Is there a possibility in cloudron to propagate a mta-sts policy?
-
@7dowWilkes said in Is there a possibility in cloudron to propagate a mta-sts policy?:
mts-sts-policy
I'd never heard of this so I did a search and found this about it from the UK Gov't
-
you can find the RFC - Proposed Standard at https://datatracker.ietf.org/doc/rfc8461/
you only need 3 records in your dns:
- _mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;" --> the id is a time-stamp for the policy
- _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:postmaster@example.com" --> for error analysis and for an MTA-STS validator
- mta-sts.example.com. IN A IP-of-your-webserver --> to propagate the policy under https://mta-sts.example.com/.well-known/mta-sts.txt
The policy could look like this:
version: STSv1
mode: enforce
max_age: 2419200
mx: my.example.orginstead of enforce you can also choose "testing" or "none"
see also https://support.google.com/a/answer/9276511?hl=encloudron would therefore "only" need a central webservice via which the policy under ".well-known/mta-sts.txt" could be published to the respective domains in cloudron
the dns entries could also be set automatically by cloudron or once manually by the domain-owner
-
you can find the RFC - Proposed Standard at https://datatracker.ietf.org/doc/rfc8461/
you only need 3 records in your dns:
- _mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;" --> the id is a time-stamp for the policy
- _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:postmaster@example.com" --> for error analysis and for an MTA-STS validator
- mta-sts.example.com. IN A IP-of-your-webserver --> to propagate the policy under https://mta-sts.example.com/.well-known/mta-sts.txt
The policy could look like this:
version: STSv1
mode: enforce
max_age: 2419200
mx: my.example.orginstead of enforce you can also choose "testing" or "none"
see also https://support.google.com/a/answer/9276511?hl=encloudron would therefore "only" need a central webservice via which the policy under ".well-known/mta-sts.txt" could be published to the respective domains in cloudron
the dns entries could also be set automatically by cloudron or once manually by the domain-owner
@7dowWilkes the problem for me is actually the webserver, which has to make the policy available. probably this is the actual feature-request, if cloudron doesn't offer this possibility yet
-
@7dowWilkes the problem for me is actually the webserver, which has to make the policy available. probably this is the actual feature-request, if cloudron doesn't offer this possibility yet
@7dowWilkes right, this was request a while ago along with DANE support - https://git.cloudron.io/cloudron/box/-/issues/780 . Can look into this next release.
-
G girish moved this topic from Support on
-
@7dowWilkes right, this was request a while ago along with DANE support - https://git.cloudron.io/cloudron/box/-/issues/780 . Can look into this next release.
@girish perfect! That's cool
-
D d19dotca referenced this topic on
-
Recently I played arround, to improve e-mail security with MTA-STS. I was able to simply use surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so may be it might be an easy win @girish , to make this directly possible through cloudron ui, until we implement DANE into cloudron.
Steps to reproduce working MTA-STS setup in cloudron useing surfer app
-
setup surfer app at the following subdomain
mta-sts.<DOMAIN.TLD> -
make folder
.well-knowninside folderpublic -
create mta-sts.txt
version: STSv1 mode: enforce max_age: 86400 mx: mail.<DOMAIN.TLD>(where any mail server which it should belong should have an entry. I'am not quite shure wethere we need mx: my.<DOMAIN.TLD> as well, but for the tests the above has been sufficient.)
- set up following DNS records
_mta-sts in TXT v=STSv1; id=20221123132400Z(where the id is a simple Timestamp or a uniq number to identify the entry)
_smtp._tls in TXT v=TLSRPTv1; rua=mailto:<USERNAME>@<DOMAIN.TLD>(where the rua-Mail-Adress is an Address one want's to get the reports)
EDIT:
We can easily check if the setup is correct via check tls. -
-
Recently I played arround, to improve e-mail security with MTA-STS. I was able to simply use surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so may be it might be an easy win @girish , to make this directly possible through cloudron ui, until we implement DANE into cloudron.
Steps to reproduce working MTA-STS setup in cloudron useing surfer app
-
setup surfer app at the following subdomain
mta-sts.<DOMAIN.TLD> -
make folder
.well-knowninside folderpublic -
create mta-sts.txt
version: STSv1 mode: enforce max_age: 86400 mx: mail.<DOMAIN.TLD>(where any mail server which it should belong should have an entry. I'am not quite shure wethere we need mx: my.<DOMAIN.TLD> as well, but for the tests the above has been sufficient.)
- set up following DNS records
_mta-sts in TXT v=STSv1; id=20221123132400Z(where the id is a simple Timestamp or a uniq number to identify the entry)
_smtp._tls in TXT v=TLSRPTv1; rua=mailto:<USERNAME>@<DOMAIN.TLD>(where the rua-Mail-Adress is an Address one want's to get the reports)
EDIT:
We can easily check if the setup is correct via check tls.@m-si Sweet! Thanks a lot for sharing this workaround. It works perfectly and helps me to cover the time until true MTA-STS + DANE support from Cloudron. E-Mail reputation is really crucial these days.
Just one remark for other readers: If you are doing this for the first time, you should probably start with mode: testing.
Once you have successfully established MTA-STS (no errors), you should change to "mode: enforce" and increase the max_age value. Many senders expect it to be at least several weeks. -
-
Recently I played arround, to improve e-mail security with MTA-STS. I was able to simply use surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so may be it might be an easy win @girish , to make this directly possible through cloudron ui, until we implement DANE into cloudron.
Steps to reproduce working MTA-STS setup in cloudron useing surfer app
-
setup surfer app at the following subdomain
mta-sts.<DOMAIN.TLD> -
make folder
.well-knowninside folderpublic -
create mta-sts.txt
version: STSv1 mode: enforce max_age: 86400 mx: mail.<DOMAIN.TLD>(where any mail server which it should belong should have an entry. I'am not quite shure wethere we need mx: my.<DOMAIN.TLD> as well, but for the tests the above has been sufficient.)
- set up following DNS records
_mta-sts in TXT v=STSv1; id=20221123132400Z(where the id is a simple Timestamp or a uniq number to identify the entry)
_smtp._tls in TXT v=TLSRPTv1; rua=mailto:<USERNAME>@<DOMAIN.TLD>(where the rua-Mail-Adress is an Address one want's to get the reports)
EDIT:
We can easily check if the setup is correct via check tls.@m-si said in Is there a possibility in cloudron to propagate a mta-sts policy?:
Recently I played arround, to improve e-mail security with MTA-STS. I was able to simply use surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so may be it might be an easy win @girish , to make this directly possible through cloudron ui, until we implement DANE into cloudron.
Steps to reproduce working MTA-STS setup in cloudron useing surfer app
-
setup surfer app at the following subdomain
mta-sts.<DOMAIN.TLD> -
make folder
.well-knowninside folderpublic -
create mta-sts.txt
version: STSv1 mode: enforce max_age: 86400 mx: mail.<DOMAIN.TLD>(where any mail server which it should belong should have an entry. I'am not quite shure wethere we need mx: my.<DOMAIN.TLD> as well, but for the tests the above has been sufficient.)
- set up following DNS records
_mta-sts in TXT v=STSv1; id=20221123132400Z(where the id is a simple Timestamp or a uniq number to identify the entry)
_smtp._tls in TXT v=TLSRPTv1; rua=mailto:<USERNAME>@<DOMAIN.TLD>(where the rua-Mail-Adress is an Address one want's to get the reports)
EDIT:
We can easily check if the setup is correct via check tls.Is this tutorial still relevant to be added to the documentation page regarding the MTA-STS, @james?
-
-
I may be misunderstanding this, but if my domain provider supports DNSSEC and I can set the necessary DNS entries for MTA-STS there directly, I would only need to be able to enter the content for the “mta-sts.txt file” under “Well-known URIs” for the respective domain within Cloudron (as described by @m-si under No. 3). Unfortunately, I am only an end user, but would this be a lot of work for the Cloudron developer community?
-
I may be misunderstanding this, but if my domain provider supports DNSSEC and I can set the necessary DNS entries for MTA-STS there directly, I would only need to be able to enter the content for the “mta-sts.txt file” under “Well-known URIs” for the respective domain within Cloudron (as described by @m-si under No. 3). Unfortunately, I am only an end user, but would this be a lot of work for the Cloudron developer community?
@7dowWilkes If I am not mistaken, you can configure it from the DNS level, let's say you're using Cloudflare, so you don't have to create an app to handle MTA-STS for your email. CMIIW.
-
@IniBudi: Thank you for your comment. The DNS entries for MTA-STS are not the problem; I can easily store them with a domain and DNS provider. The critical point is storing the necessary TXT file with the actual rules of conduct, which cannot be provided at the DNS level. To do this, I need a web server under the respective domain, and so, when using Cloudron, I automatically end up in the Cloudron user interface and in the domain settings area. There is already an area for so-called “well-known URIs” where entries for services such as Matrix, Mastodon, and Jitsi can already be stored. In my opinion, to implement this cleanly in cloudron, all that is needed is an input field where the MTA-STS rules can be stored.
-
@7dowWilkes sorry for answering that late. You need to have app that serves the file at the expected URL.
You need to set up surfer app (this is the webserver you are looking for) at mta-sts.YOURDOMAIN.TLD (YOURDOMAIN= is your domain... TLD=Top Level Domain e.g. .com, .org...) inside surfer app you need to create .well-known folder inside folder public and then place the mta-sts file as described earlier there...
I hope this clarifies it for you ...and yes it is still working. @james I think it would be awesome to somehow implement it into cloudron for the ease of use mail setup. As long as it is not implemented maybe a notice in the mail section of cloudron might work.
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better đź’—
Register Login