Hi Victor,

>> Gmx and web.de do support SMTP-DANE (with bugs)
> Can you provide a bit more detail on the outbound problems with gmx.de/web.de?

Negation missing in your wording: United Internet never delivers to a server that has a certificate valid via TLSA record only but cannot be validated to a standard root certificate. That behaviour would be OK (my understanding) when also implementing MTA-STS, but as far as I can tell, they don't. I sent them a mail via their DPO, but never got a reply.

Regards,
Joachim
-----Original Message-----
From: Viktor Dukhovni via Postfix-users <postfix-users@postfix.org>
Sent: Wednesday, 26 June 2024 14:11
To: postfix-users@postfix.org
Subject: [pfx] Re: DANE and STS

On Wed, Jun 26, 2024 at 01:35:30PM +0200, Joachim Lindenberg via Postfix-users wrote:
> I have done some testing via my own tool and published results on
> https://blog.lindenberg.one/EmailSecurityTest.
>
> Gmx and web.de do support SMTP-DANE (with bugs)

Can you provide a bit more detail on the outbound problems with gmx.de/web.de?

It appears you report that they "fail" when the server certificate chain does chain up to a trusted CA. Is that also the case for other STARTTLS servers, even without DANE? Or does their DANE implementation "raise the bar" on WebPKI conformance?

Has anyone tried to open a bug report with these providers?

--
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org