
The SMTP MTA Strict Transport Security RFC 8461, 2 clearly states that:

> However, MTA-STS is designed not to interfere with DANE deployments when the two overlap; in particular, senders who implement MTA-STS validation MUST NOT allow MTA-STS Policy validation to override a failing DANE validation.

Currently it seems that with the following Postfix configuration the MTA-STS overrides DANE (RFC 6698) validation when the recipient has implemented both, as discussed in the mta-sts-daemon's issue #67, and DANE is only used if the domain is explicitly listed in the first matching smtp_tls_policy_maps (/etc/postfix/tls_policy) as dane-only.

```
# Opportunistic DANE TLS
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec

# MTA-STS
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_policy_maps =
    hash:/etc/postfix/tls_policy,
    socketmap:inet:127.0.0.1:8461:postfix
```

Has anyone found a way to configure Postfix in an RFC 8461-compliant way, i.e., so that MTA-STS policy validation through mta-sts-daemon cannot change the policy maps for domains that have both technologies enabled? Would this require an additional external "dane-daemon" providing dane-only smtp_tls_policy_maps for domains that have DANE enabled?

Esa Jokinen
  • I wonder if the simplest workaround possible - prepending another socketmap that returns dane-only or NOTFOUND depending on a single dns query - would miss any edge cases. – anx May 22 '22 at 15:47
  • Experts in these technologies usually answer such questions on the Postfix mailing list at postfix-users@postfix.org. – glts May 22 '22 at 16:47
  • @anx: Good suggestion. Although it is not a single DNS query, but a result of a few, as described in [RFC 7672, 2.2.3](https://datatracker.ietf.org/doc/html/rfc7672#section-2.2.3). But the socketmap service could return `dane-only` if TLSA records for the MX servers are present, which should fix the problem. – Esa Jokinen May 22 '22 at 17:55
  • @anx: That's why the policy resolver should respond with `dane-only` (instead of `dane`); "Mandatory DANE TLS. This is just like `dane` above, but DANE TLSA authentication is required. There is no fallback to `may` or `encrypt` when TLSA records are missing or unusable." – Esa Jokinen Dec 18 '22 at 08:55
  • @EsaJokinen Indeed. I was wrong; [`dane-only` *does* ensure](https://github.com/vdukhovni/postfix/blob/17f9ea2314a4503c07f1035cfd26771f3fcd0a58/postfix/src/smtp/smtp_tls_policy.c#L789) its documented behaviour to defer instead, even in the "found but none usable" case. – anx Dec 18 '22 at 10:51
  • I added [a comment](https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67#issuecomment-1359686072) to a related issue on GitHub / Snawoot / [postfix-mta-sts-resolver](https://github.com/Snawoot/postfix-mta-sts-resolver/). – Esa Jokinen Dec 20 '22 at 16:34
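The workaround discussed in the comments above, as an added example that is not part of the original post or of postfix-mta-sts-resolver: a small Postfix socketmap server, meant to be listed in `smtp_tls_policy_maps` ahead of the MTA-STS socketmap, that answers `dane-only` for domains whose MX hosts all publish TLSA records and `NOTFOUND` otherwise, so the MTA-STS map is only ever consulted for domains without DANE. The request/reply framing follows socketmap_table(5); the MX and TLSA lookups are injected callables (backed here by constructed sample data) and in production must come from a DNSSEC-validating resolver that reports nothing for unsigned answers, as RFC 7672 requires. The map name `dane`, port 8460 and the "all MX hosts must have TLSA" rule are assumptions of this example.

```python
import socketserver

def netstring(data: bytes) -> bytes:
    """Encode as '<len>:<data>,' (socketmap wire format, socketmap_table(5))."""
    return b"%d:%s," % (len(data), data)

def read_netstring(stream) -> bytes:
    """Read one netstring from a binary stream; raise ValueError if malformed."""
    length = b""
    while (c := stream.read(1)) != b":":
        if not c.isdigit():  # also catches EOF (b"")
            raise ValueError("malformed netstring length")
        length += c
    data = stream.read(int(length))
    if stream.read(1) != b",":
        raise ValueError("missing netstring terminator")
    return data

def dane_policy(domain: str, mx_lookup, tlsa_lookup) -> str:
    """Socketmap reply for one recipient domain.
    mx_lookup(domain) -> MX hostnames; tlsa_lookup(host) -> number of TLSA
    records at _25._tcp.<host>. Both must return a falsy value unless the
    answer was DNSSEC-validated (RFC 7672, 2.2.3: unsigned TLSA is ignored).
    Assumed conservative rule: pin to dane-only only when every MX has TLSA,
    else NOTFOUND so Postfix falls through to the next map (MTA-STS)."""
    hosts = mx_lookup(domain)
    if hosts and all(tlsa_lookup(h) for h in hosts):
        return "OK dane-only"
    return "NOTFOUND "

# Constructed sample DNS data (assumed, not real zones) for an offline run.
SAMPLE_MX = {"example.org": ["mx1.example.org", "mx2.example.org"],
             "mixed.test": ["a.mixed.test", "b.mixed.test"]}
SAMPLE_TLSA = {"mx1.example.org": 2, "mx2.example.org": 1, "a.mixed.test": 1}

def reply_for(key: bytes) -> bytes:
    """Framed reply for the raw lookup key Postfix sent (a recipient domain)."""
    domain = key.decode("ascii", "replace").rstrip(".").lower()
    return netstring(dane_policy(domain, SAMPLE_MX.get, SAMPLE_TLSA.get).encode())

class SocketmapHandler(socketserver.StreamRequestHandler):
    def handle(self):  # Postfix reuses one connection for many lookups
        while True:
            try:
                _name, _, key = read_netstring(self.rfile).partition(b" ")
            except ValueError:  # EOF or garbage: drop the connection
                return
            self.wfile.write(reply_for(key))
            self.wfile.flush()

if __name__ == "__main__":  # assumed listen address for the socketmap
    socketserver.TCPServer(("127.0.0.1", 8460), SocketmapHandler).serve_forever()
```

With this running, prepend `socketmap:inet:127.0.0.1:8460:dane` to the `smtp_tls_policy_maps` list from the question, ahead of the MTA-STS socketmap, so its `dane-only` answer is the first match for DANE-enabled domains.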

0 Answers