From: Claus Aßmann
Newsgroups: comp.mail.sendmail
Subject: Re: Problem with FEATURE('sts'): bogus "not listed in SANs" rejects
Date: Tue, 29 Oct 2024 12:17:24 -0400 (EDT)
Organization: MGT Consulting
References: <87a5enl3x6.fsf@miraculix.mork.no> <87v7xbi6ok.fsf@miraculix.mork.no> <5b9c98ce0f90db6169017005e7ede7d5@www.novabbs.com> <87iktbi0oc.fsf@miraculix.mork.no>

Unfortunately this has not yet been released:

8.18.2/8.18.2 202x/xx/xx
	Fix matching of wildcard SANs in the experimental support for
	SMTP MTA Strict Transport Security (MTA-STS).
	Problem reported by Dilyan Palauzo.

Here's the current version of the ruleset:

dnl check SAN for STS
SSTS_SAN
ifdef(`_STS_SAN', `dnl
R$*			$: $&{server_name}
# {server_name} does not have a trailing dot
# R$+.			$1
dnl exact match
R$={cert_altnames}	$@ ok
# strip one level up to first dot
R$~. . $+		.$2
dnl wildcard: *. not just .
R.$+			$: *.$1
R$={cert_altnames}	$@ ok
dnl always temporary error? make it an option (of the feature)?
R$*			$#error $@ 4.7.0 $: 450 $&{server_name} not listed in SANs', `dnl')

-- 
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all
readers.
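As an added illustration (not part of the post and not sendmail's own code), here is the check the STS_SAN ruleset above performs, written out in Python: an exact match against the certificate's SANs first, then a single-level wildcard obtained by cutting the name at its first dot and prefixing "*.". It assumes cert_altnames holds the dNSName SANs as strings, that server_name arrives without a trailing dot (as the ruleset's comment states), and that names compare case-insensitively.

```python
# Added example: the MTA-STS SAN check of the STS_SAN ruleset, in Python.
# Not sendmail code. Assumes cert_altnames = dNSName SANs from the server
# certificate, and server_name = the hostname being validated (no trailing dot).

def _strip_one_label(name: str) -> str:
    """Mirror of  R$~. . $+ -> .$2 : drop the leftmost label, keep the dot.

    "$~." needs a non-dot first token, so a name without any dot (or one
    starting with a dot) does not match that rule and is returned unchanged.
    """
    if not name or name.startswith(".") or "." not in name:
        return name
    return name[name.index("."):]          # "mx.example.com" -> ".example.com"


def sts_san_match(server_name: str, cert_altnames: list[str]) -> str:
    """Return "ok" if server_name is covered by a SAN, else the 450 text.

    Like the ruleset, a wildcard covers exactly one level: "*.example.com"
    matches "mx.example.com" but neither "a.b.example.com" nor "example.com".
    """
    # Assumption: DNS names are case-insensitive; sendmail's class lookup
    # handles that for the ruleset, here we fold case explicitly.
    name = server_name.rstrip(".").lower()
    sans = {s.rstrip(".").lower() for s in cert_altnames}

    # dnl exact match  (R$={cert_altnames}  $@ ok)
    if name in sans:
        return "ok"

    # strip one level up to first dot, then  R.$+  $: *.$1
    stripped = _strip_one_label(name)
    if stripped.startswith("."):
        wildcard = "*" + stripped           # ".example.com" -> "*.example.com"
        if wildcard in sans:
            return "ok"

    # always a temporary error for now (the post asks whether to make it an option)
    return f"450 {server_name} not listed in SANs"
```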