    Is there a possibility in cloudron to propagate a mta-sts policy?

    Feature Requests
    email mta-sts
    • 7dowWilkes (last edited by girish)

      Hello all,
      Is there a way in Cloudron to propagate an MTA-STS policy?
      For this a txt-file would have to be accessible under a certain domain, e.g. https://mta-sts.domain.org/.well-known/mta-sts.txt

      If there is not something like this in cloudron yet, would this be implementable in principle?

      Many thanks and greetings

      • micmc @7dowWilkes (last edited by micmc)

        @7dowWilkes Sounds like a great idea to me, if it can possibly be implemented. +1


        https://marketingtechnology.agency
        For cutting edge web technologies

        • jdaviescoates

          @7dowWilkes said in Is there a possibility in cloudron to propagate a mta-sts policy?:

          mts-sts-policy

          I'd never heard of this so I did a search and found this about it from the UK Gov't

          https://www.gov.uk/government/publications/email-security-standards/using-the-mail-transfer-agent-strict-transport-security-mta-sts-protocol-in-your-organisation

          I use Cloudron with Gandi & Hetzner

          • 7dowWilkes

            You can find the RFC (Proposed Standard) at https://datatracker.ietf.org/doc/rfc8461/

            You only need 3 records in your DNS:

            1. _mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;" --> the id is a time-stamp for the policy
            2. _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:postmaster@example.com" --> for error analysis and for an MTA-STS validator
            3. mta-sts.example.com. IN A IP-of-your-webserver --> to propagate the policy under https://mta-sts.example.com/.well-known/mta-sts.txt

            The policy could look like this:
            version: STSv1
            mode: enforce
            max_age: 2419200
            mx: my.example.org

            Instead of enforce you can also choose "testing" or "none";
            see also https://support.google.com/a/answer/9276511?hl=en

            Cloudron would therefore "only" need a central web service via which the policy under ".well-known/mta-sts.txt" could be published for the respective domains in Cloudron.

            The DNS entries could also be set automatically by Cloudron, or once manually by the domain owner.

            • 7dowWilkes @7dowWilkes

              @7dowWilkes The problem for me is actually the web server, which has to make the policy available. Probably this is the actual feature request, if Cloudron doesn't offer this possibility yet.

              • girish (Staff) @7dowWilkes

                @7dowWilkes Right, this was requested a while ago along with DANE support: https://git.cloudron.io/cloudron/box/-/issues/780 . Can look into this next release.

                • 7dowWilkes @girish

                  @girish perfect! That's cool

                  • girish (Staff)

                    That suggestion in turn came from https://forum.cloudron.io/topic/2315/cloudron-email-feature-improvements-ideas

                    • m-si (last edited by m-si)

                      Recently I played around to improve e-mail security with MTA-STS. I was able to simply use the Surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so maybe it might be an easy win @girish to make this directly possible through the Cloudron UI, until we implement DANE into Cloudron.

                      Steps to reproduce a working MTA-STS setup in Cloudron using the Surfer app:

                      1. setup surfer app at the following subdomain mta-sts.<DOMAIN.TLD>

                      2. make folder .well-known inside folder public

                      3. create mta-sts.txt

                      version: STSv1
                      mode: enforce
                      max_age: 86400
                      mx: mail.<DOMAIN.TLD>
                      

                      (where every mail server that belongs to it should have an entry. I'm not quite sure whether we need mx: my.<DOMAIN.TLD> as well, but for the tests the above has been sufficient.)

                      4. set up the following DNS records
                      _mta-sts in TXT v=STSv1; id=20221123132400Z
                      

                      (where the id is a simple timestamp or a unique number to identify the entry)

                      _smtp._tls in TXT v=TLSRPTv1; rua=mailto:<USERNAME>@<DOMAIN.TLD> 
                      

                      (where the rua mail address is the address at which one wants to receive the reports)

                      EDIT:
                      We can easily check if the setup is correct via check tls.

                      • nichu42 @m-si (last edited by nichu42)

                        @m-si Sweet! Thanks a lot for sharing this workaround. It works perfectly and helps me to cover the time until true MTA-STS + DANE support from Cloudron. E-Mail reputation is really crucial these days.

                        Just one remark for other readers: If you are doing this for the first time, you should probably start with mode: testing.
                        Once you have successfully established MTA-STS (no errors), you should change to "mode: enforce" and increase the max_age value. Many senders expect it to be at least several weeks.

                        admin @ https://blueplanet.social
                        Matrix: @nichu42:blueplanet.social

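An added example, not code from the thread or from Cloudron: a small checker for the two artefacts the posts above describe, the mta-sts.txt policy file and the _mta-sts TXT record, applying the RFC 8461 rules (version, mode, max_age range, mx lines, id syntax) and flagging the enforce-with-short-max_age caveat from the last reply. The sample policy and TXT record are constructed, modelled on the ones posted; the one-week threshold is an assumption, not an RFC value.

```python
"""Check an MTA-STS policy file and its _mta-sts TXT record against RFC 8461."""
import re

# Constructed sample input, modelled on the policy and TXT record posted in the thread.
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmax_age: 86400\nmx: mail.example.org\n"
SAMPLE_TXT = "v=STSv1; id=20221123132400Z"

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600          # RFC 8461: max_age is at most one year in seconds
ENFORCE_MIN_AGE = 7 * 86400       # assumed threshold for the "raise max_age" warning

def parse_policy(text):
    """Parse 'key: value' lines into a dict; 'mx' may repeat, so it is kept as a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def check_policy(policy):
    """Return a list of problems; an empty list means the policy is acceptable."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in VALID_MODES:
        problems.append(f"mode must be one of {sorted(VALID_MODES)}")
    max_age = None
    try:
        max_age = int(policy.get("max_age", ""))
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            problems.append(f"max_age must be 0..{MAX_AGE_LIMIT} seconds")
    except ValueError:
        problems.append("max_age must be an integer")
    if mode != "none" and not policy["mx"]:
        problems.append("at least one mx line is required")
    if mode == "enforce" and max_age is not None and max_age < ENFORCE_MIN_AGE:
        problems.append("enforce with max_age < 1 week: consider raising it")
    return problems

def parse_sts_txt(record):
    """Parse the _mta-sts TXT record; id must be 1..32 alphanumerics (RFC 8461)."""
    fields = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    if fields.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("invalid _mta-sts TXT record")
    return fields
```

Run the sample through check_policy(parse_policy(SAMPLE_POLICY)) and you get only the max_age warning, which is the situation the last reply describes: a working enforce policy that senders will cache for just a day.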