Hi Hanno,
Thank you for sending your scan results!
On 30/09/2018 19:11, Hanno Böck wrote:
Hi,
I have now done some more scans for MTA-STS and I thought it might be
interesting for the list to learn the results.
A very effective way of finding hosts that support mta-sts is to scrape
the Certificate Transparency logs. (With the exception of hosts that
use wildcard certificates.)
This gave me 697 hosts with an mta-sts subdomain. Of those, 416 served
something that looked like an mta-sts policy file, indicating that a
large number (281) are either in the process of deploying MTA-STS and
haven't finished yet or have wrongly implemented it, e.g. by using the
wrong filename/path.
I found a few syntax issues:
* The most worrying one is that 24 hosts use policies like
"mx: .example.org" which was valid in older drafts. I say this is the
most worrying, because it may actually lead to delivery failures.
It'd be good to get them converted quickly before this creates
hassle. However only 4 of them have "mode: enforce" (with "mode:
testing" I'm not overly worried).
* 11 hosts use "mode: report", which is also from earlier drafts and
should be "mode: testing". However a number of hosts have already been
fixed before I made this scan.
* Some have trailing or leading spaces. It's not entirely clear to me
if this is something to be considered an invalid policy.
Trailing spaces are allowed and ignored. Leading spaces are not allowed.
This is basically the same as for email header fields.
* I also wonder about line endings. 263 use Unix line endings (LF
only), 154 use Windows line endings (CRLF). The RFC reads like CRLF
is correct (3.2), which would indicate a large number of bad policies.
However the formal definition in the RFC also lists <LF>. I am not
familiar with how to read the formal definition. (It also says
something about spaces.)
As Viktor already replied, both LF and CRLF are allowed.
Best Regards,
Alexey
I'd appreciate it if someone could clarify whether leading/trailing spaces
and Unix line breaks should be considered policies that should be
fixed or if this is okay.
Some stats about modes:
211 mode: enforce
194 mode: testing
11 mode: report (invalid)
no mode: none found.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
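As an added example (my own code, not something posted by Hanno, Alexey or Viktor), here is a small validator for MTA-STS policy files that applies the grammar points from RFC 8461 section 3.2 that the thread discusses: LF and CRLF are both valid line terminators, trailing whitespace after a value is allowed, leading whitespace before a field name is not, and "mode: report" and "mx: .example.org" are draft-era syntax that a current verifier rejects. The hostname regex is a simplified stand-in for the RFC's "Domain", the "no mx in enforce/testing" check is my own conservative interpretation, and the sample policies are constructed for illustration; a `mode_stats` helper tallies modes across a list of fetched policies the way the stats at the end of the message do.

```python
"""Validator for MTA-STS policy files (RFC 8461, section 3.2).

Added example for the thread above; not code from any poster.
"""
import re

# sts-policy-term = LF / CRLF, so both Unix and Windows line endings are valid.
LINE_TERM = re.compile(r"\r?\n")
# sts-policy-ext-name, then ":" *WSP (field delimiter), then the value; the lazy
# "(.*?)" plus "[ \t]*$" implements the "*WSP" permitted after every value.
FIELD_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.-]{0,31}):[ \t]*(.*?)[ \t]*$")
# Simplified hostname check (assumption: the RFC grammar only says "Domain").
DOMAIN_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")
MAX_AGE_LIMIT = 31557600        # RFC 8461: maximum value of max_age (seconds)
MODES = {"enforce", "testing", "none"}


def validate_policy(text):
    """Return {"valid", "errors", "warnings", "fields"} for one policy body."""
    errors, warnings = [], []
    fields = {"mx": []}
    lines = LINE_TERM.split(text)
    if lines and lines[-1] == "":           # the final terminator is optional
        lines.pop()
    for n, line in enumerate(lines, 1):
        if line == "":
            errors.append(f"line {n}: empty line is not allowed")
            continue
        if line[0] in " \t":                # leading WSP is not in the grammar
            errors.append(f"line {n}: leading whitespace before field name")
            line = line.lstrip(" \t")       # keep going so every problem is reported
        m = FIELD_RE.match(line)
        if not m:
            errors.append(f"line {n}: not a 'name: value' field: {line!r}")
            continue
        name, value = m.group(1), m.group(2)
        if name == "mx":
            if value.startswith("."):       # draft-era wildcard form
                errors.append(
                    f"line {n}: 'mx: {value}' is draft-era syntax; use 'mx: *{value}'")
            else:
                host = value[2:] if value.startswith("*.") else value
                if not DOMAIN_RE.match(host):
                    errors.append(f"line {n}: bad mx pattern {value!r}")
            fields["mx"].append(value)
            continue
        if name in fields:
            errors.append(f"line {n}: duplicate field {name!r}")
            continue
        fields[name] = value
        if name == "version":
            if value != "STSv1":            # %s"STSv1" is case-sensitive
                errors.append(f"line {n}: version must be 'STSv1', got {value!r}")
        elif name == "mode":
            if value == "report":           # draft-era mode name
                errors.append(
                    f"line {n}: 'mode: report' is draft-era syntax; use 'mode: testing'")
            elif value not in MODES:
                errors.append(f"line {n}: unknown mode {value!r}")
        elif name == "max_age":
            if not re.fullmatch(r"[0-9]{1,10}", value) or int(value) > MAX_AGE_LIMIT:
                errors.append(
                    f"line {n}: max_age must be 1-10 digits, at most {MAX_AGE_LIMIT}")
        else:
            warnings.append(f"line {n}: unknown field {name!r} ignored (extension)")
    for req in ("version", "mode", "max_age"):
        if req not in fields:
            errors.append(f"missing required field {req!r}")
    # Assumption: a policy that lists no MX pattern can never match a server,
    # so it is treated as an error outside mode "none".
    if fields.get("mode") in ("enforce", "testing") and not fields["mx"]:
        errors.append("no mx field: nothing can match in enforce/testing mode")
    return {"valid": not errors, "errors": errors, "warnings": warnings, "fields": fields}


def mode_stats(policies):
    """Tally modes across fetched policy bodies; invalid policies are counted apart."""
    counts = {"enforce": 0, "testing": 0, "none": 0, "invalid": 0}
    for text in policies:
        r = validate_policy(text)
        counts[r["fields"]["mode"] if r["valid"] else "invalid"] += 1
    return counts


# Constructed sample policies covering the cases reported in the thread.
GOOD_LF = "version: STSv1\nmode: enforce\nmx: mail.example.org\nmx: *.example.net\nmax_age: 86400\n"
GOOD_CRLF = "version: STSv1\r\nmode: testing\r\nmx: mail.example.org   \r\nmax_age: 604800"
DRAFT_MX = "version: STSv1\nmode: enforce\nmx: .example.org\nmax_age: 86400\n"
DRAFT_MODE = "version: STSv1\nmode: report\nmx: mail.example.org\nmax_age: 86400\n"
LEADING_WS = "version: STSv1\n mode: enforce\nmx: mail.example.org\nmax_age: 86400\n"

if __name__ == "__main__":
    samples = [("good_lf", GOOD_LF), ("good_crlf", GOOD_CRLF), ("draft_mx", DRAFT_MX),
               ("draft_mode", DRAFT_MODE), ("leading_ws", LEADING_WS)]
    for label, text in samples:
        r = validate_policy(text)
        print(label, "valid" if r["valid"] else "INVALID", r["errors"])
    print(mode_stats([t for _, t in samples]))
```

Run against the bodies fetched from `https://mta-sts.<domain>/.well-known/mta-sts.txt`, the validator reports both the CRLF and the LF policy as valid, flags the leading-space line without masking later errors, and separates draft-era syntax (which an RFC 8461 verifier will reject, causing the delivery failures Hanno worries about in enforce mode) from harmless trailing whitespace.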