Best to not outright refuse non-TLS incoming mail...
The DANE survey (https://stat.dnssec-tools.org) turns up a few domains a day that botch their cert rollovers or fail to offer STARTTLS despite publishing DANE TLSA records.
I try to send notices to the relevant contacts, but sometimes they shoot themselves in the foot:
- Private WHOIS
- No contact data at the website
- Published contacts don't work (no such user, ...).
- Reject earnest notices of technical problems as spam
Yesterday, for the first time, I ran into someone whose MTA stopped offering STARTTLS, despite the TLSA records still being in place, but attempts to deliver a notice are rejected:
posttls-finger: < 220-mail.<censored>.dk ESMTP Postcow
... brief pause...
posttls-finger: < 220 mail.<censored>.dk ESMTP Postcow
posttls-finger: > EHLO <...>
posttls-finger: < 250-mail.<censored>.dk
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 104857600
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH PLAIN LOGIN CRAM-MD5
posttls-finger: < 250-AUTH=PLAIN LOGIN CRAM-MD5
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
The notice bounced with:
550 5.7.1 Session encryption is required (in reply to RCPT TO command)
As commendable as it may be to encourage use of TLS, it is not a good practice to outright refuse cleartext mail.
Hi Viktor
Seeing that the domain ends in .dk - can you send me some uncensored details of the domain - then I can see if I have a contact, so I can reach out to the right entity?
Kind Regards, Sidsel Jensen
Architect of Deliverability and Abuse @ Open-Xchange
On 10/24/2023 7:33 PM CEST Viktor Dukhovni ietf-dane@dukhovni.org wrote:
The DANE survey (https://stat.dnssec-tools.org) turns up a few domains a day that botch their cert rollovers or fail to offer STARTTLS despite publishing DANE TLSA records.
I try to send notices to the relevant contacts, but sometimes they shoot themselves in the foot:
- Private WHOIS
- No contact data at the website
- Published contacts don't work (no such user, ...).
- Reject earnest notices of technical problems as spam
Yesterday, for the first time, I ran into someone whose MTA stopped offering STARTTLS, despite the TLSA records still being in place, but attempts to deliver a notice are rejected:
posttls-finger: < 220-mail.<censored>.dk ESMTP Postcow
... brief pause...
posttls-finger: < 220 mail.<censored>.dk ESMTP Postcow
posttls-finger: > EHLO <...>
posttls-finger: < 250-mail.<censored>.dk
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 104857600
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH PLAIN LOGIN CRAM-MD5
posttls-finger: < 250-AUTH=PLAIN LOGIN CRAM-MD5
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
The notice bounced with:
550 5.7.1 Session encryption is required (in reply to RCPT TO command)
As commendable as it may be to encourage use of TLS, it is not a good practice to outright refuse cleartext mail.
-- Viktor.
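The condition reported in this thread (TLSA records published, STARTTLS missing from the EHLO reply) can be checked mechanically from a saved posttls-finger transcript. The following is an added example, not code from the thread or from the DANE survey; the function names, the verdict strings and the `mail.example.dk` hostname are assumptions, and `has_tlsa` is assumed to come from the caller's own DNSSEC-validated TLSA lookup.

```python
import re

# Constructed transcript in posttls-finger's output format, modelled on the
# session quoted in the post; mail.example.dk is a placeholder hostname.
SAMPLE = """\
posttls-finger: < 220-mail.example.dk ESMTP Postcow
posttls-finger: < 220 mail.example.dk ESMTP Postcow
posttls-finger: > EHLO client.example
posttls-finger: < 250-mail.example.dk
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 104857600
posttls-finger: < 250-AUTH PLAIN LOGIN CRAM-MD5
posttls-finger: < 250-AUTH=PLAIN LOGIN CRAM-MD5
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
"""

LINE = re.compile(r"^posttls-finger: ([<>]) (.*)$")   # direction, SMTP text
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")            # code, continuation, rest

def ehlo_extensions(transcript):
    """Return the ESMTP keywords in the reply to the first EHLO."""
    keywords, in_reply, greeting_seen = set(), False, False
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # annotations such as "... brief pause..."
        direction, text = m.groups()
        if direction == ">":
            in_reply = text.upper().startswith("EHLO")
            continue
        r = REPLY.match(text)
        if not in_reply or not r or r.group(1) != "250":
            continue                      # multi-line 220 banner, 221, etc.
        if greeting_seen:                 # first 250 line is the server's name
            word = re.split(r"[ =]", r.group(3).strip())[0]  # "AUTH=PLAIN" -> AUTH
            if word:
                keywords.add(word.upper())
        greeting_seen = True
        if r.group(2) == " ":             # "250 " (no hyphen) ends the reply
            return keywords
    return keywords

def dane_verdict(has_tlsa, transcript):
    """has_tlsa: result of the caller's DNSSEC-validated TLSA lookup (assumed input)."""
    if "STARTTLS" in ehlo_extensions(transcript):
        return "starttls-offered"
    return "tlsa-without-starttls" if has_tlsa else "cleartext-only"
```

A `tlsa-without-starttls` verdict is the state described in the post: DANE-validating senders will not deliver in cleartext, so the domain should either restore STARTTLS or withdraw its TLSA records.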