Re: Problem with FEATURE('sts'): bogus "not listed in SANs" rejects

Unfortunately this has not yet been released:
8.18.2/8.18.2 202x/xx/xx
Fix matching of wildcard SANs in the experimental support
for SMTP MTA Strict Transport Security (MTA-STS).
Problem reported by Dilyan Palauzo.

Here's the current version of the ruleset:

dnl check SAN for STS
SSTS_SAN
ifdef(`_STS_SAN', `dnl
R$* $: $&{server_name}
# {server_name} does not have a trailing dot
# R$+. $1
dnl exact match
R$={cert_altnames} $@ ok
# strip one level up to first dot 
R$~. . $+ .$2
dnl wildcard: *. not just .
R.$+ $: *.$1
R $={cert_altnames} $@ ok
dnl always temporary error? make it an option (of the feature)?
R$* $#error $@ 4.7.0 $: 450 $&{server_name} not listed in SANs', `dnl')



--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.