The DANE survey (https://stat.dnssec-tools.org) turns up a few domains a day that botch their cert rollovers or fail to offer STARTTLS despite publishing DANE TLSA records.
I try to send notices to the relevant contacts, but sometimes they shoot themselves in the foot:
- Private WHOIS
- No contact data at the website
- Published contacts don't work (no such user, ...).
- Reject earnest notices of technical problems as spam
Yesterday, for the first time, I ran into someone whose MTA stopped offering STARTTLS, despite the TLSA records still being in place, but attempts to deliver a notice are rejected:
posttls-finger: < 220-mail.<censored>.dk ESMTP Postcow
... brief pause...
posttls-finger: < 220 mail.<censored>.dk ESMTP Postcow
posttls-finger: > EHLO <...>
posttls-finger: < 250-mail.<censored>.dk
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 104857600
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH PLAIN LOGIN CRAM-MD5
posttls-finger: < 250-AUTH=PLAIN LOGIN CRAM-MD5
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
The notice bounced with:
550 5.7.1 Session encryption is required (in reply to RCPT TO command)
As commendable as it may be to encourage use of TLS, it is not a good practice to outright refuse cleartext mail.
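The failure mode above (TLSA records published, STARTTLS no longer advertised) is easy to check for from the EHLO reply alone. The script below is an added example, not code from the original post or from Postfix: it parses an EHLO reply into its extension keywords, reports whether STARTTLS is offered, and then says what a sending MTA would do under each TLS policy. The decision table is modelled on Postfix's smtp_tls_security_level semantics as an assumption, not taken from Postfix source. The sample reply is re-typed from the post with the censored hostname replaced by a placeholder; passing a hostname on the command line runs a live probe instead.

```python
"""EHLO/STARTTLS check for a DANE-published MX.

Added example; not the original post's code and not Postfix's own code.
"""
import re
import smtplib
import sys

# Constructed sample: the EHLO reply quoted in the post, with the censored
# hostname replaced by a placeholder.  Note that STARTTLS is absent.
SAMPLE_EHLO = """250-mail.example.invalid
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING"""

_EHLO_LINE = re.compile(r"^250[- ](\S+)(?:\s+(.*))?$")


def parse_ehlo(reply: str) -> dict:
    """Return {EXTENSION: parameters} from a multi-line 250 reply.

    The first 250 line carries the server's name, not an extension, so it
    is skipped.  "AUTH=..." (a legacy spelling) is folded into AUTH; the
    first occurrence of a keyword wins.
    """
    lines = [l.rstrip("\r") for l in reply.splitlines() if l.strip()]
    feats = {}
    for line in lines[1:]:
        m = _EHLO_LINE.match(line)
        if not m:
            raise ValueError(f"malformed EHLO line: {line!r}")
        kw, params = m.group(1).upper(), (m.group(2) or "")
        if "=" in kw:
            kw, rest = kw.split("=", 1)
            params = (rest + " " + params).strip()
        feats.setdefault(kw, params)
    return feats


def offers_starttls(feats: dict) -> bool:
    return "STARTTLS" in feats


def sender_decision(policy: str, tlsa_usable: bool, starttls: bool) -> str:
    """What a client does with this EHLO reply under a given TLS policy.

    Assumption: modelled on Postfix smtp_tls_security_level semantics.
      none    -> cleartext always
      may     -> TLS if offered, otherwise cleartext
      dane    -> with usable TLSA records TLS is mandatory, so a missing
                 STARTTLS defers delivery; with no TLSA records acts as 'may'
      encrypt -> TLS mandatory, missing STARTTLS defers delivery
    """
    if policy == "none":
        return "cleartext"
    if policy == "may" or (policy == "dane" and not tlsa_usable):
        return "tls" if starttls else "cleartext"
    if policy in ("dane", "encrypt"):
        return "tls" if starttls else "defer"
    raise ValueError(f"unknown policy {policy!r}")


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live EHLO probe (needs network); returns the same dict shape."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, msg = s.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {msg!r}")
        # smtplib keeps the parsed extensions in lowercase; normalise.
        return {k.upper(): v for k, v in s.esmtp_features.items()}


if __name__ == "__main__":
    feats = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_ehlo(SAMPLE_EHLO)
    st = offers_starttls(feats)
    print("STARTTLS offered:", st)
    for pol, tlsa in (("may", False), ("dane", False), ("dane", True)):
        print(f"policy={pol:<4} tlsa_usable={tlsa!s:<5} -> "
              f"{sender_decision(pol, tlsa, st)}")
```

For the quoted reply the result under policy "dane" with usable TLSA records is "defer": a DANE-verifying sender never falls back to cleartext for such a domain, so the recipient's own "encryption required" bounce is moot for that traffic, which is exactly why the notice never arrives.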