
When using STARTTLS for SMTP, should one trust CAs that are not trusted by major browsers, for example WoSign or StartCom?

As STARTTLS falls back to plaintext, it seems an encrypted transmission via a non-trusted certificate would still be better than just plaintext, right?

architekt

1 Answer


It depends.

Basically you have the choice to:

  • Always require a valid certificate. This obviously means you have to disable fallback to plaintext and enforce TLS use. This will prevent some servers and the people using them from sending you mail.

  • If you can't enforce TLS use, it doesn't make any sense to enforce a valid certificate. An encrypted connection with an invalid certificate is still better than no encryption at all.

If you use the second approach, it makes sense to enforce TLS for some domains. One option is to only allow TLS connections for domains with valid DNSSEC/DANE data. For Postfix this could be set with:

# Inbound side: offer STARTTLS to senders (legacy parameter; on Postfix 2.3+
# the equivalent is "smtpd_tls_security_level = may")
postconf -e "smtpd_use_tls = yes"
# Outbound side: require DNSSEC-validated lookups, which DANE depends on
postconf -e "smtp_dns_support_level = dnssec"
# Outbound side: use DANE where the destination publishes usable TLSA records,
# and fall back to opportunistic TLS where it does not
postconf -e "smtp_tls_security_level = dane"

You can also add some domains which send mails regularly to you to a list and enforce TLS with valid certificates, if you know they support it.

Josef
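The three tiers the answer describes (opportunistic TLS by default, DANE where TLSA records exist, and mandatory verified TLS for selected partner domains) can be combined in one Postfix configuration. The fragment below is an added example, not part of the answer above; the file paths, the CA bundle location and the partner domains example.com and mail.example.net are placeholders, and it assumes Postfix 2.11 or later with a DNSSEC-validating resolver on localhost (DANE is only as trustworthy as the path to that resolver, so use 127.0.0.1, not a remote DNS server).

```conf
# /etc/postfix/main.cf (excerpt)

# Inbound: offer STARTTLS but still accept plaintext, so nobody is locked out.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/smtpd.pem      # placeholder path
smtpd_tls_key_file  = /etc/postfix/smtpd.key      # placeholder path

# Outbound default: DANE where the destination publishes usable TLSA records
# (needs DNSSEC-validated answers), otherwise opportunistic "may" behaviour.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
# CA bundle used for the "secure"/"verify" levels in the policy map below.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt   # placeholder path

# Per-destination overrides take precedence over smtp_tls_security_level.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Log the TLS level actually negotiated per delivery ("Untrusted", "Trusted",
# "Verified") so the effect of the policy can be checked in the mail log.
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy
# Partner that is known to have a publicly trusted certificate:
# require TLS and a chain to smtp_tls_CAfile, and pin the expected name.
example.com        secure match=example.com:.example.com
# Partner that is known to publish TLSA records: fail rather than fall back
# to plaintext if the records are missing or do not match.
mail.example.net   dane-only
```

After editing the policy file run `postmap /etc/postfix/tls_policy` and `postfix reload`; the left-hand column is the next-hop destination (the recipient domain, or the relay host name), not the sender. The `dane` default already does what the answer suggests for DNSSEC/DANE domains, while the policy map is where the "domains which send mails regularly to you" get a stricter level.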