On Sat, 29 Sep 2018 20:13:20 +0200
"A. Schulze" <[email protected]> wrote:

> I consider implementing MTA-STS on our platform hosting thousand+
> domains. Now I just found the following text:
> 
>    Note that in all such cases, the policy endpoint
>    ("https://mta-sts.user.example/.well-known/mta-sts.txt"; in this
>    example) must still present a certificate valid for the Policy Host
>    ("mta-sts.user.example"), and not for that host at the provider's
>    domain ("mta-sts.provider.example").
> 
> Does that really mean I have to set up thousand+ virtual hosts
> https://mta-sts.domain1...1000.example? Or are there other strategies
> for hosting providers?

This seems to be the one thing that is confusing a lot of people about
MTA-STS. The answer is: yes, you have to; no, there are no other
strategies.

The policy host is the thing that ties your domain name's identity to
your policy. This makes sure you can only serve a policy for
user.example if you control and have a certificate for user.example.
If you could serve a policy for user.example on provider.example, you'd
not have that connection.

There is of course a good solution for this: Automate your virtual host
and certificate creation.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: [email protected]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
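The binding Hanno describes can be checked mechanically. The following Python is an added example, not code from the post or from any MTA-STS implementation: it derives the policy host for a domain, tests whether a certificate's dNSName SANs cover that host (a provider wildcard such as `*.provider.example` does not cover `mta-sts.user.example`, which is exactly why one virtual host and certificate per customer domain is needed), and parses the `mta-sts.txt` policy text. The SAN lists and policy text are constructed sample input.

```python
# Added example, not from the mailing-list post. Checks for an MTA-STS
# policy host (RFC 8461). All sample names and policy text are constructed.
import re


def policy_host(domain: str) -> str:
    """The policy is served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    return "mta-sts." + domain.strip().rstrip(".").lower()


def san_matches(san: str, host: str) -> bool:
    """Does one dNSName SAN entry cover host? A wildcard covers only one leftmost label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]                  # e.g. ".provider.example"
        if host.endswith(suffix):
            label = host[:-len(suffix)]   # what the "*" would have to stand for
            return bool(label) and "." not in label
    return False


def cert_covers_policy_host(san_names, domain: str) -> bool:
    """True if any SAN in the served certificate is valid for mta-sts.<domain>."""
    host = policy_host(domain)
    return any(san_matches(s, host) for s in san_names)


_MODES = {"enforce", "testing", "none"}


def parse_policy(text: str) -> dict:
    """Parse 'key: value' lines of mta-sts.txt; 'mx' may repeat, other keys may not."""
    fields = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            fields["mx"].append(value)
        elif key in fields:
            raise ValueError(f"duplicate field: {key}")
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if fields.get("mode") not in _MODES:
        raise ValueError("mode must be enforce, testing or none")
    if not re.fullmatch(r"\d+", fields.get("max_age", "")):
        raise ValueError("max_age must be an integer number of seconds")
    fields["max_age"] = int(fields["max_age"])
    # Sanity check: an enforce/testing policy with no mx patterns matches no MX host.
    if fields["mode"] != "none" and not fields["mx"]:
        raise ValueError("enforce/testing policies need at least one mx")
    return fields


def check_policy_host(domain: str, san_names, policy_text: str):
    """Combine both checks; returns (ok, reason)."""
    if not cert_covers_policy_host(san_names, domain):
        return False, f"certificate does not cover {policy_host(domain)}"
    try:
        parse_policy(policy_text)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample data: a provider-wide wildcard certificate versus a
# per-customer certificate, and a policy as a hosting provider would publish it.
PROVIDER_WILDCARD = ["provider.example", "*.provider.example"]
PER_DOMAIN_CERT = ["mta-sts.user.example"]
SAMPLE_POLICY = (
    "version: STSv1\r\nmode: enforce\r\n"
    "mx: mail.provider.example\r\nmx: *.provider.example\r\nmax_age: 604800\r\n"
)

if __name__ == "__main__":
    print(check_policy_host("user.example", PROVIDER_WILDCARD, SAMPLE_POLICY))
    print(check_policy_host("user.example", PER_DOMAIN_CERT, SAMPLE_POLICY))
```

Run as-is, the first call reports that the provider's wildcard certificate does not cover `mta-sts.user.example`, while the second passes; a hosting provider automating virtual host and certificate issuance can run `check_policy_host` against each customer domain after provisioning to confirm the policy host is served under the right name.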