Add support for RFC 8461: SMTP MTA Strict Transport Security (MTA-STS)
SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.
Abstract from RFC: https://tools.ietf.org/html/rfc8461
Some organizations or governments require or prefer the implementation of either DANE or MTA-STS.
Wijbren de Vries / www.mailreport.eu commented
And the reporting part, RFC 8460
Michael K commented
There are a number of changes that could be included under this suggestion:
1. Support enforcing MTA-STS for mail being sent from Office 365 to Third Party Domains.
2. Permit Office 365 users to publish an MTA-STS policy for their own domains.
I have been publishing this MTA-STS policy since September 2018 without issue.
Confirmation from Microsoft that the certificates will always be *.mail.protection.outlook.com, and some brief documentation about MTA-STS, would enable users to turn a similar policy on immediately and without significant (or any) changes on Microsoft's side.
I do not see any benefit in using Policy Delegation (https://tools.ietf.org/html/rfc8461#section-8.2) unless the certificate domain is expected to change. Operationally, having Microsoft generate certificates for mta-sts.<my domain> is going to be painful for everybody, and given that it was never done for Autodiscovery, Sharepoint, etc., I believe that it is not planned for MTA-STS.
So permitting MTA-STS policies to be published should be a quick win on the second element. As Microsoft were one of the authors of the RFC, I'm surprised it has not been implemented yet.
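To make concrete what "publishing an MTA-STS policy" for a domain whose MX hosts are certified under *.mail.protection.outlook.com involves, here is an added example (not code from the thread, Microsoft or the RFC) that parses an RFC 8461 policy file and checks MX hostnames against its `mx:` patterns, including the rule that a wildcard covers exactly one leftmost label. The sample policy text is constructed for the example; the Office 365 hostname pattern is the one quoted in the comment above.

```python
"""Parse an MTA-STS policy (RFC 8461 section 3.2) and validate MX hosts against it."""
import re

# Constructed sample policy, modelled on what a tenant on *.mail.protection.outlook.com
# might serve at https://mta-sts.<domain>/.well-known/mta-sts.txt (assumed, not fetched).
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: *.mail.protection.outlook.com\r\n"
    "max_age: 604800\r\n"
)

MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age MUST NOT exceed 31557600 seconds (one year)
SINGLE_VALUE_FIELDS = ("version", "mode", "max_age")


def parse_policy(text):
    """Return {'version', 'mode', 'mx': [...], 'max_age'}; raise ValueError if malformed."""
    fields = {"mx": []}
    for raw in re.split(r"\r?\n", text):  # lines end in CRLF or LF
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("missing ':' in line %r" % line)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            fields["mx"].append(value.lower())  # mx may repeat; matching is case-insensitive
        elif key in SINGLE_VALUE_FIELDS and key in fields:
            raise ValueError("duplicate field %r" % key)
        else:
            fields[key] = value  # unknown extension fields are kept but otherwise ignored
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode %r" % fields.get("mode"))
    if not fields.get("max_age", "").isdigit() or int(fields["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError("invalid max_age")
    fields["max_age"] = int(fields["max_age"])
    if fields["mode"] != "none" and not fields["mx"]:
        raise ValueError("mode %s requires at least one mx pattern" % fields["mode"])
    return fields


def mx_matches(pattern, hostname):
    """RFC 8461 section 4.1: exact match, or '*.' covering exactly one leftmost label."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return hostname == pattern


def mx_allowed(policy, hostname):
    """True if the MX hostname is permitted by at least one mx pattern in the policy."""
    return any(mx_matches(p, hostname) for p in policy["mx"])
```

A sending MTA in enforce mode would additionally require the MX to present a certificate valid for that hostname before delivering; this example covers only the policy and hostname checks.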
Glenn Mckenna commented
Do we have an update on this?
Like a target roll-out?