On 15-05-2021 at 03:53, Eric Germann via mailop wrote:
> I’ve enabled MTA-STS for the domain semperen.com.

Adding DANE and/or MTA-STS configurations is one thing; another is
whether your mail server actually allows (or even signals that it allows
the upgrade to) encrypted connections.

> I see these for various sending-mta-ip’s which I assume are the
> outbound gmail gateways.  What I’m trying to figure out is why there
> is a failed session count.
>
> semperen.com mta-sts passes
> with https://esmtp.email/tools/mta-sts/

Even though the certificate validation passes, this site yells about:

> Added missing ending \r\n to MTA-STS policy for further evaluation
>
> MTA-STS contains lines with no CRLF termination
-> https://datatracker.ietf.org/doc/html/rfc8461#section-3.2

It says, for example:

> This resource contains the following CRLF-separated key/value pairs:
Your MTA-STS policy file seems to be only LF-separated (\n).

> semperen.com mta-sts fails
> with https://aykevl.nl/apps/mta-sts/ .  It throws a certificate
> validation error.

It seems to do strict validation whether or not the SMTP server signals
that it allows STARTTLS.

Since their server never sees the "250-STARTTLS" response from your
server, they won't try it. As such, they don't get the certificates, and
the certificate validation fails as well.

* It seems to be hit-and-miss on your server as to whether the
"250-STARTTLS" response is there or not. Some locations do show it,
others don't.

>
> For the STARTTLS cert I’m using LetsEncrypt.  DANE is also in place.

Some "Operational BCP" (in regards to DANE):

-> https://imrryr.org/~viktor/ICANN61-viktor.pdf [Page 25]
-> http://files.nylug.org/2018/nylug-20181017-dnssec-dane.pdf [Page 46]

says:

> Don't offer STARTTLS selectively to just some clients
But this is exactly what your SMTP server does, and as such, it will
produce mixed ("selective") results, too...

>
> My question is what could be the cause of the failure?
>
> 1. Certificate validation error in the certificate chain
> 2. No reverse DNS for the IPv6 address
>
> The host is in AWS and has a PTR for IPv4 setup correctly.  Not sure
> if you can do a PTR for IPv6 in AWS

A valid and consistent reverse DNS configuration (FcRDNS) does not hurt
for inbound-only mail servers (MX), but it is technically not really
necessary / relevant if the server is "inbound only".

It does, however, become necessary / relevant if those IP(v6) addresses
also have the outbound role and take care of deliveries directly over
those IP(v6) addresses to third parties.

> Received: from smtp.semperen.com (unknown
>  [IPv6:2600:1f16:940:9420:c0eb:3db8:9c94:df05])
>  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
>  (No client certificate requested)
>  by mx.mailop.org (Postfix) with ESMTPS id 4FhpZY1wh6z8slr
>  for <[email protected]>; Sat, 15 May 2021 04:03:01 +0200 (CEST)
Since your "smtp.semperen.com" is definitely taking care of the outbound
role here, it is necessary / relevant (... as in, mandatory, for most
destinations).

-> https://forums.aws.amazon.com/thread.jspa?threadID=248430
-> https://forums.aws.amazon.com/thread.jspa?threadID=249021
-> https://forums.aws.amazon.com/thread.jspa?threadID=250565

Others have apparently had luck, according to these threads, so I would
definitely, and strongly, advise you to also pursue the IPv6 PTR.

That being said, the PTR stuff itself isn't technically relevant, if we
should be strictly on topic for the issue(s) mentioned in this thread.

> Any thoughts would be appreciated.

Fix the MTA-STS policy's line endings / separators by terminating the
lines properly with CRLF (\r\n) rather than only LF (\n).

Make sure that your SMTP server returns "250-STARTTLS" consistently to
all clients.

-- 
Med venlig hilsen / Kind regards,
Arne Jensen


_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
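Added example (not code from this thread, nor from the esmtp.email or aykevl.nl checkers it mentions): a small Python checker for the two things the reply asks the original poster to fix. `check_policy` validates an MTA-STS policy body against RFC 8461 section 3.2 (CRLF termination, the `version`/`mode`/`max_age`/`mx` fields) the way the quoted tool did, reporting LF-only lines but still parsing the rest; `starttls_consistent` compares EHLO responses captured from several vantage points and flags the hit-and-miss STARTTLS advertisement described above. The policy texts, EHLO transcripts and function names are this example's own constructions, not semperen.com's real policy or server output.

```python
"""Checks for the two problems raised in the thread: LF-only MTA-STS policy
lines (RFC 8461 s3.2 requires CRLF) and inconsistent STARTTLS advertisement.
Example code; inputs are constructed, nothing here is fetched from the network."""
import re

MAX_AGE_LIMIT = 31557600  # upper bound for max_age given in RFC 8461 s3.2
VALID_MODES = ("enforce", "testing", "none")


def check_policy(raw: bytes) -> dict:
    """Validate a policy body as served at .well-known/mta-sts.txt (`raw` is
    the HTTP body). Returns parsed fields, mx patterns and a list of problems;
    an empty list means every check below passed."""
    problems = []

    # RFC 8461 s3.2: fields are CRLF-separated. Each "\n" without a preceding
    # "\r" is a line the publisher terminated with LF only.
    lf_only = raw.count(b"\n") - raw.count(b"\r\n")
    if lf_only:
        problems.append(f"{lf_only} line(s) terminated by LF only, not CRLF")
    if b"\r" in raw.replace(b"\r\n", b""):
        problems.append("bare CR found in policy")

    # Parse leniently (either terminator) so the remaining checks still run,
    # as the checker quoted in the thread did after adding the missing CRLF.
    fields, mx_patterns = {}, []
    for lineno, line in enumerate(raw.decode("ascii", "replace").splitlines(), 1):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            problems.append(f"line {lineno}: not a 'key: value' pair: {line!r}")
            continue
        if key == "mx":
            mx_patterns.append(value)  # several mx fields are allowed
        elif key in fields:
            problems.append(f"duplicate field '{key}'")
        else:
            fields[key] = value

    for required in ("version", "mode", "max_age"):
        if required not in fields:
            problems.append(f"missing required field '{required}'")
    if fields.get("version", "STSv1") != "STSv1":
        problems.append(f"unknown version {fields['version']!r}")
    mode = fields.get("mode")
    if mode is not None and mode not in VALID_MODES:
        problems.append(f"invalid mode {mode!r}")
    max_age = fields.get("max_age")
    if max_age is not None:
        if not re.fullmatch(r"[0-9]{1,10}", max_age) or int(max_age) > MAX_AGE_LIMIT:
            problems.append(f"max_age {max_age!r} is not an integer in 0..{MAX_AGE_LIMIT}")
    # An enforce/testing policy with no mx pattern can never match any MX host.
    if mode in ("enforce", "testing") and not mx_patterns:
        problems.append("no mx field, so no receiving host can match this policy")
    for pattern in mx_patterns:
        if not re.fullmatch(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", pattern):
            problems.append(f"mx pattern {pattern!r} is not a hostname or *.domain")

    return {"fields": fields, "mx": mx_patterns, "problems": problems}


def ehlo_offers_starttls(ehlo_response: str) -> bool:
    """True if a multi-line EHLO response advertises STARTTLS (RFC 3207):
    a '250-STARTTLS' continuation line or a final '250 STARTTLS' line."""
    return any(re.fullmatch(r"250[- ]STARTTLS", line.strip(), re.I)
               for line in ehlo_response.splitlines())


def starttls_consistent(responses: dict) -> dict:
    """Given EHLO transcripts captured from several vantage points
    (probe name -> transcript), report which saw STARTTLS. A mix is the
    'selective' behaviour the operational BCP slides warn against."""
    seen = {name: ehlo_offers_starttls(r) for name, r in responses.items()}
    return {"consistent": len(set(seen.values())) <= 1, "by_probe": seen}


# Constructed sample inputs (not the real policy or responses of any domain).
LF_ONLY_POLICY = b"version: STSv1\nmode: enforce\nmx: mail.example.test\nmax_age: 604800\n"
CRLF_POLICY = LF_ONLY_POLICY.replace(b"\n", b"\r\n")
EHLO_WITH_TLS = "250-mail.example.test\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_WITHOUT_TLS = "250-mail.example.test\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for name, body in (("LF-only", LF_ONLY_POLICY), ("CRLF", CRLF_POLICY)):
        print(name, check_policy(body)["problems"] or "ok")
    print(starttls_consistent({"probe-a": EHLO_WITH_TLS, "probe-b": EHLO_WITHOUT_TLS}))
```

Run it as a script and the LF-only policy is reported with four LF-terminated lines while the CRLF copy passes; the two EHLO transcripts come back as inconsistent. Capturing the EHLO transcripts from more than one network location is what turns the second check into something useful, since a single probe cannot tell "never offered" from "offered selectively".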
