OpenSMTPD / OpenSMTPD

This is official OpenSMTPD Portable repository. Forks, pull requests and other contributions are welcome!
http://www.opensmtpd.org

MTA-STS support #924

Open ArchangeGabriel opened 4 years ago

ArchangeGabriel commented 4 years ago

See e.g. https://www.hardenize.com/blog/mta-sts.

poolpOrg commented 4 years ago

This is a bit controversial.

If this didn't get adopted by Gmail, I would have rejected the feature request because an HTTP client has nothing to do in an SMTP server ... but I'm also realistic and this decision by Google coupled with how easy it is to put a file on a webserver vs setting up DANE may cause MTA-STS to be adopted at large.

I think we should be cautious and not run into this but rather wait a release and see in April 2020, a year after Gmail is pushing for this, if this actually caught up.

Note that we're going to be reworking the MTA layer so starting any work in the MTA layer right now is not sensible anyways.

ArchangeGabriel commented 4 years ago

Yeah, I understand the mixed feelings about HTTP in an SMTP client. Still, HTTP is already required to do OCSP (but I guess this {sh,c}ould be left to the underlying TLS library).

But of course this can wait, for now we don’t even have smtpd 6.4 on Arch (still didn’t have the time to look at libressl packaging), and I personally wait more on being able to plug rspamd with smtpd than supporting MTA-STS.

Hopefully MTA-STS should go away at some point, once TLS will be the only accepted way to deliver email. ;)

kpcyrd commented 4 years ago

Friendly ping, since it is April 2020 now. :) I found this issue after I noticed the EFF is currently pushing for mta-sts as well with https://starttls-everywhere.org/

ichdasich commented 2 years ago

Two years later (quite exactly ;-)), and I thought I'd give this another push. Of course--as with all 'fancy' new mail technology--MTA-STS is 'hardly in the area where you could talk about adoption'; but it would be nice to have in my pursuit of running a mail system doing $all_the_fancy_things.

jezcaudle commented 7 months ago

The UK National Cyber Security Centre recommend this is switched on via their email security check thing that can be found here: https://emailsecuritycheck.service.ncsc.gov.uk

Would love to see it in OpenSMTPd.