
MTA-STS in production


Andreas S. Kerber

Nov 3, 2023, 8:41:49 AM
Anybody using MTA-STS in production?

I just gave it a go using mta-sts-resolver 1.4.0 and sendmail:

| Version 8.17.2
| Compiled with: DANE DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
| MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB=5.3
| PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS TLS_VRFY_PER_CTX
| USERDB XDEBUG

sendmail is compiled with _FFR_MTA_STS and FEATURE(`sts') has been added.

According to tcpdump I can see that sendmail is successfully talking to
the mta-sts-resolver via port 5461 and the resolver seems to give a
positive answer back to sendmail, but according to sendmail logs it doesn't
seem to like to talk to the designated MX.

Log:
| Nov 3 10:34:09 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:09 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt1.aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:10 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt2.aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:12 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt4.aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:13 frontend3 sendmail[1199706]: ruleset=tls_server, arg1=FAIL, relay=alt3.aspmx.l.google.com, reject=403 4.7.0 authentication failed
| Nov 3 10:34:13 frontend3 sendmail[1199706]: 3A39STIU1196890: to=<XX...@derago.com>, delay=00:05:44, xdelay=00:00:04, mailer=esmtp, pri=321206, relay=alt3.aspmx.l.google.com. [IPv6:2a00:1450:4010:c1c:0:0:0:1a], dsn=4.7.0, stat=Deferred: 403 4.7.0 authentication failed


tcpdump on port 5461 and using "strings" to get something readable:
{...}
| 14:sts derago.com,
| 4TI@
| 150:OK secure match=alt4.aspmx.l.google.com:alt1.aspmx.l.google.com:aspmx.l.google.com:alt2.aspmx.l.google.com:alt3.aspmx.l.google.com servername=hostname,
| 14:sts derago.com,


A manual mta-sts query seems to match the MX:

| # mta-sts-query derago.com
| (<STSFetchResult.VALID: 1>, ('20201030143700', {'mx': ['alt1.aspmx.l.google.com', 'alt3.aspmx.l.google.com', 'alt4.aspmx.l.google.com', 'alt2.aspmx.l.google.com', 'aspmx.l.google.com'], 'version': 'STSv1', 'mode': 'enforce', 'max_age': 604800}))

Anybody using MTA-STS successfully and maybe got a hint for me?
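For anyone reading this who wants to see what the resolver is actually deciding on: the check behind that "OK secure match=..." answer is (1) parse the MTA-STS policy, (2) compare each MX hostname from DNS against the policy's mx patterns, and (3) in enforce mode refuse delivery if the MX is not matched or the server certificate does not verify. The block below is an added example, not code from the thread and not mta-sts-resolver's or sendmail's own code. The policy text is constructed from the mx list that mta-sts-query printed above; the function names, the `tls_verified` flag and the `mail.example.com` hosts used for the wildcard case are assumptions for illustration.

```python
"""Parse an MTA-STS (RFC 8461) policy and decide whether an MX may be used.

Added example; not code from the thread, mta-sts-resolver or sendmail.
"""

# Constructed policy text, mirroring the mx list mta-sts-query returned
# for derago.com in the post above (the hostnames are the page's own).
POLICY_TEXT = """version: STSv1
mode: enforce
mx: alt1.aspmx.l.google.com
mx: alt3.aspmx.l.google.com
mx: alt4.aspmx.l.google.com
mx: alt2.aspmx.l.google.com
mx: aspmx.l.google.com
max_age: 604800
"""


def parse_policy(text):
    """Turn the 'key: value' policy body into a dict like mta-sts-query shows."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key == "max_age":
            policy["max_age"] = int(value)
        elif key in ("version", "mode"):
            policy[key] = value
        # Unknown keys are ignored so future extensions do not break parsing.
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing mode")
    if "max_age" not in policy:
        raise ValueError("missing max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("mode requires at least one mx entry")
    return policy


def mx_matches(mx_host, pattern):
    """RFC 8461 matching: exact host, or '*.' wildcard for exactly one left label."""
    host = mx_host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.com"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]  # only one label may replace '*'
    return host == pattern


def check_delivery(policy, mx_host, tls_verified):
    """Return (deliver, reason) for one candidate MX.

    tls_verified is what the MTA learned from the STARTTLS handshake; the
    'ruleset=tls_server, arg1=FAIL ... authentication failed' lines in the
    post correspond to tls_verified=False even though the MX list matched.
    """
    if policy["mode"] == "none":
        return True, "mode none: no MTA-STS constraint"
    matched = any(mx_matches(mx_host, p) for p in policy["mx"])
    if matched and tls_verified:
        return True, "MX matches policy and certificate verified"
    problem = "MX not in policy" if not matched else "certificate verification failed"
    if policy["mode"] == "enforce":
        return False, f"defer: {problem}"
    return True, f"deliver (testing mode), report: {problem}"


if __name__ == "__main__":
    pol = parse_policy(POLICY_TEXT)
    for host, ok in [("alt3.aspmx.l.google.com.", True),
                     ("alt3.aspmx.l.google.com.", False),
                     ("mx.example.com.", True)]:
        print(host, ok, check_delivery(pol, host, ok))
```

The second case in the usage block is the situation from the post: the MX list is fine, but the TLS verification fails, so enforce mode defers with a 4.x.x rather than falling back to unverified delivery. That is the intended behaviour; the fix belongs on the sending side (trust store, here the CACertFile), not in relaxing the policy.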


Andreas S. Kerber

Nov 3, 2023, 11:18:12 AM
Never mind. I used a wrong "CACertFile". Verification and delivery with
MTA-STS work fine now.

Nov 3 16:14:42 frontend3 sendmail[1336470]: STARTTLS=client, relay=aspmx.l.google.com., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
