by hannob 1131 days ago
There's a security problem with this and many other such services. Writing this here hoping that this increases knowledge about this:

I would be able to get a TLS certificate for this host. Why? Some TLS certificate providers allow verifying the domain via access to one of the privileged aliases like postmaster. So I could receive the verification token URL by looking at the postmaster inbox.

Every service offering any type of email inbox should block these aliases. They are ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, ‘postmaster’. This is specified in the so-called Baseline Requirements, which is the standard for the operation of certificate authorities: https://cabforum.org/baseline-requirements-documents/


RFC 2142: Mailbox Names for Common Services, Roles and Functions [1]

    MAILBOX        SERVICE             SPECIFICATIONS
    -----------    ----------------    ---------------------------
    POSTMASTER     SMTP                [RFC821], [RFC822]
    HOSTMASTER     DNS                 [RFC1033-RFC1035]
    USENET         NNTP                [RFC977]
    NEWS           NNTP                Synonym for USENET
    WEBMASTER      HTTP                [RFC 2068]
    WWW            HTTP                Synonym for WEBMASTER
    UUCP           UUCP                [RFC976]
    FTP            FTP                 [RFC959]

[1] https://www.rfc-editor.org/rfc/rfc2142
A CAA DNS record will most likely prevent that, just set it to your preferred CA that doesn't do mail-based validation.
This doesn't help if your preferred CA does mail-based validation. The attacker can just use the same CA that you do.