ietf-smtp

Re: [ietf-smtp] Validating MTA-STS setup, by writing to improperly configured MTA-STS sites

2022-01-14 02:52:26
Even easier, you could just set up a domain/subdomain (say, "test.yourdomain.com") with a valid MX but an MTA-STS policy that lists the wrong MX names.

E.g. you could add:

an MX record of aspmx.l.google.com
a TXT record of _mta-sts = "v=STSv1; id=whatever;"

and at https://mta-sts.[yourdomain]/.well-known/mta-sts.txt you would serve

version: STSv1
mode: enforce
mx: comcast.net
max_age: 86400

No need to mess about with the MTA at all if you just want to ensure that
name mismatches are caught/enforced. :)

I do think it would be worthwhile to have multiple subdomains with
different failure modes for more complete testing, but if you just want to
see if at least some validation is happening, the above is the easiest way
to check, I think.


Dan

On Mon, Jan 10, 2022 at 8:52 PM Brotman, Alex <Alex_Brotman=40comcast.com@dmarc.ietf.org> wrote:

Could you simulate this by having your outbound not attempt STARTTLS
(perhaps just to a specific host)? If your MTA code understands the
difference between not-offered and not-attempted, that wouldn't work.  Just
a thought.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

-----Original Message-----
From: ietf-smtp <ietf-smtp-bounces@ietf.org> On Behalf Of Дилян ????????
Sent: Monday, January 10, 2022 11:53 AM
To: ietf-smtp@ietf.org
Subject: [ietf-smtp] Validating MTA-STS setup, by writing to improperly configured MTA-STS sites

Hello,

I want to validate that outgoing MTA-STS does work correctly. I want to
send an email to a site which has broken MTA-STS, and see what happens.

Can somebody name a sample site which (on purpose, for testing purposes, or
unintentionally for the moment) announces MTA-STS, but does not offer
STARTTLS?

I found only https://mtasts.xyz/ trying to perform outbound tests,
but its MTA-STS setup is too broken - the certificates are outdated and the
HTTP policy is thus ignored.

Greetings
  Дилян

_______________________________________________
ietf-smtp mailing list
ietf-smtp@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp



-- 
How's my emailing? http://go/dan-email-slo
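Dan's trick works because a policy-aware sender compares each MX host name of the recipient domain against the "mx" patterns in the fetched policy before it trusts the connection. The script below is an added example (not code from this thread, and not any MTA's implementation) that performs that comparison offline in the way RFC 8461 describes it: it parses the _mta-sts TXT record and the policy body from Dan's message, matches MX names against the policy (including the "*." wildcard, which matches exactly one label), and reports what an enforcing sender would do. The inputs are constructed: the policy text is the one Dan posted, the MX list is assumed to be the single host aspmx.l.google.com he suggested, and no DNS, HTTPS or SMTP is actually performed, so the STARTTLS/certificate side of MTA-STS is not modelled here.

```python
"""Offline MTA-STS policy/MX check after RFC 8461 (added example, not the thread's code)."""
from typing import Dict, List, Optional, Tuple

# Constructed inputs: the TXT record and policy body from Dan's message, plus a
# single MX host assumed for the test domain (no DNS or HTTPS lookups are made).
SAMPLE_TXT = "v=STSv1; id=whatever;"
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: comcast.net\nmax_age: 86400\n"
SAMPLE_MX_HOSTS = ["aspmx.l.google.com"]

VALID_MODES = ("enforce", "testing", "none")


def parse_sts_txt(txt: str) -> Optional[Dict[str, str]]:
    """Parse a _mta-sts TXT record such as "v=STSv1; id=whatever;".

    Returns the field map, or None when the record is not an STSv1 record
    carrying an id (a sender then behaves as if no policy were published)."""
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields


def parse_policy(text: str) -> Optional[dict]:
    """Parse the mta-sts.txt body into {version, mode, mx: [...], max_age}.

    Unknown keys are skipped so newer policies still parse; a malformed or
    incomplete policy yields None, which a sender treats as no usable policy."""
    policy: dict = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            return None
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif key in ("version", "mode"):
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in VALID_MODES:
        return None
    if "max_age" not in policy:
        return None
    if policy["mode"] != "none" and not policy["mx"]:  # mx only optional for mode none
        return None
    return policy


def mx_matches(mx_host: str, pattern: str) -> bool:
    """True if an MX host name matches one policy mx pattern.

    Case-insensitive, trailing dot ignored. A leading "*." wildcard matches
    exactly one extra label: "*.l.google.com" matches "aspmx.l.google.com"
    but neither "l.google.com" nor "alt1.aspmx.l.google.com"."""
    host = mx_host.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if pat.startswith("*."):
        suffix = pat[1:]  # e.g. ".l.google.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return host == pat


def evaluate_delivery(policy: dict, mx_hosts: List[str]) -> Tuple[Dict[str, bool], str]:
    """Decide what a policy-aware sender does with the recipient's MX set.

    Returns ({mx_host: matches_policy}, decision): "deliver" when some MX is
    permitted or mode is none; "deliver-and-report" in testing mode when none
    matches; "defer" in enforce mode when none matches (RFC 8461 section 5:
    the sender must not deliver over a non-conforming path and retries later)."""
    verdicts = {h: any(mx_matches(h, p) for p in policy["mx"]) for h in mx_hosts}
    if policy["mode"] == "none" or any(verdicts.values()):
        return verdicts, "deliver"
    if policy["mode"] == "testing":
        return verdicts, "deliver-and-report"
    return verdicts, "defer"


def check_test_domain(txt: str, policy_text: str, mx_hosts: List[str]) -> str:
    """Whole chain: TXT record -> policy -> MX comparison -> decision.
    "no-policy" means the sender falls back to plain opportunistic TLS."""
    if parse_sts_txt(txt) is None:
        return "no-policy"
    policy = parse_policy(policy_text)
    if policy is None:
        return "no-policy"
    return evaluate_delivery(policy, mx_hosts)[1]


if __name__ == "__main__":
    # Dan's deliberately mismatched test domain: an enforcing sender defers.
    print(check_test_domain(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX_HOSTS))
```

Running it against Dan's setup yields "defer": the policy only permits comcast.net, so an MTA that validates MX names will not hand mail to aspmx.l.google.com while the policy is in enforce mode. Switching the constructed policy to mode testing gives "deliver-and-report", which is the other failure mode worth a separate subdomain if you want to see your TLSRPT path exercised rather than a queued message.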