It’s been almost a week since I completely removed the MIAB server, and all DNS settings are updated with the new email provider’s (Yandex). My domain (kiral.net) successfully sends & receives email from any other providers like Yahoo, iCloud etc., but I cannot receive email from Gmail and get the following bounce error:
“The MX host does not match any MX allowed by the STS policy.”
Were you using MIAB internal nameservers? (the nameservers for your domain were pointing to ns1 and ns2.box.domain.com). If yes, all previous configuration should indeed have totally disappeared. I don’t see how anyone could still access it.
If you were using an external DNS configuration, check you correctly removed everything in your nameservers configuration.
It could be GMAIL which cached your previous MTA-STS (up to the “max_age” period defined) and still enforces it as Daveteu mentions. But in this case, as GMAIL isn’t reading your new config (unless there isn’t any, and that would be your problem), I don’t really see why it would read your “removal” request.
Or maybe there’s a problem with your new Yandex MTA-STS policy, and it hasn’t anything to do with the previous MIAB.
You can use certbot to get a certificate for that subdomain.
You need to point a DNS A record to the mta-sts subdomain.
You also need a DNS TXT record for _mta-sts with: “v=STSv1; id=123456789;” (id can be anything; the idea is that when the number changes, it signals a change in the MTA-STS policy)
Within 12 hours, gmail was delivering to my domain, now hosted on protonmail.
The contents of mta-sts.txt (ignore parens):
mode: none (this is the critical part - you’re turning off mta-sts with this)
mx: mail.yourdomain.com (or wherever you’re pointing your mx record(s) to now. Can have multiples of this line)
max_age: 604800 (or however long you like, in seconds)
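As an added illustration (not code from any poster in this thread), a small Python check of the pieces described above: it parses a policy in the shape of the mta-sts.txt quoted, validates the _mta-sts TXT record format, and applies the RFC 8461 MX-matching rule whose failure produces the bounce quoted in the first post when mode is enforce. The sample policy and MX hostnames are constructed; the `version: STSv1` line is required by the RFC even though the post above omits it.

```python
import re

# Constructed sample policy in the shape posted above (parenthetical notes removed).
# RFC 8461 requires the "version: STSv1" line first; the post above leaves it out.
SAMPLE_POLICY = """version: STSv1
mode: none
mx: mail.yourdomain.com
mx: *.mail.yourdomain.com
max_age: 604800
"""

# Constructed _mta-sts TXT record, matching the form quoted in the post.
SAMPLE_TXT = "v=STSv1; id=123456789;"


def parse_policy(text):
    """Parse an mta-sts.txt body into a dict; every 'mx:' line is collected in a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def txt_record_valid(txt):
    """True if the _mta-sts TXT record has the 'v=STSv1; id=...' shape (RFC 8461 sec. 3.1)."""
    return re.fullmatch(r"v=STSv1\s*;\s*id=[A-Za-z0-9]{1,32}\s*;?", txt.strip()) is not None


def mx_matches(mx_host, pattern):
    """RFC 8461 mx matching: exact match, or a leading '*.' wildcard covering exactly one label."""
    mx_host = mx_host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in mx_host and mx_host.split(".", 1)[1] == pattern[2:]
    return mx_host == pattern


def delivery_allowed(policy, mx_hosts):
    """Would a sender honouring this policy deliver to any of these MX hosts?
    'none' and 'testing' never block; 'enforce' blocks when no MX matches a pattern,
    which is the condition behind "MX host does not match any MX allowed by the STS policy"."""
    if policy.get("mode") != "enforce":
        return True
    return any(mx_matches(h, p) for h in mx_hosts for p in policy["mx"])
```

Feed it the policy a receiving domain actually serves at https://mta-sts.yourdomain/.well-known/mta-sts.txt and its current MX hostnames to see whether an enforce policy still permits the new provider.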
Another solution is to host your mta-sts on GitHub. I found a great article to guide you through it if you need the policy while transitioning (e.g. turn it from enforce to testing or change the time down w/o having to host a whole box)
I was going crazy being bounced between Microsoft 365 support and G Suite support. I even created the mta-sts.txt file, but I missed the _mta-sts.domain.com TXT record, so the first solution was not working.
Now fingers crossed, waiting to be picked up by Google.