Hi Viktor,

>> Gmx and web.de do support SMTP-DANE (with bugs)
> Can you provide a bit more detail on the outbound problems with gmx.de/web.de?

Negation missing in your wording: United Internet never delivers to a server that has a certificate valid via TLSA record only but cannot be validated to a standard root certificate. That behaviour would be OK (my understanding) when also implementing MTA-STS, but as far as I can tell, they don't. I sent them a mail via their DPO, but never got a reply.

Regards,
Joachim

-----Original Message-----
From: Viktor Dukhovni via Postfix-users <[email protected]>
Sent: Wednesday, June 26, 2024 14:11
To: [email protected]
Subject: [pfx] Re: DANE and STS

On Wed, Jun 26, 2024 at 01:35:30PM +0200, Joachim Lindenberg via Postfix-users wrote:

> I have done some testing via my own tool and published results on
> https://blog.lindenberg.one/EmailSecurityTest.
>
> Gmx and web.de do support SMTP-DANE (with bugs)

Can you provide a bit more detail on the outbound problems with gmx.de/web.de?

It appears you report that they "fail" when the server certificate chain does chain up to a trusted CA. Is that also the case for other STARTTLS servers, even without DANE? Or does their DANE implementation "raise the bar" on WebPKI conformance?

Has anyone tried to open a bug report with these providers?

--
Viktor.
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
