Closed wioxjk closed 6 years ago
Article 32 (1) b) EU GDPR (comes into force on 25 May 2018) and §13 (7) German Telemediengesetz (already in force) demand state of the art protections - including encryption - anyway.
The current problem is that http://www.postfix.org/postconf.5.html#smtp_tls_security_level makes it impossible to properly configure postfix: For some domains, one might want to configure dane-only. That's fine. As default configuration one had to use dane with a fallback to verify. (Currently dane falls back to may.) For the time being you would probably have to decide between dane-only for some domains and verify as default configuration.
MTA-STS is based on the assumption that sometimes you would transmit emails without encryption. That would be only allowed if you would enforce the use of PGP or S/MIME and delete all other individual-related data from an email. From my point of view, it makes no sense to build MTA-STS into Postfix. Just always enforce StartTLS and send people their Hardenize link to make them aware of their problems.
This obligation only affects people who process emails from EU citizens. Hopefully some law firms will demand cease and desist declarations and spread fear among lawbreakers.
@Darkspirit I think you are referring to ePR that is also going to come into effect 25 May 2018 - ePR and GDPR should not be confused with each other.
https://www.itgovernance.co.uk/eprivacy-regulation-epr
Anyway, the reason I would like to see MTA-STS check is the reason @Darkspirit is saying. Unfortunately, postfix or other MTAs do not support MTA-STS yet and they do not have an ETA. But providers like Google, Yahoo and Microsoft (in the near future) are already using it.
You can basically say - DANE is per server, and MTA-STS is per domain. So if you have a big organisation you should consider doing both.
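For readers who want to see what an MTA-STS check actually evaluates, here is an added example (not code from Hardenize or from anyone in this thread) that implements the policy parsing and MX-matching rules from RFC 8461: parsing the `_mta-sts.<domain>` TXT record, parsing the policy text served at `https://mta-sts.<domain>/.well-known/mta-sts.txt`, and deciding whether a given MX host is allowed. DNS and HTTPS fetching are deliberately left out; the record and policy below are constructed sample inputs, and the function names are this example's own.

```python
"""MTA-STS (RFC 8461) policy parsing and MX matching.

Added example, not the project's own code. Network fetching is omitted;
the inputs below are constructed samples, not real records.
"""
import re

# Constructed sample inputs (not real DNS data or a real policy).
SAMPLE_TXT_RECORD = "v=STSv1; id=20180524T120000;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""


def parse_sts_txt(record):
    """Parse the `_mta-sts` TXT record into a dict; ValueError if malformed."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed field: %r" % part)
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("not an STSv1 record")
    # RFC 8461: id is 1 to 32 alphanumeric characters; it changes when the policy changes.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("missing or invalid id")
    return fields


def parse_sts_policy(text):
    """Parse the policy file body (key: value lines) and validate required fields."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())  # one pattern per mx line
        else:
            policy[key] = value  # unknown keys are kept but ignored by the checks
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("missing or invalid max_age")
    if not 0 <= policy["max_age"] <= 31557600:  # RFC 8461 upper bound (one year)
        raise ValueError("max_age out of range")
    if not policy["mx"]:
        raise ValueError("at least one mx pattern is required")
    return policy


def mx_matches(mx_host, pattern):
    """Case-insensitive match; a leading '*.' matches exactly one label."""
    host = mx_host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.net"
        if not host.endswith(suffix):
            return False
        prefix = host[: -len(suffix)]
        return bool(prefix) and "." not in prefix  # single label only
    return host == pattern


def mx_allowed(policy, mx_host):
    return any(mx_matches(mx_host, p) for p in policy["mx"])


def evaluate_delivery(policy, mx_host, tls_ok):
    """What a sending MTA should do for this MX under the policy mode.

    'deliver'        : MX allowed and TLS validated
    'fail'           : enforce mode and validation failed (do not deliver to this MX)
    'deliver-report' : testing mode, deliver anyway but report the failure (TLSRPT)
    """
    if mx_allowed(policy, mx_host) and tls_ok:
        return "deliver"
    if policy["mode"] == "enforce":
        return "fail"
    return "deliver-report" if policy["mode"] == "testing" else "deliver"


if __name__ == "__main__":
    txt = parse_sts_txt(SAMPLE_TXT_RECORD)
    pol = parse_sts_policy(SAMPLE_POLICY)
    print("policy id", txt["id"], "mode", pol["mode"])
    for mx in ("mail.example.com", "mx1.backup.example.net", "rogue.example.org"):
        print(mx, "->", evaluate_delivery(pol, mx, tls_ok=True))
```

The wildcard handling is the part most implementations get wrong: `*.backup.example.net` must accept `mx1.backup.example.net` but reject both `backup.example.net` itself and `a.b.backup.example.net`. A real checker would also compare the TXT `id` against the cached policy to decide whether to refetch, and validate the HTTPS certificate of the `mta-sts` host before trusting the policy body.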
@wioxjk Yes, we will be adding support for MTA-STS when the specification stabilises. I check their progress occasionally; the last time I did I felt they were still making substantial changes.
Just a quick update: MTA-STS has been approved and we'll be looking at it shortly.
Great! Looking forward to testing it :)
Here it is: https://www.hardenize.com/blog/mta-sts Bug reports welcome! :)
Do you plan to implement MTA-STS check too?
https://aykevl.nl/apps/mta-sts/ https://www.ietf.org/proceedings/98/slides/slides-98-uta-sts-update-00.pdf https://datatracker.ietf.org/doc/draft-ietf-uta-mta-sts/