Anybody using MTA-STS in production?
I just gave it a go using mta-sts-resolver 1.4.0 and sendmail:
| Version 8.17.2
| Compiled with: DANE DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
| MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB=5.3
| PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS TLS_VRFY_PER_CTX
| USERDB XDEBUG
sendmail is compiled with _FFR_MTA_STS and FEATURE(`sts') has been added.
According to tcpdump I can see that sendmail is successfully talking to
the mta-sts-resolver via port 5461 and the resolver seems to give a
positive answer back to sendmail, but according to sendmail logs it doesn't seem to like to talk to the designated MX.
Log:
| Nov 3 10:34:09 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:09 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt1.aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:10 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt2.aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:12 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt4.aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:13 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt3.aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:13 frontend3 sendmail[1199706]: 3A39STIU1196890: to=<XXXXX@derago.com>, delay=00:05:44, xdelay=00:00:04, mailer=esmtp, pri=321206, relay=alt3.aspmx.l.google.com. [IPv6:2a00:1450:4010:c1c:0:0:0:1a], dsn=4.7.0, stat=Deferred: 403 4.7.0 authentication failed
tcpdump on port 5461 and using "strings" to get something readable:
{...}
| 14:sts derago.com,
| 4TI@
| 150:OK secure match=alt4.aspmx.l.google.com:alt1.aspmx.l.google.com:aspmx.l.google.com:alt2.aspmx.l.google.com:alt3.aspmx.l.google.com servername=hostname,
| 14:sts derago.com,
A manual mta-sts query seems to match the MX:
| # mta-sts-query derago.com
| (<STSFetchResult.VALID: 1>, ('20201030143700', {'mx': ['alt1.aspmx.l.google.com', 'alt3.aspmx.l.google.com', 'alt4.aspmx.l.google.com', 'alt2.aspmx.l.google.com', 'aspmx.l.google.com'], 'version': 'STSv1', 'mode': 'enforce', 'max_age': 604800}))
Anybody using MTA-STS successfully and maybe got a hint for me?
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
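As an added example (not code from the post, from sendmail or from mta-sts-resolver), the following decodes the socketmap netstring exchange visible in the tcpdump capture above and checks which relay hosts the resolver's "OK secure match=..." reply actually authorises. It assumes the reply format exactly as captured (status, mode, a colon-separated "match=" list and "servername="); the wildcard handling in `mx_matches` goes beyond the capture and follows the one-label "*.example.com" rule from RFC 8461. The constructed request and reply are rebuilt from the strings in the capture, so the netstring length prefixes (14 and 150) can be compared with what tcpdump showed. This separates the question "does the MTA-STS policy match these MXs?" (it does, for every relay named in the log) from whatever the tls_server ruleset rejected.

```python
# Added example, not from the original post, sendmail or mta-sts-resolver.
# Decode the sendmail <-> mta-sts-resolver socketmap exchange (netstrings)
# and check the relays from the log against the resolver's MX match list.

def netstring_encode(payload: str) -> bytes:
    """Encode a string as a netstring: <len>:<bytes>,"""
    data = payload.encode()
    return b"%d:%s," % (len(data), data)


def netstring_decode(buf: bytes):
    """Decode one netstring from buf; return (payload, remaining_bytes)."""
    length_str, sep, rest = buf.partition(b":")
    if not sep or not length_str.isdigit():
        raise ValueError("malformed netstring length")
    n = int(length_str)
    if len(rest) < n + 1 or rest[n:n + 1] != b",":
        raise ValueError("truncated or unterminated netstring")
    return rest[:n].decode(), rest[n + 1:]


def parse_sts_reply(reply: str) -> dict:
    """Parse 'OK secure match=a:b:c servername=hostname' (format as captured)."""
    status, _, rest = reply.partition(" ")
    result = {"status": status, "mode": None, "mx": [], "servername": None}
    if status != "OK":
        return result  # e.g. NOTFOUND / TEMP / PERM: no policy to apply
    fields = rest.split()
    result["mode"] = fields[0] if fields else None
    for field in fields[1:]:
        key, _, value = field.partition("=")
        if key == "match":
            result["mx"] = [m for m in value.split(":") if m]
        elif key == "servername":
            result["servername"] = value
    return result


def mx_matches(relay: str, patterns) -> bool:
    """RFC 8461 MX matching: exact match, or '*.example.com' matching one label."""
    relay = relay.rstrip(".").lower()  # sendmail logs relays with a trailing dot
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            if relay.endswith(suffix) and "." not in relay[:-len(suffix)]:
                return True
        elif relay == pattern:
            return True
    return False


def authorised_relays(reply_bytes: bytes, relays) -> dict:
    """Map each relay hostname to whether the resolver reply authorises it."""
    reply, _ = netstring_decode(reply_bytes)
    policy = parse_sts_reply(reply)
    return {relay: mx_matches(relay, policy["mx"]) for relay in relays}


# Constructed from the strings seen in the tcpdump capture in the post.
CAPTURED_REQUEST = netstring_encode("sts derago.com")
CAPTURED_REPLY = netstring_encode(
    "OK secure match="
    + ":".join([
        "alt4.aspmx.l.google.com", "alt1.aspmx.l.google.com",
        "aspmx.l.google.com", "alt2.aspmx.l.google.com",
        "alt3.aspmx.l.google.com",
    ])
    + " servername=hostname"
)

# Relay names as they appear in the sendmail log lines in the post.
LOGGED_RELAYS = [
    "aspmx.l.google.com", "alt1.aspmx.l.google.com", "alt2.aspmx.l.google.com",
    "alt4.aspmx.l.google.com", "alt3.aspmx.l.google.com.",
]

if __name__ == "__main__":
    print("request :", CAPTURED_REQUEST)
    print("reply   :", CAPTURED_REPLY[:40] + b"...")
    for relay, ok in authorised_relays(CAPTURED_REPLY, LOGGED_RELAYS).items():
        print(f"{relay:30} {'policy match' if ok else 'NOT in policy'}")
```

Run it as-is to see every relay from the log reported as a policy match; swap in a different reply or relay list to test a policy of your own. The same decoder can be pointed at a saved capture of port 5461 once the payload bytes are extracted.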