On Fri, May 14, 2021 at 03:27:07PM +0200, Kaspar Etter wrote:
> 9. RFC 8461 states explicitly that MTA-STS may not override a failed
> DANE validation. As far as I can tell, it isn't specified anywhere
> whether DANE may override a failed MTA-STS validation. In my opinion,
> this would be desirable because it would allow domain owners to
> configure transport security without the support of their email
> service provider:
> https://explained-from-first-principles.com/email/#coexistence-with-dane
One more thing. This is not entirely surprising, since the DANE spec
came out well before MTA-STS. If Postfix were to officially support
MTA-STS (as opposed to bolted-on external TLS policy tables), then
I'd probably have to implement a more advanced logic for policy
selection, where DANE is used when applicable, else MTA-STS is used
when applicable, ...
It is unlikely I'd implement support for both on the same connection, as
that would make the TLS setup logic rather too complex. The two may
imply different SNI choices, require different APIs for chain
validation, ... so I just don't see much opportunity for realistic
conflict. The client will typically pick just one security mechanism to
apply up front, and succeed or fail the connection based on that.
--
Viktor.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
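The "DANE when applicable, else MTA-STS when applicable" selection described in the reply above, written out as an added illustration; it is not Postfix code or anything the posters wrote, and the types, field names and the "opportunistic" fallback label are assumptions made here for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class MxHostInfo:
    """Constructed snapshot of what a client knows before it connects (assumed shape)."""
    host: str
    tlsa_state: str           # "secure" = DNSSEC-validated usable TLSA records, else "absent"
    sts_mode: Optional[str]   # MTA-STS policy mode for the recipient domain, or None

def select_mechanism(mx: MxHostInfo) -> str:
    """Pick exactly one mechanism up front, in the order the reply describes."""
    # DANE applies when DNSSEC-validated TLSA records exist for this MX host.
    if mx.tlsa_state == "secure":
        return "dane"
    # Otherwise an MTA-STS policy in enforce mode applies.
    if mx.sts_mode == "enforce":
        return "mta-sts"
    # Neither applies: unauthenticated (opportunistic) TLS or cleartext.
    return "opportunistic"

def connection_outcome(mechanism: str, tls_ok: bool, auth_ok: bool) -> str:
    """Deliver or defer based only on the chosen mechanism's own verification result.

    No second mechanism is consulted after a failure, which is what keeps
    MTA-STS from ever overriding a failed DANE validation (RFC 8461).
    """
    if mechanism == "opportunistic":
        return "deliver"            # nothing to authenticate against
    if tls_ok and auth_ok:
        return "deliver"
    return "defer"                  # authenticated mechanism failed: do not fall back

def evaluate(mx: MxHostInfo, tls_ok: bool, auth_ok: bool) -> Tuple[str, str]:
    """Combine selection and outcome for one delivery attempt."""
    mechanism = select_mechanism(mx)
    return mechanism, connection_outcome(mechanism, tls_ok, auth_ok)

if __name__ == "__main__":
    # Constructed scenario: DANE and an enforce-mode MTA-STS policy both exist,
    # but the DANE chain check fails. The policy does not rescue the connection.
    both = MxHostInfo("mx1.example.invalid", "secure", "enforce")
    print(evaluate(both, tls_ok=True, auth_ok=False))   # ('dane', 'defer')
```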