On Sat, Jun 13, 2020 at 01:44:18PM -0400, Viktor Dukhovni wrote:

> ... the MTA-STS service MUST instead return one of:
>
>     verify servername=hostname
> or
>     secure servername=hostname match=hostname
I should have written:

    secure servername=hostname match=mx1.example match=mx2.example ...

where the list of match values is per the MTA-STS policy. With "match=hostname" you lose the MTA-STS out-of-band (i.e. HTTPS) validation of the list of allowed MX hosts.

The explicit list of names is not strictly the same as MTA-STS, since it will allow matching of "mx2" while trying to connect to (and logging delivery via) "mx1", but this should not be a concern; a MiTM can always force connections to a given MX host by blocking access to the rest, and can redirect TCP traffic, ... so the only effect is somewhat imprecise logging.

-- 
Viktor.
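As an added illustration (not Postfix code and not from anyone in this thread), the following Python turns a fetched MTA-STS policy into the smtp_tls_policy_maps entry described above, pinning the certificate names to the policy's MX list instead of to the unauthenticated DNS MX hostname; the sample policy, the function names, and the rendering of a wildcard MX as a Postfix leading-dot suffix pattern are assumptions.

```python
# Added example: derive Viktor's "secure servername=hostname match=..." entry
# from an MTA-STS policy, and check MX names the way RFC 8461 does.

# Constructed sample policy, in the form served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461 key: value lines).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mx1.example
mx: mx2.example
mx: *.backup.example
max_age: 604800
"""

def parse_policy(text):
    """Parse key: value lines into a dict; 'mx' collects a list since it repeats."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_allowed(mx_host, policy):
    """RFC 8461 MX matching: exact match, or a '*.' pattern that covers exactly
    one leading label (*.backup.example matches a.backup.example, not a.b.backup.example)."""
    mx_host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".backup.example"
            if mx_host.endswith(suffix) and "." not in mx_host[:-len(suffix)]:
                return True
        elif mx_host == pattern:
            return True
    return False

def postfix_policy_line(nexthop, policy):
    """Emit the policy-table entry: 'secure servername=hostname' plus one match=
    per policy MX. Assumption: a '*.x' MTA-STS entry is written as the Postfix
    suffix pattern '.x'; confirm against the match-pattern rules of the Postfix
    version in use. Returns None unless the policy mode is 'enforce'."""
    if policy.get("mode") != "enforce":
        return None
    matches = ["match=" + (p[1:] if p.startswith("*.") else p) for p in policy["mx"]]
    return f"{nexthop} secure servername=hostname " + " ".join(matches)
```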