On Tue, Mar 31, 2026 at 08:14:51AM -0400, Curtis Villamizar via Postfix-users
wrote:
> But does MTA-STS actually work in the absence of DNSSEC?
The cynical view would be that this is an effective fig-leaf, that makes
it possible to shirk the work required to support DANE. Less cynically,
one might say that it plausibly works for mail *between* the large
providers that support it, but is brittle otherwise.
> If a MITM
> can forge the DNS MX record why can't they return NXDOMAIN for the
> same domain when asked for _mta-sts at the same domain?
They can, MTA-STS policy discovery is not downgrade-resistant. Once a
policy is cached, it is harder to downgrade, and if refreshed eagerly
and traffic to the destination is regular enough, perhaps somewhat
effective.
> If so the sending host sees no MTA-STS policy, never fetches anything
> from the web site, and happily delivers mail to the MITM to read and
> relay.
Correct.
> Am I missing something? Is Google's use of MTA-STS without DNSSEC at
> all useful?
The policy cache is supposed to facilitate policy continuity, the client
system needs to get many things "right" for this to remain a robust
mechanism across multiple policy "age" limits (often set to just 1 day
by the major players).
> Also how does MTA-STS not violate the "publicly-referenced SMTP server
> MUST NOT require .. STARTTLS" in rfc2487 and rfc3207. (Which imho
> should be fixed to remove that restriction.)
They don't *require* STARTTLS, they also accept mail in the clear.
MTA-STS just asks clients to deliver over authenticated TLS, sort
of like DANE, but without downgrade resistance, and with a much more
complex deployment model for an MX hosting many domains.
--
Viktor. 🇺🇦 Слава Україні!
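The behaviour discussed above, discovery that is not downgrade-resistant but an unexpired cached policy that still applies, as an added example that is not part of this thread or of Postfix: a sender-side model of RFC 8461 policy lookup in which DNS and HTTPS lookups are replaced by constructed in-memory values, and the helper names (parse_policy, resolve_policy, mx_matches, mx_allowed) are this example's own.

```python
# Added example: sender-side MTA-STS (RFC 8461) policy cache model. DNS and
# HTTPS results are passed in as constructed values so it runs offline.

def parse_policy(text):
    """Parse the key: value file served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        elif key == "max_age":
            policy[key] = int(value)
        elif key in ("version", "mode"):
            policy[key] = value
    return policy

def resolve_policy(domain, now, dns_txt, https_body, cache):
    """Return the policy to apply for `domain`, or None (no policy, so the
    sender falls back to opportunistic TLS). dns_txt is the _mta-sts.<domain>
    TXT value (None models NXDOMAIN); https_body is the policy file text or
    None if the fetch failed; cache is {domain: (policy, fetched_at)}."""
    cached = cache.get(domain)
    fresh = cached[0] if cached and now - cached[1] < cached[0].get("max_age", 0) else None
    if dns_txt is None:
        return fresh          # discovery blocked: only an unexpired cache helps
    fields = dict(f.strip().split("=", 1) for f in dns_txt.split(";") if "=" in f)
    if fields.get("v") != "STSv1":
        return fresh
    if fresh and fresh["id"] == fields.get("id"):
        return fresh          # id unchanged: no refetch needed
    if https_body is None:
        return fresh          # fetch failed: keep the cached policy, if any
    policy = parse_policy(https_body)
    policy["id"] = fields.get("id")
    cache[domain] = (policy, now)
    return policy

def mx_matches(pattern, host):
    """RFC 8461 mx matching: '*.example.net' covers exactly one extra label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern

def mx_allowed(policy, mx_host):
    """In enforce mode, only MX hosts matching a policy pattern may be used."""
    if policy is None or policy.get("mode") != "enforce":
        return True
    return any(mx_matches(p, mx_host) for p in policy["mx"])
```

Calling resolve_policy with a cold cache and dns_txt=None returns None, which is the case the thread describes; the same call after a successful fetch keeps returning the cached policy until max_age has elapsed.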