
Support MTA-STS out of the box #3590

@jsonn


Context

MTA-STS is the equivalent of HSTS, i.e. a mechanism for a domain to declare that STARTTLS is supported and should be used, even if the initial SMTP exchange is intercepted by bad actors. The protocol is overcomplicated, involving both DNS records and HTTPS, but the necessary glue in DMS is minimal.

Description

Install postfix-mta-sts-resolver as part of the container image. Introduce a new flag, ENABLE_OUTGOING_MTA_STS. If it is set, start /etc/init.d/postfix-mta-sts-resolver and add:

smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix

to /etc/postfix/main.cf.

Alternatives

Running postfix-mta-sts-resolver in a separate container is possible, but messy. The current (temporary) workaround is doing it in user-patches.sh.

Applicable Users

Anyone sending mail to Gmail and Outlook.

Are you going to implement it?

Yes, because I know the probability of someone else doing it is low and I can learn from it.

What are you going to contribute?

If no one beats me to it, I'll sort out the necessary changes, but the description is pretty much all that is needed besides documentation.
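To make the "DNS plus HTTPS" shape of MTA-STS and the socketmap glue in the proposal concrete, here is an added, offline walk-through of what a resolver behind `smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix` has to do: parse the `_mta-sts` TXT record, parse the policy file fetched over HTTPS, apply the RFC 8461 MX matching rule, and frame the answer as a socketmap netstring reply for Postfix. This is example code written for this page, not code from DMS or from postfix-mta-sts-resolver. The TXT record and policy text are constructed sample data standing in for the real DNS and HTTPS fetches, and the decision to answer `NOTFOUND` for `testing`/`none` policies (so Postfix falls back to `smtp_tls_security_level`) is this example's own choice, not a statement of what the real resolver returns.

```python
"""Offline MTA-STS walk-through: TXT record -> policy file -> Postfix TLS
policy -> socketmap reply.  Example code for this page, not DMS's or
postfix-mta-sts-resolver's own code; inputs are constructed."""
import re
from typing import Optional

# Constructed sample data (assumption): what _mta-sts.example.com TXT and
# https://mta-sts.example.com/.well-known/mta-sts.txt would return.
SAMPLE_TXT = "v=STSv1; id=20240101T000000;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_sts_txt(txt: str) -> dict:
    """Parse the _mta-sts TXT record (RFC 8461 s3.1): 'v=STSv1; id=...'.
    The id only signals whether a cached policy is stale; the policy
    itself is never carried in DNS."""
    fields = {}
    for kv in txt.split(";"):
        if kv.strip():
            key, sep, value = kv.strip().partition("=")
            if not sep:
                raise ValueError("malformed TXT field: %r" % kv)
            fields[key] = value
    if fields.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("not a valid STSv1 TXT record")
    return fields


def parse_policy(text: str) -> dict:
    """Parse the HTTPS policy file (RFC 8461 s3.2).  'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("not a valid STSv1 policy")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] == "enforce" and not policy["mx"]:
        raise ValueError("enforce policy without mx entries")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 s4.1: a leading '*' matches exactly one leftmost label, so
    '*.example.com' matches 'mx1.example.com' but neither 'example.com'
    nor 'a.b.example.com'.  Comparison is case-insensitive."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host


def postfix_tls_policy(policy: dict) -> Optional[str]:
    """Map a policy to a smtp_tls_policy_maps value.  Enforce mode becomes
    'secure' with an explicit match list; '*.x' is written in Postfix's
    '.x' suffix form.  Non-enforce modes return None (NOTFOUND) so Postfix
    uses smtp_tls_security_level; that mapping is this example's choice."""
    if policy["mode"] != "enforce":
        return None
    names = [mx[1:] if mx.startswith("*.") else mx for mx in policy["mx"]]
    return "secure match=" + ":".join(names)


def netstring(data: bytes) -> bytes:
    """Netstring framing used by socketmap_table(5): '<len>:<data>,'."""
    return b"%d:%s," % (len(data), data)


def socketmap_reply(request: bytes, txt: str, policy_text: str) -> bytes:
    """Answer one Postfix socketmap request.  Postfix sends the netstring
    '<mapname> <nexthop>' (mapname 'postfix' comes from the
    socketmap:inet:127.0.0.1:8461:postfix setting) and expects a netstring
    'OK <data>', 'NOTFOUND ', 'TEMP <reason>' or 'PERM <reason>'.  The DNS
    and HTTPS fetches are replaced here by the constructed inputs."""
    m = re.fullmatch(rb"(\d+):(.*),", request, re.S)
    if not m or int(m.group(1)) != len(m.group(2)):
        return netstring(b"PERM malformed netstring")
    mapname, _, nexthop = m.group(2).partition(b" ")
    if mapname != b"postfix" or not nexthop:
        return netstring(b"PERM bad request")
    try:
        parse_sts_txt(txt)            # no valid TXT record means no policy
        policy = parse_policy(policy_text)
    except ValueError:
        return netstring(b"NOTFOUND ")
    tls = postfix_tls_policy(policy)
    return netstring(b"NOTFOUND ") if tls is None else netstring(b"OK " + tls.encode())


if __name__ == "__main__":
    print(socketmap_reply(netstring(b"postfix example.com"), SAMPLE_TXT, SAMPLE_POLICY))
```

A real resolver must also fetch the policy over HTTPS with certificate validation (an attacker who can strip STARTTLS can usually also tamper with plain HTTP), cache it for `max_age`, and re-fetch only when the TXT `id` changes; none of that is needed to see why the Postfix side of the glue is a single `smtp_tls_policy_maps` line.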
