Better add "mta-sts" to the list of sub-domains you don't allow your users to register: https://tools.ietf.org/html/rfc8461#section-3.2 …
Replying to @__agwa
while that's an interesting idea, realistically... people will probably rarely have a domain with user-subdomains *and* run email on it.
Thinking about it: this is almost irrelevant. If the host operator wants to use MTA-STS they'll already have claimed the domain. If not, they won't set the DNS record. So even if you control the subdomain your policy will never be read.
Replying to @hanno
I'm not saying that allowing this sub-domain to be registered automatically creates a security vulnerability. But it seems safer to blacklist it now to avoid potential headaches and bugs if you ever decide to deploy MTA-STS in the future.
Also, just because "mta-sts" has been provisioned by the operator doesn't necessarily mean a user can't usurp it. You could end up with two Apache virtual hosts - one provisioned manually by the operator for MTA-STS, the other created automatically by the user onboarding code.
Which one gets used depends on the order in the config. I'm also reminded of .io being taken over because they let someone register the domains ns-a[1-4].io - the same names as their NS servers. So I stand by my advice - just blacklist "mta-sts".
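The check the thread argues for, as an added example (not code from either participant): a reserved-label filter for a user-onboarding flow that refuses "mta-sts" (the policy host from RFC 8461 section 3.2), "_mta-sts" (the TXT record owner name, for providers that also let users create DNS records), and any label that would shadow one of the zone's own nameservers, which is the ns-a[1-4].io failure mode. The parent domain and nameserver names are constructed for illustration.

```python
"""Reserved-subdomain check for user registration (added example, not the
thread's code). Domain and nameserver names below are constructed."""
from __future__ import annotations

import re

# Labels the operator must keep for itself. "mta-sts" is the HTTPS host that
# serves https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461 s3.2);
# "_mta-sts" is the owner name of the TXT record announcing the policy
# (RFC 8461 s3.1), relevant where users can create DNS records, not just hosts.
OPERATOR_RESERVED = frozenset({"mta-sts", "_mta-sts"})

# Constructed example: authoritative nameservers of the hosting domain. Two sit
# inside the zone itself, one is external; only in-zone names need reserving.
EXAMPLE_NAMESERVERS = ["ns-a1.example.io.", "NS-A2.example.io", "ns1.dns-provider.example"]

# One DNS label: a-z, 0-9, hyphens, no leading/trailing hyphen, <= 63 chars.
# An optional leading underscore is tolerated so that record owner names such
# as _mta-sts reach the reserved-list check instead of failing syntax first.
_LABEL_RE = re.compile(r"^_?[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _normalize(name: str) -> str:
    """Lower-case, trim whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")


def reserved_labels_for(parent_domain: str, nameservers) -> set[str]:
    """Labels that must stay under operator control directly below parent_domain."""
    reserved = set(OPERATOR_RESERVED)
    parent = _normalize(parent_domain)
    for ns in nameservers:
        ns = _normalize(ns)
        if ns.endswith("." + parent):
            # In-zone nameserver: reserve the label directly under the parent
            # so a user cannot register a host that shadows it.
            relative = ns[: -len(parent) - 1]
            reserved.add(relative.split(".")[-1])
    return reserved


def check_subdomain(label: str, parent_domain: str, nameservers) -> tuple[bool, str]:
    """Return (allowed, reason) for a user asking for <label>.<parent_domain>."""
    label = _normalize(label)
    if not _LABEL_RE.match(label):
        return False, "not a valid DNS label"
    if label in reserved_labels_for(parent_domain, nameservers):
        return False, f"'{label}' is reserved by the operator"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["alice", "MTA-STS.", "_mta-sts", "ns-a1", "ns1", "-bad"]:
        print(candidate, check_subdomain(candidate, "example.io", EXAMPLE_NAMESERVERS))
```

The nameserver list should come from the zone's actual NS records at deploy time rather than a hand-maintained list, and the same filter belongs in every path that can create a virtual host, otherwise the manually provisioned mta-sts vhost and an automatically created one can still coexist with only config order deciding which answers.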