Not to flame but...why bother?
At this point TLSA/DANE is enforced on mail coming from a number of the Big Players, and most open
source mail stacks by default (well, some you have to opt in to indicate your DNSSEC resolver is
behaving correctly).
AFAIK, the *only* shop that enforces the rube-goldberg machine that is MTA-STS that doesn't also
enforce TLSA/DANE is Google. And skipping it avoids the pain of setting up a number of steps and,
for some reason, introducing an HTTP server into your mail-receiving stack?!
Matt
On 4/26/22 12:31 PM, Jesse Hathaway via mailop wrote:
Hello mailopers,
I am trying to set up MTA-STS for my domain. I thought I had everything configured correctly, in testing mode, but I never receive any reports via TLSRPT. If anyone has any advice on how to troubleshoot, that would be greatly appreciated.
Yours kindly,
Jesse Hathaway
My current config
$ dig +short txt _mta-sts.mbuki-mvuki.org
"v=STSv1; id=20220404T193755Z;"
$ curl https://mta-sts.mbuki-mvuki.org/.well-known/mta-sts.txt
version: STSv1
mode: testing
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
max_age: 86400
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
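As an added example (not part of the thread and not anyone's production tooling), the script below runs the offline checks a troubleshooter would want before blaming senders: it parses the `_mta-sts` TXT record and the policy file exactly as shown in the question, validates them against the syntax rules of RFC 8461 (version, mode, `max_age` range, the one-label meaning of a `*.` mx pattern), and checks a `_smtp._tls` TLSRPT record. TLSRPT reports are only sent to the `rua=` destination advertised in that `_smtp._tls.<domain>` TXT record (RFC 8460), and the thread shows no such record, so the `TLSRPT_TXT` value here is a constructed, hypothetical one; the MX hostnames passed to `audit()` are likewise constructed. Nothing is fetched from DNS or HTTPS; every input is an inline string.

```python
"""Offline sanity checks for an MTA-STS + TLSRPT deployment (added example)."""
import re

# Constructed inputs: the TXT record and policy as shown in the thread, plus a
# hypothetical TLSRPT record (the thread does not show one).
STS_TXT = "v=STSv1; id=20220404T193755Z;"
POLICY_TEXT = """version: STSv1
mode: testing
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
max_age: 86400
"""
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.org"  # hypothetical


def parse_kv_txt(txt):
    """Parse a 'k=v; k=v;' DNS TXT record (shape used by _mta-sts and _smtp._tls)."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def check_sts_txt(txt):
    """RFC 8461 section 3.1: v=STSv1 and an id of 1-32 alphanumeric characters."""
    fields = parse_kv_txt(txt)
    problems = []
    if fields.get("v") != "STSv1":
        problems.append("_mta-sts TXT must start with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        problems.append("id= must be 1-32 alphanumeric characters")
    return problems


def parse_policy(text):
    """Parse the 'key: value' policy file; mx: may repeat, so it becomes a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def check_policy(policy):
    """RFC 8461 section 3.2 constraints on the policy file."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("policy version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    if policy.get("mode") != "none" and not policy["mx"]:
        problems.append("at least one mx: line is required")
    try:
        max_age = int(policy.get("max_age", ""))
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    else:
        if not 0 <= max_age <= 31557600:
            problems.append("max_age must be between 0 and 31557600")
    return problems


def mx_matches(pattern, hostname):
    """RFC 8461 section 4.1: a leading '*.' matches exactly one label, no more."""
    pattern = pattern.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".aspmx.l.google.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return pattern == host


def check_tlsrpt_txt(txt):
    """RFC 8460: v=TLSRPTv1 plus at least one mailto: or https: rua destination."""
    fields = parse_kv_txt(txt)
    problems = []
    if fields.get("v") != "TLSRPTv1":
        problems.append("_smtp._tls TXT must start with v=TLSRPTv1")
    destinations = [d.strip() for d in fields.get("rua", "").split(",") if d.strip()]
    if not destinations:
        problems.append("rua= is missing: senders have no address to deliver reports to")
    for dest in destinations:
        if not dest.startswith(("mailto:", "https://")):
            problems.append(f"unsupported rua destination {dest!r}")
    return problems


def audit(sts_txt, policy_text, tlsrpt_txt, mx_hosts):
    """Return every problem found; an empty list means the pieces agree."""
    policy = parse_policy(policy_text)
    problems = check_sts_txt(sts_txt) + check_policy(policy) + check_tlsrpt_txt(tlsrpt_txt)
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            problems.append(f"MX {host} is not covered by any mx: pattern")
    return problems


if __name__ == "__main__":
    # Constructed MX hostnames standing in for the domain's real MX records.
    for problem in audit(STS_TXT, POLICY_TEXT, TLSRPT_TXT,
                         ["aspmx.l.google.com", "alt1.aspmx.l.google.com"]):
        print("PROBLEM:", problem)
```

In practice you would feed `audit()` the live outputs of `dig +short txt _mta-sts.<domain>`, the fetched `mta-sts.txt`, `dig +short txt _smtp._tls.<domain>` and `dig +short mx <domain>`; a missing or malformed `_smtp._tls` record is the most common reason a policy that validates cleanly still produces no reports.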