On Tue, Jan 08, 2019 at 03:59:30PM -0500, John R Levine wrote:
> I have about 80 domains pointed at my mail server. I control the DNS for
> all of them but I can't see any reasonable way to make MTA-STS work.
>
> I can set up the TXT records easily enough, but it looks like I need an
> HTTPS server with 80 names and 80 certificates, or one certificate with 80
> alt names. That doesn't scale very well.
>
> Adding to the excitement, every domain has its own name for the mail
> server, e.g., for foo.com the mail server name is mx1.foo.com, all
> pointing at the same IP address. (This is not unusual; Tucows hostedemail
> does the same thing with much longer names.) So I'll need 80 names on the
> mail server certificates, too.
>
> Am I missing anything here?
That's OK, you have working DANE, you mostly don't need MTA-STS.
MTA-STS is aimed at receiving domains that face obstacles signing
their *own* domain. There's little excuse for not being able to
do DNSSEC validation; if a sending system is at all serious about
outbound SMTP security, it'll do both MTA-STS and DANE.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
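As an added illustration of the two MTA-STS pieces the thread argues about (the `_mta-sts.<domain>` TXT record carrying `v=STSv1; id=...`, and the policy file served at `https://mta-sts.<domain>/.well-known/mta-sts.txt`, both per RFC 8461), the following Python is not from the thread or any of its participants. It generates the per-domain artifacts a hosting setup like the one described needs (one policy host and policy file per domain, which is exactly the scaling cost raised above), parses them back, and checks an MX hostname against the policy's `mx:` patterns with the RFC's rule that a leading `*` matches exactly one label. The domain names, policy id and MX hostnames are constructed for the example.

```python
"""MTA-STS (RFC 8461) record/policy generation, parsing and MX matching.

Added example, not code from the thread. Domains, ids and hostnames below
are constructed; nothing here talks to DNS or HTTPS, it only handles the
record formats."""
import re
from dataclasses import dataclass, field

# id in the TXT record: 1..32 alphanumeric characters (RFC 8461 section 3.1)
TXT_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")
# one DNS label (no dots, no wildcard characters)
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_AGE_LIMIT = 31557600  # one year, the RFC's ceiling for max_age


def mta_sts_artifacts(domain, policy_id, mx_patterns, mode="enforce", max_age=604800):
    """Everything one receiving domain must publish: TXT record plus an HTTPS
    host serving the policy. Note the policy host is per domain, so 80 domains
    mean 80 names that need valid certificates."""
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {p}" for p in mx_patterns]
    lines.append(f"max_age: {max_age}")
    return {
        "txt_name": f"_mta-sts.{domain}",
        "txt_value": f"v=STSv1; id={policy_id}",
        "policy_host": f"mta-sts.{domain}",
        "policy_url": f"https://mta-sts.{domain}/.well-known/mta-sts.txt",
        "policy_text": "\n".join(lines) + "\n",
    }


def parse_sts_txt(txt):
    """Parse a _mta-sts TXT record; return its policy id or raise ValueError."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        k, v = part.split("=", 1)
        fields[k.strip()] = v.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("missing or unsupported version")
    ident = fields.get("id", "")
    if not TXT_ID_RE.match(ident):
        raise ValueError(f"invalid id: {ident!r}")
    return ident


def is_valid_sts_txt(txt):
    try:
        parse_sts_txt(txt)
        return True
    except ValueError:
        return False


@dataclass
class StsPolicy:
    mode: str
    max_age: int
    mx: list = field(default_factory=list)


def valid_mx_pattern(pattern):
    """Either a hostname or '*.' followed by a hostname; no other wildcards."""
    host = pattern[2:] if pattern.startswith("*.") else pattern
    labels = host.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)


def parse_policy(text):
    """Parse the body of /.well-known/mta-sts.txt into an StsPolicy."""
    fields, mx = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        k, v = (s.strip() for s in line.split(":", 1))
        if k == "mx":
            mx.append(v.lower().rstrip("."))
        else:
            fields[k] = v
    if fields.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"bad mode: {mode!r}")
    if not fields.get("max_age", "").isdigit() or int(fields["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError("missing or out-of-range max_age")
    if mode != "none" and not mx:
        raise ValueError("mx is required unless mode is none")
    for p in mx:
        if not valid_mx_pattern(p):
            raise ValueError(f"bad mx pattern: {p!r}")
    return StsPolicy(mode, int(fields["max_age"]), mx)


def mx_matches(pattern, hostname):
    """RFC 8461 matching: exact match, or '*.suffix' where * is exactly one label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not hostname.endswith("." + suffix):
            return False
        leftmost = hostname[: -len(suffix) - 1]
        return bool(LABEL_RE.match(leftmost))  # one label, no dots
    return pattern == hostname


def mx_allowed(policy, hostname):
    """True if the MX hostname is permitted by the policy (mode 'none' permits all)."""
    return policy.mode == "none" or any(mx_matches(p, hostname) for p in policy.mx)


# Constructed scenario: three hosted domains, each with its own MX name.
HOSTED = ["foo.example", "bar.example", "baz.example"]
PUBLISHED = {d: mta_sts_artifacts(d, "20190108T1", [f"mx1.{d}"]) for d in HOSTED}
```

Each entry in `PUBLISHED` has a distinct `policy_host`, which is the certificate-count problem from the first message in compact form; `mx_allowed` is the check a sender performs once it has fetched and cached the policy.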