On 08.01.19 at 21:59, John R Levine wrote:

> I have about 80 domains pointed at my mail server. I control the DNS for all
> of them but I can't see any reasonable way to make MTA-STS work.
>
> I can set up the TXT records easily enough, but it looks like I need an HTTPS
> server with 80 names and 80 certificates, or one certificate with 80 alt
> names. That doesn't scale very well.
>
> Adding to the excitement, every domain has its own name for the mail server,
> e.g., for foo.com the mail server name is mx1.foo.com, all pointing at the
> same IP address. (This is not unusual; Tucows hostedemail does the same
> thing with much longer names.) So I'll need 80 names on the mail server
> certificates, too.
>
> Am I missing anything here?
My (not yet deployed at scale) setup looks like this. Hope this is not entirely broken :-)

- assumption: many customer domains have a shared MX
- use https://github.com/danmarg/sts-mate as webserver
- set up 3 instances announcing my MX set, one instance per policy "none/testing/enforce"
- name them mta-sts-policy-none.example.net, mta-sts-policy-testing.example.net and mta-sts-policy-enforce.example.net
- set up 3 instances _mta-sts-policy-none|testing|enforce.example.net; they propagate a policy date

To enable MTA-STS on a customer domain, you only add 2 CNAMEs:

- mta-sts.customer.example CNAME mta-sts-policy-enforce.example.net
- _mta-sts.customer.example CNAME _mta-sts-policy-enforce.example.org

Daniel's sts-mate fetches LE certificates on demand.

Andreas

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
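An added example (not code from the thread, and not sts-mate's own) that checks the assumption Andreas's shared-policy delegation rests on: it parses a constructed RFC 8461 policy file and `_mta-sts` TXT record, then reports which of a customer domain's MX hosts the shared policy does not cover, which is John's per-domain `mx1.foo.com` case. All domain names, the policy text and the MX sets are constructed sample data.

```python
# Constructed sample data (not from the thread): one policy served for every
# customer domain via CNAME, plus MX sets as they might appear in DNS.
SHARED_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.net
mx: *.mx.example.net
max_age: 604800
"""
STS_TXT = "v=STSv1; id=20190108T215900;"
MX_RECORDS = {
    "customer.example": ["mx1.example.net", "mx2.mx.example.net"],  # shared MX
    "foo.com": ["mx1.foo.com"],  # per-domain MX name, as in John's setup
}

def parse_policy(text):
    """Parse an RFC 8461 policy file into a dict; 'mx' collects all mx lines."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or "max_age" not in policy:
        raise ValueError("invalid MTA-STS policy")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy mode")
    policy["max_age"] = int(policy["max_age"])
    return policy

def parse_sts_txt(txt):
    """Validate the _mta-sts TXT record and return its policy id."""
    fields = dict(f.strip().split("=", 1) for f in txt.split(";") if f.strip())
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("invalid _mta-sts TXT record")
    return fields["id"]

def mx_matches(pattern, host):
    """RFC 8461 mx matching: exact host, or '*.' covering exactly one left label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.split(".", 1)[1:] == [pattern[2:]]
    return host == pattern

def uncovered_mx(domain, policy, mx_records=MX_RECORDS):
    """Return the domain's MX hosts that the policy's mx patterns do not match.
    In enforce mode any such host makes senders refuse delivery via it."""
    return [h for h in mx_records[domain]
            if not any(mx_matches(p, h) for p in policy["mx"])]
```

Running `uncovered_mx("foo.com", parse_policy(SHARED_POLICY))` returns `['mx1.foo.com']`, i.e. a domain with its own MX name cannot simply CNAME onto the shared enforce policy without that name being listed.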
