Re: [ietf-smtp] Validating MTA-STS setup, by writing to improperly configured MTA-STS sites

"Brotman, Alex" <Alex_Brotman@comcast.com> Mon, 10 January 2022 19:52 UTC

From: "Brotman, Alex" <Alex_Brotman@comcast.com>
To: Дилян Палаузов <dilyan.palauzov@aegee.org>, "ietf-smtp@ietf.org" <ietf-smtp@ietf.org>
Date: Mon, 10 Jan 2022 19:50:06 +0000
Message-ID: <CH2PR11MB4342190E4B27AF5DD2027943F7509@CH2PR11MB4342.namprd11.prod.outlook.com>
References: <df64ba019908a2335d4481aaad70ed0bbe9ac322.camel@aegee.org>
In-Reply-To: <df64ba019908a2335d4481aaad70ed0bbe9ac322.camel@aegee.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/0TC-LxacCT-zWZZ5A6a3gW1QZXU>
Subject: Re: [ietf-smtp] Validating MTA-STS setup, by writing to improperly configured MTA-STS sites
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>

Could you simulate this by having your outbound not attempt STARTTLS (perhaps just to a specific host)? If your MTA code understands the difference between not-offered and not-attempted, that wouldn't work. Just a thought.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

> -----Original Message-----
> From: ietf-smtp <ietf-smtp-bounces@ietf.org> On Behalf Of Дилян Палаузов
> Sent: Monday, January 10, 2022 11:53 AM
> To: ietf-smtp@ietf.org
> Subject: [ietf-smtp] Validating MTA-STS setup, by writing to improperly
> configured MTA-STS sites
>
> Hello,
>
> I want to validate that outgoing MTA-STS does work correctly. I want to
> send an email to a site which has broken MTA-STS, and see what happens.
>
> Can somebody name a sample site which (on purpose, for testing purposes,
> or unintentionally for the moment) announces MTA-STS but does not offer
> STARTTLS?
>
> I found only https://mtasts.xyz/ trying to perform outbound tests,
> but its MTA-STS setup is too broken - the certificates are outdated and the
> HTTPS policy is thus ignored.
>
> Greetings
>   Дилян
>
> _______________________________________________
> ietf-smtp mailing list
> ietf-smtp@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf-smtp
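The two situations raised in this thread (a domain that announces MTA-STS but whose MX does not offer STARTTLS, and a domain whose policy file cannot be fetched because the HTTPS certificate has expired) plus the simulation suggested in the reply (the sending side simply does not attempt STARTTLS) can be exercised offline against the decision logic RFC 8461 asks of a sending MTA. The Python below is an added example; it is not code from either message, from mtasts.xyz, or from any MTA. The domain `example.test`, its policy text and every connection outcome are constructed fixtures; reason strings reuse RFC 8460 (TLSRPT) result names where one fits, while `mx-mismatch` and `starttls-not-attempted` are local codes invented for the example. The point of the last one is the distinction the reply mentions: an MTA that records "not attempted" separately from "not offered" will not produce the same failure when you only disable STARTTLS on your own side.

```python
"""
MTA-STS (RFC 8461) decision logic of an outbound MTA, simulated offline.
Added example, not code from the thread or from any MTA; every policy text
and connection outcome below is constructed. Reason strings reuse RFC 8460
(TLSRPT) result names where one fits; "mx-mismatch" and
"starttls-not-attempted" are local codes invented for this example.
"""
from dataclasses import dataclass
from typing import Optional

def parse_sts_policy(text: str) -> dict:
    """Parse https://mta-sts.<domain>/.well-known/mta-sts.txt; raise if malformed."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key.strip() == "mx":
            policy["mx"].append(value.strip().lower().rstrip("."))
        elif key.strip():
            policy[key.strip()] = value.strip()
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("policy needs 'version: STSv1' and a valid mode")
    policy["max_age"] = int(policy["max_age"])  # KeyError/ValueError if absent or bad
    return policy

def effective_policy(fetched_policy: Optional[str], cached_policy: Optional[dict]) -> Optional[dict]:
    """Called after the _mta-sts TXT record announced STSv1. RFC 8461 s.3.3: if the
    HTTPS fetch failed (None; e.g. an expired certificate on mta-sts.<domain>, the
    state of the test site named in the thread) or the text is invalid, fall back
    to a still-valid cached policy; with none cached, act as if no policy existed."""
    if fetched_policy is None:
        return cached_policy
    try:
        return parse_sts_policy(fetched_policy)
    except (ValueError, KeyError):
        return cached_policy

def mx_matches(policy: dict, host: str) -> bool:
    """RFC 8461 s.4.1: '*.example.com' matches exactly one left-most label."""
    host = host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == pattern:
            return True
    return False

@dataclass
class Attempt:
    mx_host: str                      # what the outbound MTA saw on one SMTP session
    starttls_attempted: bool = True   # False models the simulation suggested in the reply
    starttls_offered: bool = True     # did the EHLO response advertise STARTTLS?
    cert_valid_for_mx: bool = True    # chain trusted and name matches the MX host

def evaluate(policy: Optional[dict], attempt: Attempt) -> tuple:
    """Return ('deliver' | 'defer', reason); 'deliver' with reason != 'ok' is reported, not blocked."""
    if policy is None or policy["mode"] == "none":
        return ("deliver", "ok")                # no MTA-STS: opportunistic TLS as before
    if not mx_matches(policy, attempt.mx_host):
        failure = "mx-mismatch"
    elif not attempt.starttls_attempted:
        failure = "starttls-not-attempted"      # we never asked; distinct from the peer not offering
    elif not attempt.starttls_offered:
        failure = "starttls-not-supported"      # the case the original post wants to observe
    elif not attempt.cert_valid_for_mx:
        failure = "certificate-host-mismatch"
    else:
        return ("deliver", "ok")
    if policy["mode"] == "enforce":
        return ("defer", failure)               # never downgrade to cleartext: next MX or queue
    return ("deliver", failure)                 # testing: deliver anyway, report via TLSRPT

# Constructed fixture for a hypothetical domain, not a real deployment.
POLICY_ENFORCE = "version: STSv1\nmode: enforce\nmx: mx1.example.test\nmx: *.backup.example.test\nmax_age: 604800\n"

def run_scenarios() -> dict:
    """The situations discussed in the thread, evaluated against the fixture."""
    enforce = parse_sts_policy(POLICY_ENFORCE)
    testing = parse_sts_policy(POLICY_ENFORCE.replace("mode: enforce", "mode: testing"))
    no_tls = Attempt("mx1.example.test", starttls_offered=False)
    return {
        "broken-test-site": evaluate(effective_policy(None, None), no_tls),
        "enforce-no-starttls": evaluate(enforce, no_tls),
        "enforce-not-attempted": evaluate(enforce, Attempt("mx1.example.test", starttls_attempted=False)),
        "enforce-wrong-mx": evaluate(enforce, Attempt("relay.attacker.test")),
        "enforce-good": evaluate(enforce, Attempt("host.backup.example.test")),
        "testing-no-starttls": evaluate(testing, no_tls),
    }

if __name__ == "__main__":
    for name, (action, reason) in run_scenarios().items():
        print(f"{name:24s} {action:8s} {reason}")
```

Running the file prints one line per scenario. The `broken-test-site` row is what the original post observed at mtasts.xyz: with the policy unfetchable and nothing cached, the sender behaves as if no policy existed and delivers over opportunistic TLS, so that site cannot show whether enforcement works. The `enforce-no-starttls` row is the outcome a correctly configured outbound MTA must produce for a properly announced policy, and the `enforce-not-attempted` row shows why the "just don't attempt STARTTLS" shortcut only reproduces it in an MTA that does not separate the two cases.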