Heho,

Debugging this further, "MTA-STS DNS Policy" is also marked x when the TXT record is present but the policy is faulty, e.g., due to a non-compliant MX. So, everything as it should be in this case.

With best regards,
Tobias

--
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tob...@fiebig.nl

-----Original Message-----
From: mailop <mailop-boun...@mailop.org> On Behalf Of Tobias Fiebig via mailop
Sent: Tuesday, 9 August 2022 17:57
To: 'Luis E. Muñoz' <mailop@lem.click>
Cc: mailop@mailop.org; 'Eric Tykwinski' <eric-l...@truenet.com>
Subject: Re: [mailop] Debugging MTA-STS sending

Heho,

Currently not sure why the DNS policy is missing. Will revisit the RFC, might be due to ttl.

dig +short TXT _mta-sts.mail-mtasts.measurement.email-security-scans.org
"v=STSv1; id=2022080902"

With best regards,
Tobias

-----Original Message-----
From: Luis E. Muñoz <mailop@lem.click>
Sent: Tuesday, 9 August 2022 17:11
To: Tobias Fiebig <tob...@fiebig.nl>
Cc: Eric Tykwinski <eric-l...@truenet.com>; mailop@mailop.org
Subject: Re: [mailop] Debugging MTA-STS sending

On 9 Aug 2022, at 10:27, Tobias Fiebig via mailop wrote:

> This is interesting. The certificate for tls-invalid should a) not match the
> CN, and b) be expired. The ": b'84:OK secure
> match=tls-invalid.measurement.email-security-scans.org servername=hostname,'"
> is hence a bit confusing. Also just tested it with 'openssl s_client
> -starttls smtp -crlf -connect
> tls-invalid.measurement.email-security-scans.org:25' just now, and the CN
> does indeed not match.

https://esmtp.email/tools/mta-sts/ also is reporting on a missing DNS policy. The cert is reported as expired as well.

-lem

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
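
Added example, not part of the thread and not code from any of the tools mentioned in it: a small offline checker that separates the two conditions discussed above, a missing `_mta-sts` TXT record versus a TXT record that is present while the policy does not cover the domain's MX hosts, following the RFC 8461 rules for the TXT record and for `mx` patterns. The TXT value is the one quoted in the thread; the policy text and all `example.org` / `example.net` host names are constructed, and the function names are hypothetical.

```python
def parse_sts_txt(txt_records):
    """Return the policy id if exactly one valid STSv1 TXT record exists, else None."""
    ids = []
    for rec in txt_records:
        fields = [f.strip() for f in rec.split(";") if f.strip()]
        if fields and fields[0] == "v=STSv1":
            kv = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
            if kv.get("id", "").isalnum():
                ids.append(kv["id"])
    return ids[0] if len(ids) == 1 else None

def parse_policy(text):
    """Parse the key: value lines of an mta-sts.txt policy body."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" in line:
            key, value = (p.strip() for p in line.split(":", 1))
            if key == "mx":
                policy["mx"].append(value.lower().rstrip("."))
            else:
                policy[key] = value
    return policy

def mx_matches(host, pattern):
    """A '*.' pattern covers exactly one left-most label; otherwise exact match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def diagnose(txt_records, policy_text, mx_hosts):
    """Classify the result so 'no TXT record' and 'faulty policy' stay distinct."""
    if parse_sts_txt(txt_records) is None:
        return "no-txt-record"
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        return "policy-invalid"
    bad = [h for h in mx_hosts if not any(mx_matches(h, p) for p in policy["mx"])]
    return "mx-not-covered: " + ", ".join(bad) if bad else "ok"

# TXT value as quoted in the thread; policy and MX names below are constructed.
TXT = ['v=STSv1; id=2022080902']
POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.org\nmx: *.mx.example.org\nmax_age: 86400\n"

if __name__ == "__main__":
    print(diagnose([], POLICY, ["mail.example.org"]))
    print(diagnose(TXT, POLICY, ["mail.example.org", "a.mx.example.org"]))
    print(diagnose(TXT, POLICY, ["mail.example.net"]))
```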