> On Sep 30, 2018, at 2:56 AM, Hanno Böck <[email protected]> wrote:
>
>> Does that really mean I have to set up thousand+ virtual hosts
>> https://mta-sts.domain1...1000.example? Or are there other strategies
>> for hosting providers?
>
> This seems to be the one thing that is confusing a lot of people about
> MTA-STS. The answer is yes you have to, no, there are no other
> strategies.
>
> The policy host is the thing that ties your domain name's identity to
> your policy.
This is one way in which DANE is less onerous. For a domain with
signed MX records, the TLSA records are in the provider's zone
at _25._tcp.the.mxhost.example, allowing just one TLSA RRset
managed by the provider to take care of all the (signed) hosted
domains. This works even when the MX hosting provider does not
control the customer's domain, and is not in a position to
obtain the requisite certificates. In that case setting up the
MTA-STS policy is up to the customer.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
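The naming difference described in the thread, as an added example that is not part of the original message: each hosted domain needs its own mta-sts.<domain> policy host (RFC 8461), while DANE puts a single TLSA RRset under the provider's MX host name at _25._tcp.<mxhost> (RFC 7672). The domain names, the MX host and the SPKI bytes below are constructed placeholders, not real records.

```python
import hashlib

# Constructed sample: 1000 hosted customer domains whose MX all point at
# one provider host. Names are made up for illustration.
HOSTED_DOMAINS = [f"domain{i}.example" for i in range(1, 1001)]
PROVIDER_MX = "the.mxhost.example"
DOMAIN_TO_MX = {d: PROVIDER_MX for d in HOSTED_DOMAINS}


def mta_sts_policy_hosts(domains):
    """MTA-STS: a sending MTA fetches https://mta-sts.<domain>/.well-known/
    mta-sts.txt, so the provider needs one HTTPS host (with a certificate
    valid for that name) per customer domain."""
    return {f"mta-sts.{d}" for d in domains}


def dane_tlsa_owners(domain_to_mx, port=25):
    """DANE: the TLSA RRset lives at _<port>._tcp.<mxhost> in the provider's
    own zone, so the number of owner names depends only on the MX hosts,
    not on how many (DNSSEC-signed) domains use them."""
    return {f"_{port}._tcp.{mx}" for mx in domain_to_mx.values()}


def tlsa_rdata(spki_der, usage=3, selector=1, matching_type=1):
    """Presentation form of a DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record,
    the form recommended for SMTP: the SHA-256 digest of the DER-encoded
    SubjectPublicKeyInfo of the MX host's certificate."""
    if (usage, selector, matching_type) != (3, 1, 1):
        raise ValueError("only the '3 1 1' form is handled in this example")
    digest = hashlib.sha256(spki_der).hexdigest()
    return f"{usage} {selector} {matching_type} {digest}"


if __name__ == "__main__":
    # Placeholder SPKI bytes (constructed, not a real key), used only to
    # show the shape of the record the provider would publish once.
    fake_spki = b"constructed-spki-bytes-not-a-real-key"
    print(len(mta_sts_policy_hosts(HOSTED_DOMAINS)), "MTA-STS policy hosts")
    print(len(dane_tlsa_owners(DOMAIN_TO_MX)), "TLSA owner name(s)")
    for owner in sorted(dane_tlsa_owners(DOMAIN_TO_MX)):
        print(f"{owner}. IN TLSA {tlsa_rdata(fake_spki)}")
```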