Please drop TLSA records matching retired Let's Encrypt CAs
The DANE survey continues to observe a "long tail" of MX hosts with TLSA records that match the retired "X3" and/or "X4" Let's Encrypt issuer CAs.
If you're publishing TLSA records with Let's Encrypt issuer CA hashes, the "X3" and "X4" CAs should no longer appear in your TLSA RRset. Also be sure to use "2 1 1" and not "2 0 1" or "2 0 2" TLSA parameters. For details see:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
The MX host counts for the various LE CAs are:
    # | CA
------+----
  538 | X3
  248 | X4
 1133 | R3
  436 | R4
  483 | E1
  396 | E2
* The counts for X3 and X4 should by now be 0.
* Every MX host that publishes R3 should also publish R4.
* Every MX host publishing E1 should also publish E2.
* The simplest strategy is to publish all four of R3, R4, E1 and E2
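The checks listed above, applied to one MX host's TLSA RRset, as an added example that is not part of the original post or of the DANE survey's code. The digests are constructed placeholders, not the real Let's Encrypt SPKI hashes (which this page does not list), and `audit_rrset` and the sample zone lines are hypothetical.

```python
import re

# Constructed placeholder digests standing in for the SHA-256 SPKI hashes of
# the Let's Encrypt issuer CAs; the real values are not listed on this page.
PLACEHOLDER_DIGESTS = {
    f"{i:02x}" * 32: ca
    for i, ca in enumerate(["X3", "X4", "R3", "R4", "E1", "E2"], start=1)
}
RETIRED = {"X3", "X4"}
PAIRS = {"R3": "R4", "E1": "E2"}  # publishing the key implies publishing the value

TLSA_RE = re.compile(r"\bTLSA\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f ]+)$")


def audit_rrset(zone_lines, ca_by_digest=PLACEHOLDER_DIGESTS):
    """Return a sorted list of findings for one MX host's TLSA RRset."""
    findings, published = set(), set()
    for line in zone_lines:
        m = TLSA_RE.search(line.split(";")[0].strip())  # drop zone-file comments
        if not m:
            continue
        usage, selector, mtype = (int(g) for g in m.group(1, 2, 3))
        digest = m.group(4).replace(" ", "").lower()
        if usage != 2:  # only DANE-TA(2) records pin an issuer CA
            continue
        if selector == 0:  # "2 0 1" / "2 0 2" hash the whole certificate
            findings.add(f"use '2 1 1' instead of '2 {selector} {mtype}'")
            continue
        if (selector, mtype) == (1, 1) and digest in ca_by_digest:
            published.add(ca_by_digest[digest])
    for ca in sorted(published & RETIRED):
        findings.add(f"drop retired {ca}")
    for first, second in PAIRS.items():
        if first in published and second not in published:
            findings.add(f"{first} published without {second}")
    return sorted(findings)


# Constructed sample RRsets (hypothetical host name, placeholder digests).
_D = {ca: digest for digest, ca in PLACEHOLDER_DIGESTS.items()}
_OWNER = "_25._tcp.mx.example.com. IN TLSA"
STALE_RRSET = [
    f"{_OWNER} 2 1 1 {_D['X3']}",
    f"{_OWNER} 2 1 1 {_D['R3']}",
    f"{_OWNER} 2 0 1 {'ab' * 32} ; full-certificate hash",
]
CLEAN_RRSET = [f"{_OWNER} 2 1 1 {_D[ca]}" for ca in ("R3", "R4", "E1", "E2")]

if __name__ == "__main__":
    print(audit_rrset(STALE_RRSET))
    print(audit_rrset(CLEAN_RRSET))
```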
On 2021-09-30 17:30, Viktor Dukhovni wrote:
The DANE survey continues to observe a "long tail" of MX hosts with TLSA records that match the retired "X3" and/or "X4" Let's Encrypt issuer CAs.
X-Spamd-Bar: /
Authentication-Results: mail.sys4.de; none
X-Rspamd-Server: echo
X-Rspamd-Queue-Id: 4HKxyj0s1fz1fv9
X-Spamd-Result: default: False [0.00 / 6.00]; TAGGED_RCPT(0.00)[dane-users,lists,dane-sys4,ml.dane-users]
X-Spam: Yes
why would it not be removed that header when recipient is not local ? :)
hope rspamd developers can fix this
On 30-9-21 17:49, Benny Pedersen wrote:
On 2021-09-30 17:30, Viktor Dukhovni wrote:
The DANE survey continues to observe a "long tail" of MX hosts with TLSA records that match the retired "X3" and/or "X4" Let's Encrypt issuer CAs.
X-Spamd-Bar: /
Authentication-Results: mail.sys4.de; none
X-Rspamd-Server: echo
X-Rspamd-Queue-Id: 4HKxyj0s1fz1fv9
X-Spamd-Result: default: False [0.00 / 6.00]; TAGGED_RCPT(0.00)[dane-users,lists,dane-sys4,ml.dane-users]
These headers are in my copy of Viktor's message too, but are either standard or shouldn't make a difference.
X-Spam: Yes
Not in the message I saw. I'm guessing your anti-spam solution inserted that one itself.
why would it not be removed that header when recipient is not local ? :)
Maybe Rspamd is in front of the mailing list? It shouldn't matter to you.
On 2021-09-30 20:20, Jan-Pieter Cornet wrote:
Maybe Rspamd is in front of the mailing list? It shouldn't matter to you.
hope it's solved on mondays
X-Spam-Status: No, score=-0.9 required=5.0 tests=CLEAR_TEXT_SASL_AUTH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on localhost.junc.eu
X-Spam-Relay-Country: NL **
X-Spam-Uri-Domains-Ham: xs4all.net xs4all.nl
X-Spam-ASN: AS3265 2001:888::/32 2001:888::/29 2001:888::/30
X-Fuglu-Incomingport: 10025
X-Fuglu-Suspect: ff686095d81742b9977e70b6b8c76614
as you see i don't use rspamd
participants (3): Benny Pedersen, Jan-Pieter Cornet, Viktor Dukhovni