MTA-STS in production

    From Andreas S. Kerber@21:1/5 to All on Fri Nov 3 12:41:46 2023
    Anybody using MTA-STS in production?

    I just gave it a go using mta-sts-resolver 1.4.0 and sendmail:

    | Version 8.17.2
    | Compiled with: DANE DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
    | MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB=5.3
    | PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS TLS_VRFY_PER_CTX
    | USERDB XDEBUG

    sendmail is compiled with _FFR_MTA_STS and FEATURE(`sts') has been added.

    According to tcpdump I can see that sendmail is successfully talking to
    the mta-sts-resolver via port 5461 and the resolver seems to give a
    positive answer back to sendmail, but according to sendmail logs it doesn't seem to like to talk to the designated MX.

    Log:
    | Nov 3 10:34:09 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=aspmx.l.google.com, reject=403 4.7.0 authentication failed
    | Nov 3 10:34:09 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt1.aspmx.l.google.com, reject=403 4.7.0 authentication failed
    | Nov 3 10:34:10 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt2.aspmx.l.google.com, reject=403 4.7.0 authentication failed
    | Nov 3 10:34:12 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt4.aspmx.l.google.com, reject=403 4.7.0 authentication failed
    | Nov 3 10:34:13 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt3.aspmx.l.google.com, reject=403 4.7.0 authentication failed
    | Nov 3 10:34:13 frontend3 sendmail[1199706]: 3A39STIU1196890: to=<XXXXX@derago.com>, delay=00:05:44, xdelay=00:00:04, mailer=esmtp, pri=321206, relay=alt3.aspmx.l.google.com. [IPv6:2a00:1450:4010:c1c:0:0:0:1a], dsn=4.7.0, stat=Deferred: 403 4.7.0 authentication failed


    tcpdump on port 5461 and using "strings" to get something readable:
    {...}
    | 14:sts derago.com,
    | 4TI@
    | 150:OK secure match=alt4.aspmx.l.google.com:alt1.aspmx.l.google.com:aspmx.l.google.com:alt2.aspmx.l.google.com:alt3.aspmx.l.google.com servername=hostname,
    | 14:sts derago.com,


    A manual mta-sts query seems to match the MX:

    | # mta-sts-query derago.com
    | (<STSFetchResult.VALID: 1>, ('20201030143700', {'mx': ['alt1.aspmx.l.google.com', 'alt3.aspmx.l.google.com', 'alt4.aspmx.l.google.com', 'alt2.aspmx.l.google.com', 'aspmx.l.google.com'], 'version': 'STSv1', 'mode': 'enforce', 'max_age': 604800}))

    Anybody using MTA-STS successfully and maybe got a hint for me?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
    From Andreas S. Kerber@21:1/5 to All on Fri Nov 3 15:18:09 2023
    Never mind. I used a wrong "CACertFile". Verification and delivery with
    MTA-STS works fine now.

    Nov 3 16:14:42 frontend3 sendmail[1336470]: STARTTLS=client, relay=aspmx.l.google.com., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256

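The socketmap exchange captured in the first post, worked through as an added example (not code from the thread or from the mta-sts-resolver project): the request and reply netstrings are taken verbatim from the tcpdump output above, the reply is parsed as the Postfix-style "secure match=" policy the resolver returns, and a relay name as sendmail logs it is checked against the MX list. The leading-dot subdomain form in relay_allowed is Postfix match syntax and is an assumption here, since the captured policy contains only exact hostnames.

```python
# Request/reply netstrings as seen in the tcpdump output of the first post.
# Added example; not code from the thread or from mta-sts-resolver.
REQUEST = b"14:sts derago.com,"
RESPONSE = (b"150:OK secure match=alt4.aspmx.l.google.com:alt1.aspmx.l.google.com:"
            b"aspmx.l.google.com:alt2.aspmx.l.google.com:alt3.aspmx.l.google.com "
            b"servername=hostname,")

def encode_netstring(payload: bytes) -> bytes:
    """Socketmap frames are netstrings: <decimal length>:<bytes>,"""
    return b"%d:%s," % (len(payload), payload)

def decode_netstring(frame: bytes) -> bytes:
    """Inverse of encode_netstring; rejects length/terminator mismatches."""
    length, sep, rest = frame.partition(b":")
    if not sep or not length.isdigit():
        raise ValueError("netstring: missing or non-numeric length")
    n = int(length)
    if len(rest) != n + 1 or rest[n:] != b",":
        raise ValueError("netstring: length does not match terminator")
    return rest[:n]

def sts_request(domain: str) -> bytes:
    # Map name 'sts' (as configured by FEATURE(`sts')), a space, then the domain.
    return encode_netstring(b"sts " + domain.encode("ascii"))

def parse_policy(reply: bytes) -> dict:
    """Parse 'OK <level> match=a:b:c servername=hostname' into a dict."""
    status, _, body = reply.decode("ascii").partition(" ")
    fields = body.split()
    policy = {"status": status, "level": None, "match": []}
    if status != "OK" or not fields:   # NOTFOUND / TEMP / PERM: no usable policy
        return policy
    policy["level"] = fields[0]
    for key, _, value in (kv.partition("=") for kv in fields[1:]):
        policy[key] = value.split(":") if key == "match" else value
    return policy

def relay_allowed(policy: dict, relay: str) -> bool:
    """MX-name check only; certificate verification is a separate step in the MTA,
    which is why the resolver can answer OK while sendmail still defers with 4.7.0."""
    if policy["level"] != "secure":
        return False
    host = relay.lower().rstrip(".")   # sendmail logs the relay with a trailing dot
    for pattern in (p.lower() for p in policy["match"]):
        if pattern.startswith("."):    # assumed Postfix match syntax: subdomain of pattern
            if host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False
```

A positive "OK secure match=" answer means only that the policy lookup and MX-name match succeeded; the "403 4.7.0 authentication failed" in the log came from the chain verification step that the wrong CACertFile broke.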