I forget why I was prompted to look at MTA-STS. But checking email with MTA-STS in the subject on postfix-users seems to indicate a consensus that it's not all that useful, but Google uses it so that they can avoid implementing DNSSEC due to the very large number of MTA servers they support and the need to sign all those generated-on-the-fly DNS responses that load balance among them.

But does MTA-STS actually work in the absence of DNSSEC? If a MITM can forge the DNS MX record, why can't they return NXDOMAIN for the same domain when asked for _mta-sts at the same domain? If so, the sending host sees no MTA-STS policy, never fetches anything from the web site, and happily delivers mail to the MITM to read and relay. Am I missing something? Is Google's use of MTA-STS without DNSSEC at all useful?

Also, how does MTA-STS not violate the "publicly-referenced SMTP server MUST NOT require .. STARTTLS" in RFC 2487 and RFC 3207? (Which imho should be fixed to remove that restriction.)

Curtis

_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
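The sender-side behaviour the post is asking about can be worked through in code. The following is an added example, not code from the post or from Postfix: a simplified RFC 8461 sender that discovers the `_mta-sts` TXT record, fetches the policy file from `https://mta-sts.<domain>/.well-known/mta-sts.txt`, caches it for `max_age` seconds, and checks a candidate MX host against the cached policy. The resolver and HTTPS fetcher are replaced by constructed in-memory stand-ins (the domain `example.com`, the policy text and the host `relay.rogue.example` are all made up for the demonstration), so it runs offline. The `scenario()` function plays out the three cases that matter: a sender with no cached policy whose `_mta-sts` query is answered NXDOMAIN, a sender that already holds an unexpired cached policy when the same thing happens, and a sender whose cached policy has passed `max_age`.

```python
"""Simplified MTA-STS sender logic (RFC 8461): TXT discovery, policy cache, MX check.
Added example with constructed inputs; not the project's code."""
from dataclasses import dataclass

POLICY_URL = "https://mta-sts.{domain}/.well-known/mta-sts.txt"


@dataclass
class Policy:
    policy_id: str
    mode: str           # "enforce", "testing" or "none"
    mx: list            # MX patterns such as "mx1.example.com" or "*.backup.example.com"
    max_age: int        # cache lifetime in seconds
    fetched_at: float   # time the policy was fetched (epoch seconds)

    def expired(self, now):
        return now >= self.fetched_at + self.max_age


def parse_sts_txt(txt):
    """Return the policy id from a '_mta-sts' TXT record, or None if it is not a valid STSv1 record."""
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy_file(text, policy_id, now):
    """Parse the policy file served over HTTPS; raises ValueError on a malformed policy."""
    version, mode, max_age, mx = None, None, None, []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "max_age":
            max_age = int(value)
        elif key == "mx":
            mx.append(value.lower().rstrip("."))
    if version != "STSv1" or mode not in ("enforce", "testing", "none") or max_age is None:
        raise ValueError("incomplete or unsupported policy")
    return Policy(policy_id, mode, mx, max_age, now)


def mx_matches(pattern, host):
    """RFC 8461 MX matching: exact match, or a '*.' pattern matching exactly one leading label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".", 1)
        return len(labels) == 2 and labels[1] == pattern[2:]
    return host == pattern


class StsSender:
    def __init__(self, resolve_txt, fetch_url):
        self.resolve_txt = resolve_txt  # name -> TXT string, or None for NXDOMAIN / no record
        self.fetch_url = fetch_url      # url -> response body, or None on failure
        self.cache = {}                 # domain -> Policy

    def policy_for(self, domain, now):
        cached = self.cache.get(domain)
        if cached is not None and cached.expired(now):
            cached = None
        txt = self.resolve_txt("_mta-sts." + domain)
        policy_id = parse_sts_txt(txt) if txt else None
        if policy_id is None:
            # No usable TXT answer (NXDOMAIN, no record, or a forged answer): an unexpired
            # cached policy stays in force; with nothing cached the sender has no policy at all.
            return cached
        if cached is not None and cached.policy_id == policy_id:
            return cached
        body = self.fetch_url(POLICY_URL.format(domain=domain))
        if body is None:
            return cached
        try:
            policy = parse_policy_file(body, policy_id, now)
        except ValueError:
            return cached
        self.cache[domain] = policy
        return policy

    def mx_allowed(self, domain, mx_host, now):
        """True if delivery to mx_host is permitted for domain under the applicable policy."""
        policy = self.policy_for(domain, now)
        if policy is None or policy.mode != "enforce":
            return True  # no enforced policy: plain opportunistic STARTTLS behaviour applies
        return any(mx_matches(p, mx_host) for p in policy.mx)


# Constructed stand-ins for DNS and HTTPS (not real records or hosts).
GENUINE_TXT = {"_mta-sts.example.com": "v=STSv1; id=20240101T000000"}
GENUINE_POLICY = "version: STSv1\nmode: enforce\nmx: mx1.example.com\nmx: *.backup.example.com\nmax_age: 604800\n"


def genuine_resolver(name):
    return GENUINE_TXT.get(name)


def forged_resolver(name):
    return None  # every _mta-sts query answered as though the name did not exist


def genuine_fetcher(url):
    return GENUINE_POLICY if url == POLICY_URL.format(domain="example.com") else None


def scenario():
    """(first contact, cached policy, cache expired): is delivery to an unlisted host allowed?"""
    now = 1_700_000_000
    fresh = StsSender(forged_resolver, genuine_fetcher)
    first_contact = fresh.mx_allowed("example.com", "relay.rogue.example", now)
    warmed = StsSender(genuine_resolver, genuine_fetcher)
    warmed.mx_allowed("example.com", "mx1.example.com", now)  # honest exchange fills the cache
    warmed.resolve_txt = forged_resolver
    with_cache = warmed.mx_allowed("example.com", "relay.rogue.example", now + 3600)
    after_expiry = warmed.mx_allowed("example.com", "relay.rogue.example", now + 604800 + 1)
    return first_contact, with_cache, after_expiry


if __name__ == "__main__":
    print(scenario())  # (True, False, True)
```

The result shows where the DNSSEC-free design stands: on first contact with nothing cached, a sender that is told NXDOMAIN has no policy and falls back to opportunistic STARTTLS, which is exactly the gap described above. Once a policy has been fetched and cached, RFC 8461 has the sender keep applying it until `max_age` elapses, so a later NXDOMAIN answer no longer removes the MX restriction; a long `max_age` and regular refreshes of the cached policy are what shrink the unprotected window, and when the cache does expire the sender is back to the first-contact case.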
