On 15.05.21 14:43, Arne Jensen via mailop wrote:

On 15-05-2021 at 03:53, Eric Germann via mailop wrote:
I’ve enabled MTA-STS for the domain semperen.com <http://semperen.com>.

many good remarks snipped
My question is what could be the cause of the failure?

1. Certificate validation error in the certificate chain
2. No reverse DNS for the IPv6 address

The host is in AWS and has a PTR for IPv4 set up correctly.  Not sure
if you can do a PTR for IPv6 in AWS.

I would add that trying to connect to the site with

posttls-finger  -P /etc/ssl/certs  smtp.semperen.com

gets me TLS 1.0 only, and that might not be tasty to everyone:


posttls-finger: using DANE RR: _25._tcp.smtp.semperen.com IN TLSA 3 1 1 AE:09:ED:EB:71:07:75:5D:83:B6:98:FE:D6:3D:A0:B0:B3:DC:F7:50:14:F1:78:EE:4D:32:99:64:61:95:2B:60
posttls-finger: Connected to smtp.semperen.com[3.13.72.96]:25
posttls-finger: < 220 smtp.semperen.com ESMTP Postfix
posttls-finger: > EHLO smtp2.dotforge.ch
posttls-finger: < 250-smtp.semperen.com
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-SIZE 200000000
posttls-finger: < 250-VRFY
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 DSN
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: smtp.semperen.com[3.13.72.96]:25: depth=0 matched end entity public-key sha256 digest=AE:09:ED:EB:71:07:75:5D:83:B6:98:FE:D6:3D:A0:B0:B3:DC:F7:50:14:F1:78:EE:4D:32:99:64:61:95:2B:60
posttls-finger: smtp.semperen.com[3.13.72.96]:25: Matched subjectAltName: smtp.semperen.com
posttls-finger: smtp.semperen.com[3.13.72.96]:25: subjectAltName: www.smtp.semperen.com
posttls-finger: smtp.semperen.com[3.13.72.96]:25 CommonName smtp.semperen.com
posttls-finger: smtp.semperen.com[3.13.72.96]:25: subject_CN=smtp.semperen.com, issuer_CN=Sectigo RSA Domain Validation Secure Server CA, fingerprint=9E:20:AB:54:BF:CB:D8:6E:22:21:A8:9D:4C:69:33:E9:DF:BC:AD:FD, pkey_fingerprint=9F:D5:08:68:79:73:22:8C:A9:AC:92:89:1D:5C:B1:15:7E:57:FF:DB
posttls-finger: Verified TLS connection established to smtp.semperen.com[3.13.72.96]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

--

Marcel de Riedmatten
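
An added example, not part of the original message: a small Python parser for posttls-finger output like the run above, reporting the trust status, negotiated protocol and cipher, and flagging a protocol below a chosen minimum. The function name summarize, the TLSv1.2 default minimum, and the sample lines for mx.example.test are assumptions constructed for illustration. A DANE-EE (3 1 1) match such as the one above pins the server key and does not show whether the PKIX chain that MTA-STS relies on validates.

```python
import re

# Protocol names as OpenSSL reports them, oldest to newest.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

SUMMARY_RE = re.compile(
    r"(?P<status>Verified|Trusted|Untrusted|Anonymous) TLS connection established"
    r" to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+):"
    r" (?P<protocol>\S+) with cipher (?P<cipher>\S+)"
)

# Constructed sample output (documentation host and address, not a real server).
SAMPLE = """\
posttls-finger: Connected to mx.example.test[192.0.2.25]:25
posttls-finger: < 250-mx.example.test
posttls-finger: < 250-STARTTLS
posttls-finger: < 250 DSN
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: Untrusted TLS connection established to mx.example.test[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""


def summarize(output, min_protocol="TLSv1.2"):
    """Summarize one posttls-finger run; return None if no handshake line is present."""
    # search() over the whole text also copes with output whose line breaks were lost.
    m = SUMMARY_RE.search(output)
    if m is None:
        return None
    info = m.groupdict()
    info["starttls_offered"] = re.search(r"< 250[- ]STARTTLS\b", output) is not None
    # A DANE-EE pin match (wording as in the output above) checks the key, not the PKIX chain.
    info["dane_ee_match"] = "matched end entity" in output
    # Unknown protocol names rank below everything, so they are flagged (fail closed).
    rank = PROTOCOLS.index(info["protocol"]) if info["protocol"] in PROTOCOLS else -1
    info["below_minimum"] = rank < PROTOCOLS.index(min_protocol)
    return info


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:18} {value}")
```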


