On 2018-04-16 at 11:45 -0700, Ned Freed wrote:
> AFAIK this does not happen in MTA-STS, that is, at no time is the MX hostname
> obtained from the DNS checked against the "mx" list from the MTA-STS policy.
> Rather, the DNS-ID of the certificate returned by the server is checked against
> the "mx" list from the MTA-STS policy. This means that the mx hostnames may not
> align with the certificates.
>
> If you believe otherwise, I'd appreciate a pointer to where in the
> specification it says that MX hostnames are supposed to be checked against
> the "mx" list.

I missed that somewhere between draft -02 and draft -15 this text was changed and the requirement downgraded. That's a depressing change.

-Phil