them needs an _mta-sts record with an incrementing id for the file. It should really just be DNSSEC + 1 TXT record as a boolean.
That would also be secure, unlike the mess they created. We don't use outbound MTA-STS verification but rather we hard-wire WebPKI TLS authentication for gmail.com, google.com and other major services manually. MTA-STS is less secure and impractical.
There's an MTA-STS implementation for Postfix but it downgrades the security of DANE because domains pass if DANE verification fails if they provide valid MTA-STS. It also just won't work well. Look at mta-sts.gmail.com/.well-known/mt. Google invented this and yet they only do 24h...
So if you don't send mail to gmail.com at least once every 24h, it will expire and revert to the insecure check to see if it can fetch the mta-sts.txt file, where it fails open and allows an insecure connection without authentication if anything about that fails.
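As an added illustration (not code from anyone in the thread), a Python sketch of the policy mechanics discussed above: parsing the _mta-sts TXT record and the mta-sts.txt file, and the cache-expiry decision that makes a 24h max_age fail open when the policy cannot be refetched. All hostnames and record values are constructed.

```python
# Constructed sample in the mta-sts.txt format; max_age 86400 is the 24h value mentioned in the thread.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.org
mx: *.backup.example.org
max_age: 86400
"""

def txt_record_id(txt):
    """Return the id from a _mta-sts TXT record such as 'v=STSv1; id=20240101' (constructed value)."""
    parts = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if parts.get("v") != "STSv1" or not parts.get("id"):
        raise ValueError("not an STSv1 record")
    return parts["id"]

def parse_policy(text):
    """Parse an MTA-STS policy into a dict; raise ValueError on anything malformed."""
    fields, mx = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if mode != "none" and not mx:
        raise ValueError("enforce/testing policy lists no mx")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("missing or non-integer max_age")
    return {"mode": mode, "mx": mx, "max_age": int(fields["max_age"])}

def is_fresh(policy, fetched_at, now):
    """A cached policy may only be applied within max_age seconds of its fetch."""
    return now - fetched_at < policy["max_age"]

def sender_mode(cached, fetched_at, now, refetch_ok):
    """Enforce while the cache is fresh; once it expires, a failed refetch leaves only unauthenticated
    opportunistic TLS, the fail-open described in the thread (a successful refetch is assumed to yield enforce)."""
    if cached is not None and is_fresh(cached, fetched_at, now):
        return "enforce" if cached["mode"] == "enforce" else "opportunistic"
    return "enforce" if refetch_ok else "opportunistic"
```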