Hi, I have now done some more scans for MTA-STS and I thought it might be interesting for the list to learn the results.
A very effective way of finding hosts that support MTA-STS is to scrape the Certificate Transparency logs. (With the exception of hosts that use wildcard certificates.) This gave me 697 hosts with an mta-sts subdomain. Of those, 416 served something that looked like an mta-sts policy file, indicating that a large number (281) are either in the process of deploying MTA-STS and haven't finished yet or have wrongly implemented it, e.g. by using the wrong filename/path.

I found a few syntax issues:

* The most worrying one is that 24 hosts use policies like "mx: .example.org", which was valid in older drafts. I say this is the most worrying because it may actually lead to delivery failures. It'd be good to get them converted quickly before this creates hassle. However, only 4 of them have "mode: enforce" (with "mode: testing" I'm not overly worried).

* 11 hosts use "mode: report", which is also from earlier drafts and should be "mode: testing". However, a number of hosts had already been fixed before I made this scan.

* Some have trailing or leading spaces. It's not entirely clear to me if this is something to be considered an invalid policy.

* I also wonder about line endings. 263 use Unix line endings (LF only), 154 use Windows line endings (CRLF). The RFC reads as if CRLF is correct (section 3.2), which would indicate a large number of bad policies. However, the formal definition in the RFC also lists <LF>. I am not familiar with how to read the formal definition. (It also says something about spaces.)

I'd appreciate it if someone could clarify whether leading/trailing spaces and Unix line breaks should be considered policies that should be fixed or if this is okay.

Some stats about modes:
211 mode: enforce
194 mode: testing
11 mode: report (invalid)
no mode: none found.
-- 
Hanno Böck
https://hboeck.de/
mail/jabber: [email protected]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
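As an added example (my code, not Hanno's scanner and not part of the message above), here is a strict validator for MTA-STS policy files against the ABNF in RFC 8461 section 3.2, which is what the questions about spaces and line endings come down to. The grammar has `sts-policy-term = LF / CRLF`, so both line endings are valid even though the prose of 3.2 speaks of CRLF-separated pairs; `sts-policy-field-delim = ":" *WSP` and the `*WSP` after each field in `sts-policy-record` permit whitespace after the colon and at the end of a line; nothing in the grammar admits whitespace before a key. The two pre-RFC draft spellings from the scan (`mx: .example.org`, `mode: report`) are reported as errors with the RFC 8461 form as a hint. The sample policies are constructed, and the required-field check and the rule that only a `mode: none` policy may omit `mx` are this validator's own choices rather than anything the ABNF states.

```python
"""Strict MTA-STS policy validator against the ABNF of RFC 8461, section 3.2.
Added example for this thread (not the scanner behind the numbers above)."""
import re
from dataclasses import dataclass, field

# Domain per RFC 5321 section 4.1.2: letter/digit/hyphen labels, so no leading dot.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
MX_RE = re.compile(rf"^(?:\*\.)?{_LABEL}(?:\.{_LABEL})*$")  # ["*."] Domain
MAX_AGE_RE = re.compile(r"^[0-9]{1,10}$")                  # 1*10(DIGIT)
MAX_AGE_LIMIT = 31557600                                   # "maximum value of 31557600"
# key ":" *WSP value; the trailing *WSP comes from the sts-policy-record rule.
FIELD_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]{0,31}):[ \t]*(.*?)[ \t]*$")
# sts-policy-ext-value: visible chars (UTF-8 allowed), spaces only in the middle.
EXT_VALUE_RE = re.compile(r"^[^\x00-\x20\x7f](?:[^\x00-\x1f\x7f]*[^\x00-\x20\x7f])?$")
MODES = ("testing", "enforce", "none")  # %s"..." in the ABNF: case-sensitive


@dataclass
class Report:
    errors: list = field(default_factory=list)     # ABNF violations
    warnings: list = field(default_factory=list)   # valid but questionable
    notes: list = field(default_factory=list)      # informational
    fields: dict = field(default_factory=dict)     # first value per key; "mx" is a list
    line_ending: str = "none"

    @property
    def valid(self) -> bool:
        return not self.errors


def validate_policy(text: str) -> Report:
    r = Report()
    # sts-policy-term = LF / CRLF: both terminators are valid, so just report which is used.
    crlf = text.count("\r\n")
    lf = text.count("\n") - crlf
    r.line_ending = "mixed" if crlf and lf else "CRLF" if crlf else "LF" if lf else "none"
    r.notes.append(f"line endings: {r.line_ending} (LF and CRLF are both valid terms)")
    lines = re.split(r"\r\n|\n", text)
    if lines and lines[-1] == "":  # the optional final sts-policy-term
        lines.pop()
    mx = []
    for n, line in enumerate(lines, 1):
        if line == "":
            r.errors.append(f"line {n}: empty line; the ABNF requires a field after every term")
            continue
        if line[0] in " \t":  # no rule in the grammar admits WSP before a key
            r.errors.append(f"line {n}: leading whitespace before the key is not permitted")
            line = line.lstrip(" \t")  # keep going so the rest of the line is still checked
        elif line != line.rstrip(" \t"):
            r.notes.append(f"line {n}: trailing whitespace (permitted by *WSP)")
        m = FIELD_RE.match(line)
        if not m:
            r.errors.append(f"line {n}: not a key/value pair: {line!r}")
            continue
        key, value = m.group(1), m.group(2)
        if key == "mx":  # the only repeatable field
            if value.startswith("."):
                r.errors.append(f"line {n}: 'mx: {value}' is pre-RFC draft syntax; "
                                f"RFC 8461 spells the wildcard 'mx: *{value}'")
            elif not MX_RE.match(value):
                r.errors.append(f"line {n}: mx value {value!r} is not [\"*.\"] Domain")
            else:
                mx.append(value)
            continue
        if key in r.fields:  # RFC 8461: all but the first non-repeated field are ignored
            r.warnings.append(f"line {n}: duplicate '{key}'; all but the first are ignored")
            continue
        if key == "version":
            if value != "STSv1":
                r.errors.append(f"line {n}: version must be 'STSv1', got {value!r}")
        elif key == "mode":
            if value == "report":
                r.errors.append(f"line {n}: 'mode: report' is pre-RFC draft syntax; "
                                "RFC 8461 uses 'mode: testing'")
            elif value not in MODES:
                r.errors.append(f"line {n}: mode must be one of {MODES}, got {value!r}")
        elif key == "max_age":
            if not MAX_AGE_RE.match(value):
                r.errors.append(f"line {n}: max_age must be 1 to 10 digits, got {value!r}")
            elif int(value) > MAX_AGE_LIMIT:
                r.warnings.append(f"line {n}: max_age {value} exceeds the {MAX_AGE_LIMIT} maximum")
        elif EXT_VALUE_RE.match(value):
            r.notes.append(f"line {n}: unknown field '{key}' ignored (sts-policy-extension)")
        else:
            r.errors.append(f"line {n}: malformed value for extension field '{key}'")
        r.fields[key] = value
    r.fields["mx"] = mx
    for required in ("version", "mode", "max_age"):
        if required not in r.fields:
            r.errors.append(f"missing required field '{required}'")
    if not mx and r.fields.get("mode") != "none":  # this validator's choice, not ABNF
        r.errors.append("no valid mx field")
    return r


# Constructed sample policies (not fetched from any real host).
GOOD_CRLF = "version: STSv1\r\nmode: enforce\r\nmx: mail.example.org\r\nmx: *.example.org\r\nmax_age: 604800\r\n"
GOOD_LF_TRAILING_WS = "version: STSv1\nmode: testing  \nmx: mail.example.org\nmax_age: 86400\n"
LEGACY_DRAFT = "version: STSv1\nmode: report\nmx: .example.org\nmax_age: 86400\n"
LEADING_SPACE = "version: STSv1\n mode: enforce\nmx: mail.example.org\nmax_age: 86400\n"
```

Feed it the decoded body of `https://mta-sts.<domain>/.well-known/mta-sts.txt` and look at `Report.errors`; the two draft-era spellings and a leading space come back as errors, while an LF-only file or trailing blanks only produce notes, which is how the ABNF treats them.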
