
FYI, Recent change in Postfix 3.10.5 and later #116

@wietse-postfix

Description

I recently added a new Postfix feature smtp_tls_enforce_sts_mx_patterns (default: yes) to improve STS support. This uses the TLSRPT attributes that postfix-tlspol sends to Postfix 3.10 and later when postfix-mta-sts-resolver's TLSRPT support is enabled. This works even if Postfix TLSRPT support is disabled at build time or at run time.

Citing from https://www.postfix.org/postconf.5.html#smtp_tls_enforce_sts_mx_patterns

Transform the TLS policy from an STS policy plugin: connect to an MX host only if its name matches any STS policy MX host pattern, and match the server certificate against the MX hostname.
[...]
Without the above configuration settings for Postfix and STS plugins, the old behavior stays in effect: connect to any MX host listed in DNS, and match a server certificate against any STS policy MX host pattern.

This feature is available in Postfix ≥ 3.10.5.

Postfix enables this by default because the new behavior is closer to the intention of STS.
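A small Python model of the two behaviours described above, added here as an illustration (it is not Postfix or postfix-tlspol code). It assumes the RFC 8461 MX pattern rules, where a leading "*." matches exactly one DNS label, and uses constructed MX hosts and policy patterns.

```python
"""Model of STS MX-pattern handling before and after smtp_tls_enforce_sts_mx_patterns.

Added illustration, not Postfix code. Pattern semantics follow RFC 8461:
a pattern is either an exact hostname or "*." + domain, where "*" matches
exactly one DNS label; comparison is case-insensitive and ignores a trailing dot.
"""

# Constructed sample data: what DNS says vs. what the STS policy allows.
DNS_MX_HOSTS = ["mx1.example.com", "mx2.example.com", "backup.example.net"]
STS_MX_PATTERNS = ["*.example.com"]


def mx_matches_pattern(mx_host: str, pattern: str) -> bool:
    """True if an MX hostname matches one STS policy 'mx:' pattern."""
    mx = mx_host.rstrip(".").lower()
    pat = pattern.rstrip(".").lower()
    if pat.startswith("*."):
        suffix = pat[1:]                      # "*.example.com" -> ".example.com"
        if not mx.endswith(suffix):
            return False
        label = mx[: -len(suffix)]            # the part the "*" has to cover
        return label != "" and "." not in label  # exactly one label, never empty
    return mx == pat


def plan_connections(dns_mx_hosts, sts_mx_patterns, enforce_sts_mx_patterns=True):
    """Return [(mx_host, names the server certificate must match), ...].

    enforce_sts_mx_patterns=True  models the new default (Postfix >= 3.10.5):
        connect only to MX hosts matching a policy pattern, and verify the
        certificate against that MX hostname.
    enforce_sts_mx_patterns=False models the old behaviour: connect to every
        MX host from DNS, and verify the certificate against any policy pattern.
    """
    plan = []
    for mx in dns_mx_hosts:
        if enforce_sts_mx_patterns:
            if any(mx_matches_pattern(mx, p) for p in sts_mx_patterns):
                plan.append((mx, [mx]))
        else:
            plan.append((mx, list(sts_mx_patterns)))
    return plan


def demo():
    """Both plans for the constructed data; the stale backup MX is only skipped under the new behaviour."""
    return {
        "new": plan_connections(DNS_MX_HOSTS, STS_MX_PATTERNS, True),
        "old": plan_connections(DNS_MX_HOSTS, STS_MX_PATTERNS, False),
    }
```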
