We're certifying ONC 170.315(h)(1) as a self-hosted receiving HISP. Inbound Direct messages are received, decrypted, and ingested correctly, and we return RFC 3798 MDNs. The MDNs are properly wrapped (message/rfc822), S/MIME signed, and encrypted to ETT's certificate, sent back to the message's mail-from, with Original-Message-ID matching the inbound message exactly. ETT receives them (external delivery confirmed), but the messages stay WAITING and never flip to MDN-Received - which points to ETT being unable to verify our signature because our trust anchor is not loaded on the ETT side.
Direct address:
dir...@vallum.spheretechnology.comExample: inbound message <546911423.314.1781901289976@localhost> from
ccd...@ett.healthit.gov - we returned Processed + Dispatched MDNs that are not registering.
Our certificate (attached, PEM): self-signed CA, RSA-2048, SHA-256, with SKI and AKI present (SKI 6B:2F:F1:F4:B3:67:53:6E:A2:8B:DA:25:20:B9:86:C2:2B:AE:70:91), email SAN
dir...@vallum.spheretechnology.com, valid to 2027-07-21. It is also published as a DNS CERT record at
direct.vallum.spheretechnology.com (address-bound) and
vallum.spheretechnology.com (domain-bound).
Could you please (1) load our trust anchor on the ETT side, and (2) check your logs for the reason our MDNs are not being accepted? Happy to provide anything else you need.
Thank you.