MTA-STS bounce error from gmail after removing MIAB

firatkiral · January 6, 2021, 5:33am

Hi,

It’s been almost a week since I completely removed MIAB server and all DNS settings are updated with new email provider’s (yandex). My domain (kiral.net) successfully sends & receives email from any other providers like yahoo, icloud etc. but I cannot receive email from gmail and gives following bounce error:

“The MX host does not match any MX allowed by the STS policy.”

I saw another mta-sts related issue posted here:

Does anyone know what is happening here?

I appreciate any help.

Thanks.

daveteu · January 6, 2021, 5:58am

I believe you probably need to remove the policy with GMAIL, by doing the mta sts steps again, then setting the mode to “none”, then hopefully gmails read it, and update the policy.

From what is happening right now, it seems your previous mta-sts policy is still being enforced.

Example of a policy to remove mta-sts

version: STSv1
mode: none
mx: mail.example.com
mx: *.example.net
mx: backupmx.example.com
max_age: 604800

https://www.uriports.com/blog/mta-sts-explained/

firatkiral · January 7, 2021, 5:52am

Thank you, I’ll give it a try.

MIAB-lover · January 7, 2021, 9:03pm

Were you using MIAB internal nameservers? (the nameservers for your domain were pointing to ns1 and ns2.box.domain.com). If yes, all previous configuration should indeed have totally disappeared. I don’t see how anyone could still access it.

If you were using an external DNS configuration, check you correctly removed everything in your nameservers configuration.

It could be GMAIL which cached your previous MTA-STS (up to the “max_age” period defined) and still enforces it as Daveteu mentions. But in this case, as GMAIL isn’t reading your new config (unless there isn’t any, and that would be your problem), I don’t really see why it would read your “removal” request.

Or maybe there’s a problem with your new Yandex MTA-SLS policy, and it hasn’t anything to do with the previous MIAB.

firatkiral · January 14, 2021, 9:30pm

Thanks for all help.

I reinstalled MIAB and changed to none as daveteu suggested, after a while gmail removed policy and it started working again.

Cheers.

adskee · February 24, 2021, 8:26pm

As a note to anyone else also suffering this, here’s how to solve without reinstalling MIAB:

If you still have web hosting ability, you need to make the following available via https:

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

You can use certbot to get a certificate for that subdomain.
You need to point a DNS A record to the mta-sts subdomain.
You also need a DNS TXT record for _mta-sts with: “v=STSv1; id=123456789;” (id can be anything, the idea is that when the number changes, it signals a change in the mtasts policy)

Within 12 hours, gmail was delivering to my domain, now hosted on protonmail.

The contents of mta-sts.txt (ignore parens):

version: STSv1
mode: none (this is the critical part - you’re turning off mta-sts with this)
mx: mail.yourdomain.com (or wherever you’re pointing your mx record(s) to now. Can have multiples of this line)
max_age: 604800 (or however long you like, in seconds)

usachris · March 1, 2021, 4:12pm

Another solution is to host your mta-sts on GitHub. I Found a great article to guild you though it if you need the policy while transitioning (e.g. turn it from enforce to testing or change the time down w/o having to host a whole box)