The SMTP MTA Strict Transport Security RFC 8461, 2 clearly states that:
However, MTA-STS is designed not to interfere with DANE deployments when the two overlap; in particular, senders who implement MTA-STS validation MUST NOT allow MTA-STS Policy validation to override a failing DANE validation.
Currently it seems that with the following Postfix configuration the MTA-STA overrides DANE (RFC 6698) validation when the recipient has implemented both, as discussed in the mta-sts-daemon's issue #67, and DANE is only used if the domain is explicitly listed in the first matching smtp_tls_policy_maps (/etc/postfix/tls_policy) as dane-only.
# Opportunistic DANE TLS
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
# MTA-STS
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_policy_maps =
hash:/etc/postfix/tls_policy,
socketmap:inet:127.0.0.1:8461:postfix
Has anyone found a way to configure Postfix in a RFC 8461 compliant way, i.e., that MTA-STS policy validation through mta-sts-daemon cannot change the policy maps for domains that have both technologies enabled? Would this require an additional external "dane-daemon" providing dane-only smtp_tls_policy_maps for domains that have DANE enabled?
