The DANE survey (https://stat.dnssec-tools.org) turns up a few domains
a day that botch their cert rollovers or fail to offer STARTTLS despite
publishing DANE TLSA records.
I try to send notices to the relevant contacts, but sometimes they
shoot themselves in the foot:
- Private WHOIS
- No contact data at the website
- Published contacts don't work (no such user, ...).
- Reject earnest notices of technical problems as spam
Yesterday, for the first time, I ran into someone whose MTA stopped
offering STARTTLS, despite the TLSA records still being in place, but
attempts to deliver a notice are rejected:
posttls-finger: < 220-mail.<censored>.dk ESMTP Postcow
... brief pause...
posttls-finger: < 220 mail.<censored>.dk ESMTP Postcow
posttls-finger: > EHLO <...>
posttls-finger: < 250-mail.<censored>.dk
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 104857600
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH PLAIN LOGIN CRAM-MD5
posttls-finger: < 250-AUTH=PLAIN LOGIN CRAM-MD5
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
The notice bounced with:
550 5.7.1 Session encryption is required (in reply to RCPT TO command)
As commendable as it may be to encourage use of TLS, it is not a good
practice to outright refuse cleartext mail.
--
Viktor.
