Path: ...!news.misty.com!.POSTED.veps.esmtp.org!not-for-mail
From: Claus =?iso-8859-1?Q?A=DFmann?= <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>
Newsgroups: comp.mail.sendmail
Subject: Re: Problem with FEATURE('sts'): bogus "not listed in SANs" rejects
Date: Tue, 29 Oct 2024 12:17:24 -0400 (EDT)
Organization: MGT Consulting
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <vfr1qk$vd4$1@news.misty.com>
References: <87a5enl3x6.fsf@miraculix.mork.no> <87v7xbi6ok.fsf@miraculix.mork.no> <5b9c98ce0f90db6169017005e7ede7d5@www.novabbs.com> <87iktbi0oc.fsf@miraculix.mork.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 29 Oct 2024 16:17:24 -0000 (UTC)
Injection-Info: news.misty.com; posting-host="veps.esmtp.org:155.138.203.148";
logging-data="32164"; mail-complaints-to="abuse@misty.com"
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
Bytes: 2097
Lines: 30

Unfortunately this has not yet been released:

8.18.2/8.18.2	202x/xx/xx
	Fix matching of wildcard SANs in the experimental support
		for SMTP MTA Strict Transport Security (MTA-STS).
		Problem reported by Dilyan Palauzo.

Here's the current version of the ruleset:

dnl check SAN for STS
SSTS_SAN
ifdef(`_STS_SAN', `dnl
R$*			$: $&{server_name}
# {server_name} does not have a trailing dot
# R$+.			$1
dnl exact match
R$={cert_altnames}	$@ ok
# strip one level up to first dot
R$~. . $+		.$2
dnl wildcard: *. not just .
R.$+			$: *.$1
R $={cert_altnames}	$@ ok
dnl always temporary error? make it an option (of the feature)?
R$*			$#error $@ 4.7.0 $: 450 $&{server_name} not listed in SANs', `dnl')
--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
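
The matching order of the ruleset above, modelled in Python as an added example; it is not part of the original post and not sendmail code. The function name, the sample SAN list and the case folding are assumptions of this sketch.

```python
# Model of the STS_SAN ruleset's steps: exact match first, then one
# wildcard attempt with only the leftmost label replaced by "*".

# Constructed sample standing in for the {cert_altnames} class.
SAMPLE_SANS = ["mail.example.com", "*.mx.example.net"]


def sts_san_check(server_name, cert_altnames):
    """Return "ok" or the temporary-error text used by the ruleset."""
    # Assumption of this sketch: names are compared case-insensitively.
    sans = {san.lower() for san in cert_altnames}
    name = server_name.lower()

    # "exact match": R$={cert_altnames} -> $@ ok
    if name in sans:
        return "ok"

    # "strip one level up to first dot": R$~. . $+ -> .$2
    # The rule needs a non-dot first token, a dot, and something after it.
    first, dot, rest = name.partition(".")
    if first and dot and rest:
        # "wildcard: *. not just .": R.$+ -> *.$1, then look it up again
        if "*." + rest in sans:
            return "ok"

    # Final rule: always a temporary (4.7.0 / 450) error.
    return "450 %s not listed in SANs" % server_name


if __name__ == "__main__":
    for host in ("mail.example.com",      # exact SAN
                 "a.mx.example.net",      # covered by *.mx.example.net
                 "a.b.mx.example.net",    # two labels deep: not covered
                 "mx.example.net",        # the wildcard's own base name
                 "localhost"):            # no dot, no wildcard attempt
        print(host, "->", sts_san_check(host, SAMPLE_SANS))
```

Only one label is ever stripped, so a wildcard SAN covers exactly one level below its base name and never the base name itself.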