Btw, if MTA-STS fails one won't get any report from MS at all (Google is 
sending them regardless of your MTA-STS policy). So one has to fix the 
MTA-STS problem first to see the failed connections from MS. I'd say that is 
kind of useless because I get the reports when the problems are solved.

Regards
Norbert

-----Original Message-----
From: mailop <mailop-boun...@mailop.org> On Behalf Of Mechiel Lukkien via mailop
Sent: Sunday, 17 November 2024 22:42
To: mailop@mailop.org
Subject: Re: [mailop] SMTP TLS Reports for forged senders.

> Microsoft is sending TLS reports reporting DANE and MTA-STS connections.
> They seem to test and report both of 'em so the count is more or less 
> doubled. If you get 10 connections they report 20 connections (10 for MTA-STS 
> and 10 for DANE).

TLS reporting is about the policies found, and how many connections were
(un)successful against them. If you verify both DANE and MTA-STS, you will
find both policies and you'll have two verification results for each
connection. So I wouldn't say they are reporting the connections twice.

I recently received "validation failures" in TLS reports from Microsoft. The
failures were only counting towards the MTA-STS policy, not towards the DANE
policy, even though the problem appears to be with a TLS stack
incompatibility (with the Go TLS stack). TLS reporting is about MTA-STS and/or
DANE verification. So other kinds of TLS errors will probably be reported
differently based on implementations (and possibly with not-quite-correct
failure codes).

Another quirk, the Microsoft DANE TLS reporting implementation seems to
double-JSON-encode the TLSA records. Example with two TLSA records:

        "policy": {
                "policy-type": "tlsa",
                "policy-string": [
                        "[\"3 1 1 5C046FF012891B5F0D6176024C5C25FF486A7C12B8000FDF8B418AB3ECF6D309\",\"3 1 1 CEC87FB33D2A7499CA78E824E59B77531AC1FDEC7378FC81FCE7E5D213A364AB\"]"
                ],
                "policy-domain": "ueber.net"
        },

Cheers,
Mechiel
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
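
For anyone parsing these reports, a tolerant reader for the double-JSON-encoded `policy-string` quoted above. This is an added example, not code from either poster or from Microsoft; the function names and the report skeleton wrapped around the quoted `policy` object are assumptions.

```python
import json

# Constructed sample: the "policy" object quoted in the thread, wrapped in a
# minimal "policies" array so it parses as a stand-alone document.
SAMPLE_REPORT = r'''
{"policies": [{"policy": {
    "policy-type": "tlsa",
    "policy-string": [
      "[\"3 1 1 5C046FF012891B5F0D6176024C5C25FF486A7C12B8000FDF8B418AB3ECF6D309\",\"3 1 1 CEC87FB33D2A7499CA78E824E59B77531AC1FDEC7378FC81FCE7E5D213A364AB\"]"
    ],
    "policy-domain": "ueber.net"}}]}
'''

def normalize_policy_strings(entries):
    """Flatten entries that are themselves a JSON-encoded array of strings."""
    out = []
    for entry in entries:
        text = entry.strip()
        # A TLSA record starts with a digit, so a leading "[" can only be
        # the double-encoding quirk (or garbage, which is passed through).
        if text.startswith("["):
            try:
                inner = json.loads(text)
            except json.JSONDecodeError:
                inner = None
            if isinstance(inner, list) and all(isinstance(x, str) for x in inner):
                out.extend(x.strip() for x in inner)
                continue
        out.append(text)
    return out

def parse_tlsa(record):
    """Split 'usage selector mtype hexdata'; raises ValueError if malformed."""
    usage, selector, mtype, data = record.split(None, 3)
    data = "".join(data.split()).upper()
    bytes.fromhex(data)  # rejects non-hex association data
    return int(usage), int(selector), int(mtype), data

def tlsa_policies(report_json):
    """Map policy-domain -> parsed TLSA records for every 'tlsa' policy."""
    result = {}
    for item in json.loads(report_json).get("policies", []):
        policy = item.get("policy", {})
        if policy.get("policy-type") != "tlsa":
            continue
        records = normalize_policy_strings(policy.get("policy-string", []))
        result[policy.get("policy-domain")] = [parse_tlsa(r) for r in records]
    return result

if __name__ == "__main__":
    print(tlsa_policies(SAMPLE_REPORT))
```

Correctly encoded reports, where each array element is a single TLSA record, pass through `normalize_policy_strings` unchanged.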
