
MTA-STS in production

<ui2pqa$5pr$1@bastet.speedkom.net>

https://news.novabbs.org/computers/article-flat.php?id=1835&group=comp.mail.sendmail#1835

Newsgroups: comp.mail.sendmail
Path: i2pn2.org!rocksolid2!news.neodome.net!news.mixmin.net!news2.arglkargh.de!news.karotte.org!news.iks-jena.de!speedkom.net!not-for-mail
From: ask@eb6.srv.ke3.speedkom.net (Andreas S. Kerber)
Newsgroups: comp.mail.sendmail
Subject: MTA-STS in production
Date: Fri, 3 Nov 2023 12:41:46 +0000 (UTC)
Organization: IDKOM Networks GmbH
Lines: 42
Message-ID: <ui2pqa$5pr$1@bastet.speedkom.net>
NNTP-Posting-Host: eb6.srv.ke3.speedkom.net
X-Trace: bastet.speedkom.net 1699015306 5947 2001:14e0::31 (3 Nov 2023 12:41:46 GMT)
X-Complaints-To: abuse@speedkom.net
NNTP-Posting-Date: Fri, 3 Nov 2023 12:41:46 +0000 (UTC)
 by: Andreas S. Kerber - Fri, 3 Nov 2023 12:41 UTC

Anybody using MTA-STS in production?

I just gave it a go using mta-sts-resolver 1.4.0 and sendmail:

| Version 8.17.2
| Compiled with: DANE DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
| MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB=5.3
| PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS TLS_VRFY_PER_CTX
| USERDB XDEBUG

sendmail is compiled with _FFR_MTA_STS and FEATURE(`sts') has been added.

According to tcpdump I can see that sendmail is successfully talking to
the mta-sts-resolver via port 5461 and the resolver seems to give a
positive answer back to sendmail, but according to sendmail logs it doesn't
seem to like to talk to the designated MX.

Log:
| Nov 3 10:34:09 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:09 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt1.aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:10 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt2.aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:12 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt4.aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:13 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt3.aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:13 frontend3 sendmail[1199706]: 3A39STIU1196890: to=<XXXXX@derago.com>, delay=00:05:44, xdelay=00:00:04, mailer=esmtp, pri=321206, relay=alt3.aspmx.l.google.com. [IPv6:2a00:1450:4010:c1c:0:0:0:1a], dsn=4.7.0, stat=Deferred: 403 4.7.0 authentication failed

tcpdump on port 5461 and using "strings" to get something readable:
{...}
| 14:sts derago.com,
| 4TI@
| 150:OK secure match=alt4.aspmx.l.google.com:alt1.aspmx.l.google.com:aspmx.l.google.com:alt2.aspmx.l.google.com:alt3.aspmx.l.google.com servername=hostname,
| 14:sts derago.com,

A manual mta-sts query seems to match the MX:

| # mta-sts-query derago.com
| (<STSFetchResult.VALID: 1>, ('20201030143700', {'mx': ['alt1.aspmx.l.google.com', 'alt3.aspmx.l.google.com', 'alt4.aspmx.l.google.com', 'alt2.aspmx.l.google.com', 'aspmx.l.google.com'], 'version': 'STSv1', 'mode': 'enforce', 'max_age': 604800}))

Anybody using MTA-STS successfully and maybe got a hint for me?
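The exchange the tcpdump above shows is sendmail's socketmap protocol: each message is a netstring (`<length>:<bytes>,`), the request is `sts <domain>`, and the resolver answers `OK secure match=<mx1>:<mx2>:... servername=hostname`. The following is an added example, not code from the post or from mta-sts-resolver: it models both sides of that exchange and the MX check an MTA-STS client has to make before it may deliver (RFC 8461 section 4.1, including the `*.example.com` wildcard form). The policy dict is constructed from the mta-sts-query output in the post; the reply strings for domains without an enforce policy are assumptions, not the resolver's real output.

```python
# Added example (not from the post or from mta-sts-resolver): the socketmap
# exchange "14:sts derago.com," -> "150:OK secure match=... servername=hostname,"
# and the MX matching an MTA-STS client performs on the result.

# Constructed from the mta-sts-query output in the post.
POLICIES = {
    "derago.com": {
        "version": "STSv1",
        "mode": "enforce",
        "mx": [
            "alt4.aspmx.l.google.com",
            "alt1.aspmx.l.google.com",
            "aspmx.l.google.com",
            "alt2.aspmx.l.google.com",
            "alt3.aspmx.l.google.com",
        ],
        "max_age": 604800,
    },
}


def netstring_encode(payload: str) -> bytes:
    """Frame a string as a netstring: <len>:<bytes>, (socketmap wire format)."""
    data = payload.encode("utf-8")
    return b"%d:%s," % (len(data), data)


def netstring_decode(buf: bytes):
    """Strip one netstring off the front of buf; return (payload, remaining bytes)."""
    colon = buf.index(b":")
    length = int(buf[:colon])
    start, end = colon + 1, colon + 1 + length
    if buf[end:end + 1] != b",":
        raise ValueError("malformed netstring: missing trailing comma")
    return buf[start:end].decode("utf-8"), buf[end + 1:]


def resolver_reply(request: str) -> str:
    """Stand-in for the resolver side. The enforce form matches the tcpdump in the
    post; the other reply strings are assumptions, not mta-sts-resolver's output."""
    mapname, _, domain = request.partition(" ")
    if mapname != "sts" or not domain:
        return "PERM bad request"
    policy = POLICIES.get(domain.lower())
    if policy is None or policy["mode"] == "none":
        return "OK none"
    mode = "secure" if policy["mode"] == "enforce" else "testing"
    return f"OK {mode} match={':'.join(policy['mx'])} servername=hostname"


def parse_reply(reply: str) -> dict:
    """Parse 'OK <mode> match=a:b:c servername=hostname' into a dict."""
    status, _, rest = reply.partition(" ")
    if status != "OK":
        raise RuntimeError(f"resolver error: {reply}")
    fields = rest.split(" ")
    parsed = {"mode": fields[0], "mx": [], "servername": None}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        if key == "match":
            parsed["mx"] = value.split(":")
        elif key == "servername":
            parsed["servername"] = value
    return parsed


def mx_matches(relay: str, patterns) -> bool:
    """RFC 8461 section 4.1 matching: exact, or '*.example.com' covering exactly one
    extra leftmost label ('example.com' and 'a.b.example.com' do not match)."""
    host = relay.rstrip(".").lower()
    for pattern in patterns:
        pattern = pattern.rstrip(".").lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            if host.endswith(suffix):
                left = host[:-len(suffix)]
                if left and "." not in left:
                    return True
        elif host == pattern:
            return True
    return False


def check_relay(domain: str, relay: str) -> dict:
    """Run the whole exchange for one recipient domain and one candidate MX."""
    wire_request = netstring_encode(f"sts {domain}")
    request, _ = netstring_decode(wire_request)      # what the resolver reads
    wire_reply = netstring_encode(resolver_reply(request))
    reply, _ = netstring_decode(wire_reply)          # what sendmail reads
    policy = parse_reply(reply)
    enforce = policy["mode"] == "secure"
    matched = mx_matches(relay, policy["mx"])
    return {
        "mode": policy["mode"],
        "mx_match": matched,
        # Under enforce an MX outside the policy may not be used, TLS or not.
        "allowed": matched or not enforce,
        "wire_request": wire_request,
        "wire_reply": wire_reply,
    }


if __name__ == "__main__":
    for relay in ("alt3.aspmx.l.google.com.", "mx.other.example."):
        print(relay, check_relay("derago.com", relay))
```

Note that the MX match is only half of what enforce mode requires: the relay must also present a certificate that validates against the MTA's trust store for the matched name, which is the part that failed in the log above while the socketmap reply itself was already `OK secure`.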

Re: MTA-STS in production

<ui32vh$kta$1@bastet.speedkom.net>

https://news.novabbs.org/computers/article-flat.php?id=1836&group=comp.mail.sendmail#1836

Newsgroups: comp.mail.sendmail
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.datentrampelpfad.de!news.iks-jena.de!speedkom.net!not-for-mail
From: ask@eb6.srv.ke3.speedkom.net (Andreas S. Kerber)
Newsgroups: comp.mail.sendmail
Subject: Re: MTA-STS in production
Date: Fri, 3 Nov 2023 15:18:09 +0000 (UTC)
Organization: IDKOM Networks GmbH
Lines: 5
Message-ID: <ui32vh$kta$1@bastet.speedkom.net>
References: <ui2pqa$5pr$1@bastet.speedkom.net>
NNTP-Posting-Host: eb6.srv.ke3.speedkom.net
X-Trace: bastet.speedkom.net 1699024689 21418 2001:14e0::31 (3 Nov 2023 15:18:09 GMT)
X-Complaints-To: abuse@speedkom.net
NNTP-Posting-Date: Fri, 3 Nov 2023 15:18:09 +0000 (UTC)
 by: Andreas S. Kerber - Fri, 3 Nov 2023 15:18 UTC

Never mind. I used a wrong "CACertFile". Verification and delivery with
MTA-STS works fine now.

Nov 3 16:14:42 frontend3 sendmail[1336470]: STARTTLS=client, relay=aspmx.l.google.com., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
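The two log excerpts in this thread are the before and after of the same problem, and the shape of the failure is itself a clue: every MX of the domain was rejected by the `tls_server` ruleset in the same way within a few seconds, which points at the sending side (here the trust store named by `CACertFile`) rather than at five remote hosts going bad at once. The following is an added example, not code from the post: a small parser for the sendmail log lines quoted above, a per-relay TLS status summary, and that heuristic as a function. The sample lines are copied from the two posts; the MX list is the one the policy returned.

```python
# Added example (not from the post): parse sendmail TLS log lines and flag the
# "every MX fails verification at once" pattern seen in this thread.
import re

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<body>.*)$"
)
QUEUE_ID_RE = re.compile(r"[0-9A-Za-z]{12,16}")

# Lines copied from the first post: all MXs rejected by the tls_server ruleset.
BEFORE_FIX = [
    "Nov 3 10:34:09 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=aspmx.l.google.com, reject=403 4.7.0 authentication failed",
    "Nov 3 10:34:09 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt1.aspmx.l.google.com, reject=403 4.7.0 authentication failed",
    "Nov 3 10:34:10 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt2.aspmx.l.google.com, reject=403 4.7.0 authentication failed",
    "Nov 3 10:34:12 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt4.aspmx.l.google.com, reject=403 4.7.0 authentication failed",
    "Nov 3 10:34:13 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt3.aspmx.l.google.com, reject=403 4.7.0 authentication failed",
    "Nov 3 10:34:13 frontend3 sendmail[1199706]: 3A39STIU1196890: to=<XXXXX@derago.com>, delay=00:05:44, xdelay=00:00:04, mailer=esmtp, pri=321206, relay=alt3.aspmx.l.google.com. [IPv6:2a00:1450:4010:c1c:0:0:0:1a], dsn=4.7.0, stat=Deferred: 403 4.7.0 authentication failed",
]
# Line copied from the second post, after CACertFile was corrected.
AFTER_FIX = [
    "Nov 3 16:14:42 frontend3 sendmail[1336470]: STARTTLS=client, relay=aspmx.l.google.com., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256",
]
# MX list as returned by the MTA-STS policy in the first post.
GOOGLE_MX = [
    "aspmx.l.google.com", "alt1.aspmx.l.google.com", "alt2.aspmx.l.google.com",
    "alt3.aspmx.l.google.com", "alt4.aspmx.l.google.com",
]


def parse_line(line: str):
    """Split a sendmail log line into syslog prefix plus key=value fields.
    Returns None for lines that are not sendmail's."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"])}
    body = m["body"]
    # Per-message lines start with a queue id: "3A39STIU1196890: to=<...>, ..."
    qid, sep, rest = body.partition(": ")
    if sep and QUEUE_ID_RE.fullmatch(qid):
        rec["qid"], body = qid, rest
    for part in body.split(", "):
        key, eq, value = part.partition("=")
        if eq:
            rec[key] = value
    return rec


def relay_host(rec: dict) -> str:
    """'alt3.aspmx.l.google.com. [IPv6:...]' -> 'alt3.aspmx.l.google.com'."""
    return rec.get("relay", "").split(" ")[0].rstrip(".").lower()


def tls_status(rec: dict):
    """(relay, status) with status in verify_ok / verify_fail / policy_reject, else None."""
    if "STARTTLS" in rec:
        return relay_host(rec), "verify_ok" if rec.get("verify") == "OK" else "verify_fail"
    if rec.get("ruleset") == "tls_server" and rec.get("arg1") == "FAIL":
        return relay_host(rec), "policy_reject"
    return None


def summarize(lines) -> dict:
    """Latest TLS status per relay host over a batch of log lines."""
    status_by_relay = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        result = tls_status(rec)
        if result:
            status_by_relay[result[0]] = result[1]
    return status_by_relay


def suspect_local_trust_store(status_by_relay: dict, mx_hosts) -> bool:
    """Heuristic: if every MX the policy lists is rejected the same way, check the
    sender's CA configuration before suspecting the remote side."""
    hosts = [h.rstrip(".").lower() for h in mx_hosts]
    return bool(hosts) and all(status_by_relay.get(h) == "policy_reject" for h in hosts)


if __name__ == "__main__":
    before = summarize(BEFORE_FIX)
    print(before, "local trust store suspect:", suspect_local_trust_store(before, GOOGLE_MX))
    print(summarize(AFTER_FIX))
```

The `verify=OK` field on the `STARTTLS=client` line is the value to alert on for domains in enforce mode: anything else there, or the `tls_server` ruleset firing with `arg1=FAIL`, means mail to that domain is being deferred rather than sent in the clear, which is the intended MTA-STS behaviour but still an outage until the cause is fixed.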
