How to test successful postfix-mta-sts-resolver setup? #83

Open · dilyanpalauzov opened this issue Jan 10, 2022 · 5 comments
Labels: bug (Something isn't working)

Comments

@dilyanpalauzov

I just installed Sendmail 8.17.2 and postfix-mta-sts-resolver. I want to verify my setup by sending to a site which announces MTA-STS support but does not offer STARTTLS. The only site I found was https://mtasts.xyz/ , however its policy cannot be fetched, as the certificates for the web and smtp servers are expired. As such the policy is ignored. The site writes “Please send more suggestions so we can list them here!” and “If you know of anything else similar, please let us know!”, without saying how to contact the site owners.

Please extend the setup instructions for postfix-mta-sts-resolver, clarifying how the setup can be validated. E.g. by mentioning a misconfigured mail domain, which announces MTA-STS, but does not offer MTA-STS.

@dilyanpalauzov dilyanpalauzov added the bug Something isn't working label Jan 10, 2022
@Snawoot (Owner) commented Jan 10, 2022

Hello,

This is already covered for Postfix in README: https://github.com/Snawoot/postfix-mta-sts-resolver#operability-check

I'm not sure about Sendmail because I've never tried it with pmsr, and integration with pmsr in Sendmail is relatively new. I'll leave this issue open; maybe other people can suggest any difference in logs, or anything else that allows validating the correctness of the setup.

@dilyanpalauzov (Author)

To validate the lookup in sendmail one has to call

# sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> /map sts github.com
map_lookup: sts (github.com) no match (68)
> /map sts microsoft.com
map_lookup: sts (microsoft.com) returns secure match=.mail.protection.outlook.com servername=hostname (0)
> 

My question was rather about a site, which on purpose has misconfigured its MTA-STS setup. Thus, when a sender has properly configured MTA-STS for outbound mails, writing to that site will fail.
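The map lookup above reports the result of the policy evaluation (`no match` versus `secure match=…`) but not how it was reached. The following script, added here as an example and not code from postfix-mta-sts-resolver or from the participants in this issue, performs the same evaluation locally: it parses an MTA-STS policy file, applies the RFC 8461 rule for `mx:` wildcards (a `*.` pattern matches exactly one leftmost label), decides whether a delivery to a given set of MX hosts would be `secure`, a `fail` in enforce mode, or only a testing-mode mismatch, and renders the `secure match=` string in the form the sendmail output shows. The policy text and hostnames are constructed inline so it runs offline; a real check would first fetch `https://mta-sts.<domain>/.well-known/mta-sts.txt` and the `_mta-sts.<domain>` TXT record. The rendering of `*.` as a leading dot is an assumption about the resolver's output format, taken from the lookup output above.

```python
"""Local MTA-STS policy evaluation (RFC 8461).

Added example, not code from postfix-mta-sts-resolver. All inputs below are
constructed for illustration so the script runs offline.
"""

# Constructed sample policy (hypothetical; mirrors the match= value in the
# sendmail output above). A real policy is fetched over HTTPS from
# https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800
"""


def parse_policy(text):
    """Parse a policy file into a dict. Raise ValueError when it is malformed,
    which is exactly the case in which a resolver must ignore the policy."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed line: %r" % line)
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid mode")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("no mx entries in a non-none policy")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("missing or invalid max_age")
    return policy


def policy_is_valid(text):
    """True if the policy text parses; False if a resolver would discard it."""
    try:
        parse_policy(text)
        return True
    except ValueError:
        return False


def mx_matches(pattern, hostname):
    """RFC 8461 section 4.1: '*.example.com' matches exactly one leftmost
    label, so 'a.example.com' matches but 'a.b.example.com' and
    'example.com' do not. Non-wildcard patterns must match exactly."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if not hostname.endswith(suffix):
            return False
        left = hostname[: -len(suffix)]
        return bool(left) and "." not in left
    return hostname == pattern


def evaluate(policy, mx_hosts):
    """Return (outcome, matched_pattern) for a delivery to the given MX hosts.
    'fail' is what a sender with enforce-mode policy applied would hit when
    writing to a deliberately misconfigured domain."""
    if policy["mode"] == "none":
        return ("no-policy", None)
    for host in mx_hosts:
        for pattern in policy["mx"]:
            if mx_matches(pattern, host):
                return ("secure", pattern)
    return ("fail" if policy["mode"] == "enforce" else "testing-mismatch", None)


def render_match(policy):
    """Render the 'secure match=...' string in the form the sendmail lookup
    shows. Assumption: '*.' wildcards become a leading dot, entries are
    joined with ':'."""
    entries = [p[1:] if p.startswith("*.") else p for p in policy["mx"]]
    return "secure match=" + ":".join(entries)


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    print(render_match(pol))
    # Constructed MX hostnames: one matching, one not.
    print(evaluate(pol, ["microsoft-com.mail.protection.outlook.com"]))
    print(evaluate(pol, ["mail.example.net"]))
```

To use it against a live domain, replace SAMPLE_POLICY with the fetched policy text and the hostname list with the domain's MX records; the `fail` outcome is what a correctly configured sender should produce for a domain whose MX hosts do not match its enforce-mode policy.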

@Snawoot (Owner) commented Jan 10, 2022

@dilyanpalauzov Ah, now I get it. I was also collaborating with the STARTTLS Everywhere project; there was an idea to build something like https://badssl.com/ but for MTA-STS. It was never implemented, though. It would be nice if somebody made it.

@dilyanpalauzov (Author)

I raised the question on the ietf-smtp mailing list - https://mailarchive.ietf.org/arch/msg/ietf-smtp/59u831ZQlnhGhTmmmcxDwboxZyk/ .

@schildbach
It would help if postfix-mta-sts-resolver would log validations and their outcome, at least one line per validation?
