Tobias, I'm actually sort of interested now as well.
I just ran this through postfix-mta-sts-resolver (https://github.com/Snawoot/postfix-mta-sts-resolver)

Log for test:
2022-08-09 08:52:32 DEBUG STS: len(self._children) = 1
2022-08-09 08:52:32 DEBUG STS: Read: b'56:postfix mail-mtasts.measurement.email-security-scans.org,'
2022-08-09 08:52:32 DEBUG STS: Enq request: b'postfix mail-mtasts.measurement.email-security-scans.org'
2022-08-09 08:52:32 DEBUG STS: Got new future from queue
2022-08-09 08:52:32 DEBUG STS: Lookup PERFORMED: domain = mail-mtasts.measurement.email-security-scans.org
2022-08-09 08:52:32 DEBUG RES: Got STS resolve request: sts_txt_domain=_mta-sts.mail-mtasts.measurement.email-security-scans.org, known_id=None
2022-08-09 08:52:32 DEBUG RES: Parsed STS record for domain 'mail-mtasts.measurement.email-security-scans.org': {'v': 'STSv1', 'id': '2022080901'}
2022-08-09 08:52:33 DEBUG RES: Parsed policy for domain mail-mtasts.measurement.email-security-scans.org: {'mx': ['tls-invalid.measurement.email-security-scans.org'], 'version': 'STSv1', 'mode': 'enforce', 'max_age': '86400'}
2022-08-09 08:52:33 DEBUG STS: Future await complete: data=b'84:OK secure match=tls-invalid.measurement.email-security-scans.org servername=hostname,'
2022-08-09 08:52:33 DEBUG STS: Wrote: b'84:OK secure match=tls-invalid.measurement.email-security-scans.org servername=hostname,'
2022-08-09 08:52:33 DEBUG STS: Client disconnected

Log for my server which is valid:
2022-08-09 08:54:09 DEBUG STS: len(self._children) = 1
2022-08-09 08:54:09 DEBUG STS: Read: b'20:postfix virtcolo.com,'
2022-08-09 08:54:09 DEBUG STS: Enq request: b'postfix virtcolo.com'
2022-08-09 08:54:09 DEBUG STS: Got new future from queue
2022-08-09 08:54:09 DEBUG STS: Lookup PERFORMED: domain = virtcolo.com
2022-08-09 08:54:09 DEBUG RES: Got STS resolve request: sts_txt_domain=_mta-sts.virtcolo.com, known_id=None
2022-08-09 08:54:09 DEBUG RES: Parsed STS record for domain 'virtcolo.com': {'v': 'STSv1', 'id': '20220309085700'}
2022-08-09 08:54:09 DEBUG RES: Parsed policy for domain virtcolo.com: {'mx': ['mail.virtcolo.com', '*.virtcolo.com'], 'version': 'STSv1', 'mode': 'enforce', 'max_age': '604800'}
2022-08-09 08:54:09 DEBUG STS: Future await complete: data=b'67:OK secure match=mail.virtcolo.com:.virtcolo.com servername=hostname,'
2022-08-09 08:54:09 DEBUG STS: Wrote: b'67:OK secure match=mail.virtcolo.com:.virtcolo.com servername=hostname,'
2022-08-09 08:54:09 DEBUG STS: Client disconnected

Both seem to work fine.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

-----Original Message-----
From: mailop <mailop-boun...@mailop.org> On Behalf Of Tobias Fiebig via mailop
Sent: Tuesday, August 9, 2022 6:24 AM
To: mailop@mailop.org
Subject: [mailop] Debugging MTA-STS sending

Heho,

I am currently trying to debug a test for MTA-STS sending; the setup is a domain with an MX with an invalid certificate to test whether MTA-STS policies are honored (if they are, no mail should be received).

I tested this last night with an ESP I know should be honoring MTA-STS; however, while the policy was retrieved from the webserver, the email got ultimately delivered. I also did not get an MTA-STS TLS-RPT, even though other domains got them from the same ESP today.

Could some of you who are on a setup that validates MTA-STS please try to send me an email to, and if it (hopefully) fails share the NDR?:

measurem...@mail-mtasts.measurement.email-security-scans.org

(Alternatively, if you see something wrong in the config, please let me know.)

With best regards,
Tobias

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
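
The socketmap exchange in the resolver debug log above, as an added example that is not part of the original thread and not the resolver's own code: it decodes the netstring-framed lookups, rebuilds the replies from the two parsed policies, and checks that the length prefixes (84 and 67) match. The function names are hypothetical, and answering NOTFOUND for anything other than a valid enforce policy is an assumption of this example.

```python
# Added example; function names are hypothetical, not the resolver's own code.

def netstring_decode(data: bytes) -> bytes:
    """Decode one netstring b'<len>:<payload>,' and verify its framing."""
    length, sep, rest = data.partition(b":")
    if not sep or not length.isdigit():
        raise ValueError("missing or non-numeric length prefix")
    n = int(length)
    if len(rest) != n + 1 or rest[n:] != b",":
        raise ValueError("length prefix does not match payload")
    return rest[:n]

def netstring_encode(payload: bytes) -> bytes:
    return str(len(payload)).encode() + b":" + payload + b","

def policy_to_reply(policy: dict) -> bytes:
    """Map a parsed MTA-STS policy to a socketmap reply payload."""
    # Assumption of this example: anything but a valid 'enforce' policy
    # is answered with NOTFOUND, so no TLS policy is imposed.
    if policy.get("version") != "STSv1" or policy.get("mode") != "enforce":
        return b"NOTFOUND "
    # The log shows the policy pattern '*.virtcolo.com' emitted as '.virtcolo.com'.
    names = [mx[1:] if mx.startswith("*.") else mx for mx in policy["mx"]]
    value = "secure match=" + ":".join(names) + " servername=hostname"
    return b"OK " + value.encode()

# Policies copied from the two "Parsed policy" log lines in the thread.
POLICIES = {
    "mail-mtasts.measurement.email-security-scans.org": {
        "mx": ["tls-invalid.measurement.email-security-scans.org"],
        "version": "STSv1", "mode": "enforce", "max_age": "86400"},
    "virtcolo.com": {
        "mx": ["mail.virtcolo.com", "*.virtcolo.com"],
        "version": "STSv1", "mode": "enforce", "max_age": "604800"},
}

def handle(request: bytes, policies: dict = POLICIES) -> bytes:
    """Answer one framed 'postfix <domain>' lookup as a framed reply."""
    _map, _, domain = netstring_decode(request).decode().partition(" ")
    policy = policies.get(domain)
    reply = policy_to_reply(policy) if policy else b"NOTFOUND "
    return netstring_encode(reply)

if __name__ == "__main__":
    for req in (b"56:postfix mail-mtasts.measurement.email-security-scans.org,",
                b"20:postfix virtcolo.com,"):
        print(handle(req))
```

A "secure match=..." reply only names what the MX certificate must verify against; the sending Postfix enforces it when this map is consulted through smtp_tls_policy_maps.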