
MTA-STS fails with policy invalid on invalid PKIX for mta-sts.example.com, but should act as if policy is none #1

Open
ichdasich opened this issue Mar 1, 2023 · 0 comments

@ichdasich

Describe the bug
When PKIX validation fails for https://mta-sts.example.com/, the library considers the destination to have completely failed policy validation.

To Reproduce
Steps to reproduce the behavior:

  1. Go to https://email-security-scans.org
  2. Click on 'start test'
  3. Wait for email receipt
  4. Reply all to the received email
  5. Notice that 'challenge_uniq' cannot be delivered. This challenge uses an invalid TLS certificate (no PKIX path; for unrelated reasons and to be fixed in the future)

Expected behavior
According to RFC8461:

   If a valid TXT record is found but no policy can be fetched via HTTPS
   (for any reason), and there is no valid (non-expired) previously
   cached policy, senders MUST continue with delivery as though the
   domain has not implemented MTA-STS.

Suggested Fix

diff --git a/mta-lmdb.pl b/mta-lmdb.pl
index 99b451c..7530d71 100644
--- a/mta-lmdb.pl
+++ b/mta-lmdb.pl
@@ -120,7 +120,7 @@ sub getmta
                        eval { $policy = $domain->policy; } or do {
                                $txn->commit;
 # Found a good MTA-STS DNS entry and no policy is available from the cache or http
-                               return ('fail');
+                               return ('none');
                        };
 # Check for badly formatted Policy
                        eval {
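Review bot: with `return ('none')` the caller of getmta can no longer tell a failed policy fetch from a successfully fetched policy whose mode is `none`; both should lead to unenforced delivery, so the hunk does implement the RFC 8461 text quoted above, but if any caller logs or reports the outcome, consider a distinct return value, or at least extend the comment on the line before the return to say this is the "no policy fetchable and nothing cached" fallback rather than a fetched `mode: none` policy. The surrounding `eval { ... } or do` catches every failure of `$domain->policy`, which is what "for any reason" requires; the `# Check for badly formatted Policy` path that follows is untouched by this change.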

Additional context
This bug and fix have been identified by a colleague using the test system; leaving it open whether the colleague wants to chime in, but I guess the bug should be reported/fixed. ;-)
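As an added illustration, not code from mta-lmdb.pl or from the reporter, the RFC 8461 fallback the report asks for, modelled in Python with hypothetical Policy and PolicyFetchError types: a failed HTTPS fetch (here an untrusted certificate) with no unexpired cached policy yields the mode "none" instead of a delivery failure.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed model of the RFC 8461 section 3.3 decision discussed in the issue:
# a valid MTA-STS TXT record exists, but fetching the policy over HTTPS fails.
# All names here are hypothetical, not the library's API.


@dataclass
class Policy:
    mode: str            # "enforce", "testing" or "none"
    mx: List[str]
    max_age: int         # seconds the policy may be cached
    fetched_at: float    # epoch seconds when it entered the cache

    def valid_at(self, now: float) -> bool:
        # A cached policy is usable until max_age seconds after it was fetched
        return now < self.fetched_at + self.max_age


class PolicyFetchError(Exception):
    """Any failure to fetch https://mta-sts.<domain>/.well-known/mta-sts.txt,
    including a certificate that does not validate via PKIX."""


def effective_policy(txt_ok: bool, fetch: Callable[[], Policy],
                     cached: Optional[Policy], now: float) -> str:
    """Return the mode the sender must act under for this delivery attempt."""
    if not txt_ok:
        return "none"                       # domain does not implement MTA-STS
    try:
        return fetch().mode                 # fresh policy fetched over HTTPS
    except PolicyFetchError:
        # RFC 8461: first fall back to a valid (non-expired) cached policy ...
        if cached is not None and cached.valid_at(now):
            return cached.mode
        # ... otherwise continue as though the domain had no MTA-STS at all.
        # The reported bug returned 'fail' here and refused delivery instead.
        return "none"


def untrusted_cert_fetch() -> Policy:
    # Stands in for the HTTPS client rejecting the server certificate
    raise PolicyFetchError("certificate verify failed: no PKIX path")
```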
