Snawoot / postfix-mta-sts-resolver

Daemon which provides TLS client policy for Postfix via socketmap, according to domain MTA-STS policy
MIT License

How to test successful postfix-mta-sts-resolver setup? #83

Open dilyanpalauzov opened 2 years ago

dilyanpalauzov commented 2 years ago

I just installed Sendmail 8.17.2 and postfix-mta-sts-resolver. I want to verify my setup by sending to a site which announces MTA-STS support but does not offer STARTTLS. The only site I found was https://mtasts.xyz/, however its policy cannot be fetched, as the certificates for the web and smtp servers are expired. As such the policy is ignored. The site writes “Please send more suggestions so we can list them here!” and “If you know of anything else similar, please let us know!”, without saying how to contact the site owners.

Please extend the setup instructions for postfix-mta-sts-resolver, clarifying how the setup can be validated. E.g. by mentioning a misconfigured mail domain which announces MTA-STS but does not offer MTA-STS.

Snawoot commented 2 years ago

Hello,

This is already covered for Postfix in README: https://github.com/Snawoot/postfix-mta-sts-resolver#operability-check

I'm not sure about Sendmail because I've never tried it with pmsr, and integration with pmsr in Sendmail is relatively new. I'll leave this issue open; maybe other people can suggest differences in logs or anything else that allows validating the correctness of the setup.

dilyanpalauzov commented 2 years ago

To validate the lookup in sendmail one has to call

# sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> /map sts github.com
map_lookup: sts (github.com) no match (68)
> /map sts microsoft.com
map_lookup: sts (microsoft.com) returns secure match=.mail.protection.outlook.com servername=hostname (0)
> 

My question was rather about a site which has on purpose misconfigured its MTA-STS setup. Thus, when a sender has properly configured MTA-STS for outbound mails, writing to that site will fail.
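As an added example (not code from the project or from anyone in this thread), the socketmap exchange the daemon speaks can be driven directly, so the lookup can be exercised without going through Postfix or Sendmail. It assumes the daemon listens on 127.0.0.1:8461 and that the map name is "postfix", as in the README's postmap check; the framing (netstrings) and reply statuses are those of the socketmap protocol.

```python
import socket

def encode_netstring(data: bytes) -> bytes:
    """Frame bytes as a netstring: <len>:<data>,"""
    return b"%d:%s," % (len(data), data)

def decode_netstring(buf: bytes) -> bytes:
    """Unframe one netstring; raise ValueError if incomplete or malformed."""
    length, sep, rest = buf.partition(b":")
    if not sep or not length.isdigit():
        raise ValueError("malformed length prefix")
    n = int(length)
    if len(rest) < n + 1:
        raise ValueError("incomplete netstring")
    if rest[n:n + 1] != b",":
        raise ValueError("missing terminator")
    return rest[:n]

def parse_reply(payload: bytes) -> dict:
    """Interpret a socketmap reply: OK <tls-policy> | NOTFOUND | TEMP/PERM/TIMEOUT <reason>."""
    status, _, data = payload.partition(b" ")
    reply = {"status": status.decode(), "mode": None, "match": [], "reason": None}
    if status == b"OK":
        # e.g. "secure match=.mail.protection.outlook.com servername=hostname"
        fields = data.decode().split()
        reply["mode"] = fields[0] if fields else None
        for field in fields[1:]:
            key, _, value = field.partition("=")
            if key == "match":
                reply["match"] = value.split(":")  # Postfix separates patterns with ':'
    elif status in (b"TEMP", b"PERM", b"TIMEOUT"):
        reply["reason"] = data.decode()
    return reply

def query(domain: str, host: str = "127.0.0.1", port: int = 8461,
          mapname: str = "postfix") -> dict:
    """Send '<mapname> <domain>' to the daemon (assumed address/map name) and parse the reply."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(encode_netstring(f"{mapname} {domain}".encode()))
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("daemon closed connection before a full reply")
            buf += chunk
            try:
                return parse_reply(decode_netstring(buf))
            except ValueError:
                continue  # reply not complete yet, keep reading
```

A domain without a (fetchable) policy yields status NOTFOUND, so a daemon that returns NOTFOUND for every domain, including one known to publish MTA-STS, points at a resolver problem rather than a Postfix or Sendmail one.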

Snawoot commented 2 years ago

@dilyanpalauzov Ah, now I get it. I was also collaborating with the STARTTLS Everywhere project, and there was an idea to build something like https://badssl.com/ but for MTA-STS. It was never implemented, though. It would be nice if somebody made it.

dilyanpalauzov commented 2 years ago

I raised the question on the ietf-smtp mailing list - https://mailarchive.ietf.org/arch/msg/ietf-smtp/59u831ZQlnhGhTmmmcxDwboxZyk/ .

schildbach commented 9 months ago

It would help if postfix-mta-sts-resolver logged validations and their outcome, at least one line per validation.