In article <canhgq8h0dnnqczrp0rxxzhlh+d52vsqiryok8pu9ffifzwb...@mail.gmail.com> you write:
>> Thus, my take is that MTA-STS policies with a max_age less than ~30 days
>> are potentially ineffective, and perhaps not worth the bother.
>
>Sure, for production use.
>
>The issue I am seeing is this: New users are experimenting with MTA-STS and
>wish to use a small policy duration until they're confident in their
>configuration. They use values in hours and don't get any reports.
>
>Perhaps there's a case for specifying a minimum acceptable policy duration
>in RFC errata or something?

I publish 86400 max_age and get lots of reports, mostly from Google and
Comcast. If they're testing they should be using testing mode, and the
age doesn't matter so much.

  version: STSv1
  mode: testing
  mx: <whatever>
  max_age: 86400

My setup is a little odd because my mail servers have a different name
for each domain pointed at them so I'm also testing whether clients
provide SNI to ask for the right certificate and my servers correctly
provide it. As far as I can tell they all do. It's not a perfect test
because all of the certs for each server have the same key and so the
same TLSA which (I think, Viktor?) would work even if it provided the
wrong certificate.
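
Added example, not part of the original message: a small Python parser for the policy format shown above, together with the RFC 8461 sender behaviour that distinguishes testing mode from enforce mode. The mx pattern *.mail.example.net, the host names and the function names are assumptions made for illustration.

```python
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds

# Constructed sample: the policy from the message, with a placeholder mx pattern.
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: testing\r\n"
    "mx: *.mail.example.net\r\n"
    "max_age: 86400\r\n"
)

def parse_policy(text):
    """Return {'mode', 'max_age', 'mx'} or raise ValueError for an invalid policy."""
    fields, mx = {}, []
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())       # mx may repeat; keep every pattern
        else:
            fields.setdefault(key, value)  # other keys: first occurrence wins
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("bad mode")
    max_age = fields.get("max_age", "")
    if not (max_age.isascii() and max_age.isdigit()) or int(max_age) > MAX_AGE_LIMIT:
        raise ValueError("bad max_age")
    if mode != "none" and not mx:
        raise ValueError("mx required unless mode is none")
    return {"mode": mode, "max_age": int(max_age), "mx": mx}

def mx_matches(pattern, host):
    """A '*.' pattern matches exactly one left-most label; otherwise exact match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def sender_action(policy, mx_host, tls_valid):
    """'deliver', 'deliver-and-report' (failure in testing mode) or 'refuse-mx'."""
    ok = tls_valid and any(mx_matches(p, mx_host) for p in policy["mx"])
    if ok or policy["mode"] == "none":
        return "deliver"
    # testing: deliver anyway and report via TLSRPT; enforce: do not use this MX
    return "deliver-and-report" if policy["mode"] == "testing" else "refuse-mx"
```

With the sample policy, a certificate failure on a matching MX yields "deliver-and-report"; the same failure under mode: enforce yields "refuse-mx".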
