Score:2

Is it possible to use MTA-STS in Postfix without overriding DANE?

jp flag

The SMTP MTA Strict Transport Security RFC 8461, section 2, clearly states that:

> However, MTA-STS is designed not to interfere with DANE deployments when the two overlap; in particular, senders who implement MTA-STS validation MUST NOT allow MTA-STS Policy validation to override a failing DANE validation.

Currently it seems that with the following Postfix configuration MTA-STS overrides DANE (RFC 6698) validation when the recipient has implemented both, as discussed in the mta-sts-daemon's issue #67, and DANE is only used if the domain is explicitly listed in the first matching smtp_tls_policy_maps (/etc/postfix/tls_policy) as dane-only.

```
# Opportunistic DANE TLS
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec

# MTA-STS
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_policy_maps =
    hash:/etc/postfix/tls_policy,
    socketmap:inet:127.0.0.1:8461:postfix
```

Has anyone found a way to configure Postfix in an RFC 8461 compliant way, i.e., so that MTA-STS policy validation through mta-sts-daemon cannot change the policy maps for domains that have both technologies enabled? Would this require an additional external "dane-daemon" providing dane-only smtp_tls_policy_maps for domains that have DANE enabled?

jp flag
@anx: That's why the policy resolver should respond with `dane-only` (instead of `dane`); "Mandatory DANE TLS. This is just like `dane` above, but DANE TLSA authentication is required. There is no fallback to `may` or `encrypt` when TLSA records are missing or unusable."
fr flag
anx
@EsaJokinen Indeed. I was wrong; [`dane-only` *does* ensure](https://github.com/vdukhovni/postfix/blob/17f9ea2314a4503c07f1035cfd26771f3fcd0a58/postfix/src/smtp/smtp_tls_policy.c#L789) its documented behaviour to defer instead, even in the "found but none usable" case.
jp flag
I added [a comment](https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67#issuecomment-1359686072) to a related issue on GitHub / Snawoot / [postfix-mta-sts-resolver](https://github.com/Snawoot/postfix-mta-sts-resolver/).
fr flag
anx
I wonder if the simplest workaround possible - prepending another socketmap that returns dane-only or NOTFOUND depending on a single DNS query - would miss any edge cases.
us flag
Experts in these technologies usually answer such questions on the Postfix mailing list at [email protected].
jp flag
@anx: Good suggestion. Although it is not a single DNS query, but a result of a few, as described in [RFC 7672, 2.2.3](https://datatracker.ietf.org/doc/html/rfc7672#section-2.2.3). But the socketmap service could return `dane-only` if TLSA records for the MX servers are present, which should fix the problem.
fr flag
anx
One edge case I am thinking of is: *records found but none usable*. Postfix goes to `encrypt` in that case, which would be a downgrade from a potential `secure match=example.com` result from MTA-STS.
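The prepended "DANE socketmap" discussed in the comments above, as an added example that is not from the original thread, from Postfix or from postfix-mta-sts-resolver: it speaks the netstring protocol of socketmap_table(5), answers `dane-only` for a next-hop domain whose DNSSEC-secured MX hosts publish a DNSSEC-secured TLSA RRset (RFC 7672, 2.2.3) and `NOTFOUND` otherwise, so that the MTA-STS map further down the list only decides for domains without DANE. The `lookup` interface, the in-memory zone and port 8460 are assumptions standing in for a validating resolver; the "records found but none usable" edge case is deliberately left to Postfix, since `dane-only` defers there instead of downgrading.

```python
import socketserver
from typing import Callable, List, Tuple
# Assumed resolver interface (not a real library API): lookup(rrtype, name)
# returns (rdata list, secure); secure is True only for a DNSSEC-validated answer.
Lookup = Callable[[str, str], Tuple[List[str], bool]]

def dane_policy(domain: str, lookup: Lookup) -> str:
    """'dane-only' if a DNSSEC-secured MX host has a DNSSEC-secured TLSA RRset
    (RFC 7672 2.2.3); '' means 'no entry', so later maps (MTA-STS) decide."""
    mx, mx_secure = lookup("MX", domain)
    if not mx_secure:
        return ""                         # insecure MX RRset: DANE cannot apply
    for host in (mx or [domain]):         # no MX: implicit MX is the domain itself
        tlsa, tlsa_secure = lookup("TLSA", f"_25._tcp.{host.rstrip('.')}")
        if tlsa and tlsa_secure:          # "found but none usable" is Postfix's
            return "dane-only"            # job: with dane-only it defers, no downgrade
    return ""

def netstring(payload: bytes) -> bytes:
    return b"%d:%s," % (len(payload), payload)

def socketmap_reply(request: bytes, lookup: Lookup) -> bytes:
    """Decoded request '<mapname> <key>' -> reply netstring Postfix expects:
    'OK <value>', 'NOTFOUND ' or 'TEMP <reason>' (socketmap_table(5))."""
    _mapname, _, key = request.decode("ascii", "replace").partition(" ")
    try:
        policy = dane_policy(key.lower().rstrip("."), lookup)
    except Exception as exc:              # resolver failure: let Postfix retry later
        return netstring(b"TEMP " + str(exc).encode())
    return netstring(b"OK " + policy.encode()) if policy else netstring(b"NOTFOUND ")

class SocketmapHandler(socketserver.StreamRequestHandler):
    lookup: Lookup = None                 # set before serving
    def handle(self):                     # Postfix sends many netstrings per connection
        while True:
            digits = b""
            while (c := self.rfile.read(1)) not in (b":", b""):
                digits += c
            if not c or not digits.isdigit():
                return
            payload = self.rfile.read(int(digits))
            self.rfile.read(1)            # trailing ','
            self.wfile.write(socketmap_reply(payload, self.lookup))

# Constructed in-memory zone standing in for a validating resolver.
ZONE = {("MX", "example.com"): (["mx1.example.com."], True),
        ("TLSA", "_25._tcp.mx1.example.com"): (["3 1 1 <constructed>"], True),
        ("MX", "nodane.example"): (["mx.nodane.example."], True)}
demo_lookup: Lookup = lambda rrtype, name: ZONE.get((rrtype, name), ([], False))
if __name__ == "__main__":                # prepend socketmap:inet:127.0.0.1:8460:dane
    SocketmapHandler.lookup = demo_lookup
    socketserver.TCPServer(("127.0.0.1", 8460), SocketmapHandler).serve_forever()
```

With the service listed before the MTA-STS socketmap in `smtp_tls_policy_maps`, a `dane-only` hit ends the lookup, so the MTA-STS resolver never gets to relax the policy for a DANE domain.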