can't send email to state.gov

writing to USER@state.gov gives us this error:

<REDACTED@state.gov>: TLSA lookup error for christopher-ew.state.gov:25

it's actually from multiple endpoints, my home server and riseup also see this, so this is actually an error with state.gov, i would argue... still worth taking a look.

/cc @gaba

battle plan:

  • confirm with state.gov folks that emails are failing because they check the eugeni TLS cert: state.gov is unwilling to provide more information, but we'll just go with that assertion, as it seems fair that our MX should provide publicly verifiable certificates in the standard CA infrastructure (on top of DNSSEC checks)
  • if so, establish a plan to rebuild an MX with "real" TLS certificates, which is now documented in the roadmap
  • bypass DNSSEC checks for state.gov so we can send mail there
  • bring up their misconfiguration on DNSSEC forums (optional)
Edited by anarcat
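
Before scoping the bypass in the plan above to state.gov alone, it helps to confirm from the mail log which recipient domains are actually deferred with this error. The following is an added example, not part of the original ticket or the project's own tooling: it assumes the sending MTA is Postfix (the error text matches its log format), the log lines are constructed samples, and `tlsa_failures` and `policy_lines` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtp(8) log style (not taken from the
# ticket); recipient addresses and the example.org/.net hosts are placeholders.
SAMPLE_LOG = """\
Jan 10 10:00:01 mx postfix/smtp[2101]: 4A1B2C: to=<user@state.gov>, relay=none, delay=12, delays=0.1/0/12/0, dsn=4.7.5, status=deferred (TLSA lookup error for christopher-ew.state.gov:25)
Jan 10 10:00:05 mx postfix/smtp[2102]: 4A1B2D: to=<bob@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jan 10 10:05:09 mx postfix/smtp[2107]: 4A1B2E: to=<other@state.gov>, relay=none, delay=300, delays=288/0/12/0, dsn=4.7.5, status=deferred (TLSA lookup error for christopher-ew.state.gov:25)
Jan 10 10:06:00 mx postfix/smtp[2109]: 4A1B2F: to=<carol@example.net>, relay=none, delay=30, delays=0/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.20]:25: Connection timed out)
"""

# Only deferrals caused by a failed TLSA (DANE) lookup; other deferrals
# (timeouts, greylisting) must not end up in the exception list.
TLSA_ERR = re.compile(
    r"to=<[^@>]+@(?P<domain>[^>]+)>.*status=deferred "
    r"\(TLSA lookup error for (?P<mx>[^:)]+):(?P<port>\d+)\)"
)

def tlsa_failures(log_text):
    """Map recipient domain -> {"mx": set of MX hosts, "count": deferrals}."""
    hits = defaultdict(lambda: {"mx": set(), "count": 0})
    for line in log_text.splitlines():
        m = TLSA_ERR.search(line)
        if m:
            entry = hits[m["domain"].lower()]
            entry["mx"].add(m["mx"].lower())
            entry["count"] += 1
    return dict(hits)

def policy_lines(failures, level="encrypt"):
    """One smtp_tls_policy_maps entry per affected domain.

    "encrypt" keeps TLS mandatory while skipping the DANE lookup; "may"
    would additionally allow cleartext fallback, so it is not the default.
    """
    return [f"{domain}\t{level}" for domain in sorted(failures)]

if __name__ == "__main__":
    found = tlsa_failures(SAMPLE_LOG)
    for domain, info in sorted(found.items()):
        print(f"{domain}: {info['count']} deferred via {sorted(info['mx'])}")
    print("\n".join(policy_lines(found)))
```

The emitted lines are in the format of a Postfix TLS policy table; each entry is an exception to DANE for that destination only and should be removed once the remote DNSSEC problem is fixed.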