Alexey Melnikov wrote:
... one of the references for DANE -- RFC 6125 -- seems to be exactly
what I was looking for. Unfortunately, it very deliberately codifies
the language from RFC 2818 for wildcards, with the established
practice for SMTP being a SHOULD NOT.
Backward compatibility might be a sufficient reason to violate the
SHOULD NOT.
I don't think it's that easy. The issue is with Email virtual hosting
implementations that embed the virtual domain name (or any token with
dots in it) in the MX record. For example, if you look up the MX record
for gutekunst.org, you'll see:
gutekunst.org. 86382 IN MX 100 gutekunst.org.s8a1.psmtp.com.
gutekunst.org. 86382 IN MX 200 gutekunst.org.s8a2.psmtp.com.
gutekunst.org. 86382 IN MX 300 gutekunst.org.s8b1.psmtp.com.
gutekunst.org. 86382 IN MX 400 gutekunst.org.s8b2.psmtp.com.
Postini's SSL certificate reads:
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.psmtp.com
I'm sure they aren't the only ESP that does this; MXLogic for sure,
probably CheckFree, possibly FrontBridge.
<csg>
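The point of the message above is that the RFC 6125 (section 6.4.3) wildcard rule lets "*" stand for exactly one left-most label, so a CN of *.psmtp.com covers s8a1.psmtp.com but not gutekunst.org.s8a1.psmtp.com. The following is an added worked example, not code from anyone in this thread: a conservative RFC 6125 style matcher (wildcard accepted only as the entire left-most label, partial-label wildcards such as baz*.example.net rejected) run against the MX hostnames quoted from the dig output. The MX_HOSTS list is copied from the message; everything else is constructed for illustration.

```python
"""RFC 6125 section 6.4.3 style wildcard matching (added example)."""
from typing import Dict, List

# Presented identifier from the Postini certificate quoted in the message.
CERT_CN = "*.psmtp.com"

# Reference identifiers: the MX targets from the quoted dig output.
MX_HOSTS = [
    "gutekunst.org.s8a1.psmtp.com.",
    "gutekunst.org.s8a2.psmtp.com.",
    "gutekunst.org.s8b1.psmtp.com.",
    "gutekunst.org.s8b2.psmtp.com.",
]


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-case labels, dropping one trailing dot."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def wildcard_matches(presented: str, reference: str) -> bool:
    """Return True if the certificate's presented identifier matches the
    reference identifier (the host the client intended to reach).

    Conservative reading of RFC 6125 section 6.4.3:
      * a wildcard may only be the whole left-most label;
      * it matches exactly one label, never zero or several;
      * at least two fixed labels must follow it (refuses '*.com');
      * comparison is case-insensitive.
    """
    if "*" in reference:
        return False  # a reference identifier never carries a wildcard
    p_labels = _labels(presented)
    r_labels = _labels(reference)
    if "" in p_labels or "" in r_labels:
        return False  # empty label: malformed name
    if "*" not in presented:
        return p_labels == r_labels  # plain exact match
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard elsewhere, or partial-label wildcard
    if len(p_labels) < 3:
        return False  # '*.com' would cover a whole TLD
    if len(p_labels) != len(r_labels):
        return False  # '*' consumes exactly one label
    return p_labels[1:] == r_labels[1:]


def check_mx_hosts(cert_cn: str, hosts: List[str]) -> Dict[str, bool]:
    """Map each MX target to whether cert_cn would be accepted for it."""
    return {host: wildcard_matches(cert_cn, host) for host in hosts}


if __name__ == "__main__":
    for host, ok in check_mx_hosts(CERT_CN, MX_HOSTS).items():
        print(f"{CERT_CN} vs {host}: {'match' if ok else 'NO match'}")
    print(f"{CERT_CN} vs s8a1.psmtp.com: {wildcard_matches(CERT_CN, 's8a1.psmtp.com')}")
```

Run stand-alone, every quoted MX target reports NO match while s8a1.psmtp.com matches, which is exactly the break the message describes: the virtual-domain labels embedded left of the provider's name push the host one or more labels deeper than a single-label wildcard can reach.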