On Sun, 17 Nov 2024, Viktor Dukhovni via mailop wrote:
> On Sun, Nov 17, 2024 at 01:30:24AM +0100, Olga Fischer via mailop wrote:
>> Some of our domains receive TLS reports for connections their mx's
>> didn't make on behalf of any user of such a domain.
> This makes no sense, because unlike DMARC reports which are sent by
> receiving (server) systems, TLS reports are sent by sending (client)
> systems to the domains whose MX hosts had trouble with TLS.
> So when you receive a TLS report, it is never about mail your MX hosts
> sent, rather it is about mail others tried to send to you.
>> Are such reports usually only sent for DMARC-aligned senders or even
>> for forged senders to the actual MX? As we get DMARC reports from the
>> same receivers, that show forged senders, I believe they are sent for
>> forged senders as well.
> TLS reports (RFC 8460) have nothing to do with DMARC. If you publish
> conformant _smtp._tls.<domain>. (MTA-STS) or _smtp._tls.<mxhost>. (DANE)
> DNS records, you may get reports from *senders* about their issues with
> establishing a (verified) TLS connection to your system.
I have _smtp._tls.aitchison.me.uk. DANE and nothing for my mxhost or
MTA-STS. Would that be why I receive (success) reports from GMail
and Stalwart Labs but no-one else?
> There is active work on TLSRPT support in Postfix, if this sees
> non-trivial adoption, the volume of reports goes up a bit.
Thanks. I'm thinking about adding these reports to/for Exim.
Is https://www.postfix.org/TLSRPT_README.html a good place to start?
Since much of the work is done daily, maybe it doesn't happen
in the MTA itself; is there potential to share some parts?
Thanks,
--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk
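The daily aggregation step Andrew asks about, as an added example that is not Postfix, Exim or Stalwart code: per-session TLS outcomes logged by a sending MTA are grouped by policy domain and policy type and emitted in the RFC 8460 report structure (field names from RFC 8460 section 4; the session records, organisation name and contact address are constructed, and "mx-host" is written as a list as in reports seen in the wild).

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one record per delivery attempt a sending MTA made.
# result None = verified TLS session established; otherwise an RFC 8460 result-type.
SESSIONS = [
    {"policy_domain": "example.com", "policy_type": "tlsa", "mx": "mx1.example.com",
     "sending_ip": "192.0.2.10", "receiving_ip": "198.51.100.5", "result": None},
    {"policy_domain": "example.com", "policy_type": "tlsa", "mx": "mx1.example.com",
     "sending_ip": "192.0.2.10", "receiving_ip": "198.51.100.5", "result": None},
    {"policy_domain": "example.com", "policy_type": "tlsa", "mx": "mx2.example.com",
     "sending_ip": "192.0.2.10", "receiving_ip": "198.51.100.6", "result": "tlsa-invalid"},
    {"policy_domain": "example.org", "policy_type": "sts", "mx": "mail.example.org",
     "sending_ip": "192.0.2.11", "receiving_ip": "203.0.113.9", "result": "certificate-host-mismatch"},
]

def build_tlsrpt(sessions, org, contact, start, end):
    """Group sessions by (policy domain, policy type) into RFC 8460 'policies' entries.
    The policy-string (the published policy text) is omitted for brevity."""
    grouped = defaultdict(list)
    for s in sessions:
        grouped[(s["policy_domain"], s["policy_type"])].append(s)
    policies = []
    for (domain, ptype), rows in sorted(grouped.items()):
        ok = sum(1 for r in rows if r["result"] is None)
        # Failures are counted per (result type, sending IP, MX host, receiving IP) tuple.
        failures = defaultdict(int)
        for r in rows:
            if r["result"] is not None:
                failures[(r["result"], r["sending_ip"], r["mx"], r["receiving_ip"])] += 1
        policies.append({
            "policy": {"policy-type": ptype, "policy-domain": domain,
                       "mx-host": sorted({r["mx"] for r in rows})},
            "summary": {"total-successful-session-count": ok,
                        "total-failure-session-count": len(rows) - ok},
            "failure-details": [
                {"result-type": rt, "sending-mta-ip": sip, "receiving-mx-hostname": mx,
                 "receiving-ip": rip, "failed-session-count": n}
                for (rt, sip, mx, rip), n in sorted(failures.items())],
        })
    return {"organization-name": org, "contact-info": contact,
            "date-range": {"start-datetime": start.isoformat(), "end-datetime": end.isoformat()},
            "report-id": f"{start.date()}@{org}", "policies": policies}

def example_report():
    # One report per 24h window; the receiver's rua= address comes from its _smtp._tls record.
    start = datetime(2024, 11, 16, tzinfo=timezone.utc)
    end = datetime(2024, 11, 16, 23, 59, 59, tzinfo=timezone.utc)
    return build_tlsrpt(SESSIONS, "sender.example", "tlsrpt@sender.example", start, end)
```

Note that every counted session is one the sender itself attempted towards the policy domain, which is why a receiving domain only ever sees reports about inbound mail. `json.dumps(example_report(), indent=2)` prints the report body.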
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop