Hi Viktor

Seeing that the domain ends in .dk - can you send me some uncensored details of the domain - then I can see if I have a contact, so I can reach out to the right entity?

Kind Regards,
Sidsel Jensen
Architect of Deliverability and Abuse @ Open-Xchange

> On 10/24/2023 7:33 PM CEST Viktor Dukhovni <[email protected]> wrote:
>
>
> The DANE survey (https://stat.dnssec-tools.org) turns up a few domains
> a day that botch their cert rollovers or fail to offer STARTTLS despite
> publishing DANE TLSA records.
>
> I try to send notices to the relevant contacts, but sometimes they
> shoot themselves in the foot:
>
>     - Private WHOIS
>     - No contact data at the website
>     - Published contacts don't work (no such user, ...).
>     - Reject earnest notices of technical problems as spam
>
> Yesterday, for the first time, I ran into someone whose MTA stopped
> offering STARTTLS, despite the TLSA records still being in place, but
> attempts to deliver a notice are rejected:
>
>     posttls-finger: < 220-mail.<censored>.dk ESMTP Postcow
>     ... brief pause...
>     posttls-finger: < 220 mail.<censored>.dk ESMTP Postcow
>     posttls-finger: > EHLO <...>
>     posttls-finger: < 250-mail.<censored>.dk
>     posttls-finger: < 250-PIPELINING
>     posttls-finger: < 250-SIZE 104857600
>     posttls-finger: < 250-ETRN
>     posttls-finger: < 250-AUTH PLAIN LOGIN CRAM-MD5
>     posttls-finger: < 250-AUTH=PLAIN LOGIN CRAM-MD5
>     posttls-finger: < 250-ENHANCEDSTATUSCODES
>     posttls-finger: < 250-8BITMIME
>     posttls-finger: < 250-DSN
>     posttls-finger: < 250 CHUNKING
>     posttls-finger: > QUIT
>     posttls-finger: < 221 2.0.0 Bye
>
> The notice bounced with:
>
>     550 5.7.1 Session encryption is required (in reply to RCPT TO command)
>
> As commendable as it may be to encourage use of TLS, it is not a good
> practice to outright refuse cleartext mail.
>
> --
>     Viktor.
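
Added example, not part of the thread above: a Python check that parses a posttls-finger style transcript and flags the state described in the quoted message (TLSA records published, no STARTTLS in the EHLO reply, cleartext RCPT refused). The sample transcript, the host names and the function names ehlo_keywords and classify are constructed for illustration.

```python
import re

# Constructed sample modelled on the quoted transcript; host names are placeholders.
SAMPLE = """\
posttls-finger: < 220 mail.example.test ESMTP
posttls-finger: > EHLO probe.example.test
posttls-finger: < 250-mail.example.test
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 104857600
posttls-finger: < 250-AUTH=PLAIN LOGIN CRAM-MD5
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
"""

LINE = re.compile(r"^posttls-finger: (?P<dir>[<>]) (?P<text>.*)$")
REPLY = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])(?P<rest>.*)$")

def ehlo_keywords(transcript):
    """Return the set of ESMTP keywords in the 250 reply that follows EHLO."""
    keywords, in_ehlo, first = set(), False, True
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # e.g. "... brief pause..." annotations
        if m["dir"] == ">":               # client command: track whether it is EHLO
            in_ehlo, first = m["text"].upper().startswith("EHLO"), True
            continue
        r = REPLY.match(m["text"])
        if not (in_ehlo and r and r["code"] == "250"):
            continue
        if not first and r["rest"]:       # first 250 line is the server domain
            keywords.add(re.split(r"[ =]", r["rest"])[0].upper())
        first = False
        if r["sep"] == " ":               # space after the code ends the reply
            in_ehlo = False
    return keywords

def classify(transcript, has_tlsa, rcpt_reply=""):
    """Name the inconsistency, if any, between TLSA, EHLO and the RCPT policy."""
    starttls = "STARTTLS" in ehlo_keywords(transcript)
    demands_tls = rcpt_reply.startswith("550 5.7.1") and "encryption" in rcpt_reply.lower()
    if has_tlsa and not starttls:
        # DANE-validating senders will not fall back to cleartext here.
        return "dane-broken-and-cleartext-refused" if demands_tls else "dane-broken"
    if not starttls and demands_tls:
        return "tls-required-but-not-offered"
    return "consistent"
```
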
