Cloudron Forum

Is there a possibility in cloudron to propagate a mta-sts policy?

Category: Feature Requests
Tags: email, mta-sts
10 Posts 6 Posters 1.6k Views 7 Watching
    • 7dowWilkes wrote (#1, last edited by girish):

      Hello all,
      is there a way in Cloudron to propagate an MTA-STS policy?
      For this a txt file would have to be accessible under a certain domain, e.g. https://mta-sts.domain.org/.well-known/mta-sts.txt

      If there is not something like this in Cloudron yet, would this be implementable in principle?

      Many thanks and greetings


        • micmc wrote (#2, last edited by micmc):

        @7dowWilkes Sounds like a great idea to me, if it can possibly be implemented. +1

        Ignorance is not an excuse anymore!
        https://AutomateKit.com

        • jdaviescoates wrote (#3):

          @7dowWilkes said in "Is there a possibility in cloudron to propagate a mta-sts policy?": "mts-sts-policy"

          I'd never heard of this so I did a search and found this about it from the UK Gov't

          https://www.gov.uk/government/publications/email-security-standards/using-the-mail-transfer-agent-strict-transport-security-mta-sts-protocol-in-your-organisation

          I use Cloudron with Gandi & Hetzner

          • 7dowWilkes wrote (#4):

            You can find the RFC (Proposed Standard) at https://datatracker.ietf.org/doc/rfc8461/

            You only need 3 records in your DNS:

            1. _mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;" --> the id is a timestamp for the policy
            2. _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:postmaster@example.com" --> for error analysis and for an MTA-STS validator
            3. mta-sts.example.com. IN A IP-of-your-webserver --> to propagate the policy under https://mta-sts.example.com/.well-known/mta-sts.txt

            The policy could look like this:

            version: STSv1
            mode: enforce
            max_age: 2419200
            mx: my.example.org

            Instead of enforce you can also choose "testing" or "none";
            see also https://support.google.com/a/answer/9276511?hl=en

            Cloudron would therefore "only" need a central web service via which the policy under ".well-known/mta-sts.txt" could be published for the respective domains in Cloudron.

            The DNS entries could also be set automatically by Cloudron or once manually by the domain owner.


            • 7dowWilkes wrote (#5):

              @7dowWilkes The problem for me is actually the web server, which has to make the policy available. Probably this is the actual feature request, if Cloudron doesn't offer this possibility yet.


              • girish (Staff) wrote (#6):

                @7dowWilkes Right, this was requested a while ago along with DANE support: https://git.cloudron.io/cloudron/box/-/issues/780 . Can look into this next release.

                • girish moved this topic from Support

                • 7dowWilkes wrote (#7):

                  @girish perfect! That's cool

                  • girish (Staff) wrote (#8):

                    That suggestion in turn came from https://forum.cloudron.io/topic/2315/cloudron-email-feature-improvements-ideas

                    • d19dotca referenced this topic
                    • m-si wrote (#9, last edited by m-si):

                      Recently I played around, to improve e-mail security with MTA-STS. I was able to simply use the Surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so maybe it might be an easy win @girish to make this directly possible through the Cloudron UI, until we implement DANE into Cloudron.

                      Steps to reproduce a working MTA-STS setup in Cloudron using the Surfer app

                      1. Set up the Surfer app at the following subdomain: mta-sts.<DOMAIN.TLD>

                      2. Make a folder .well-known inside the folder public

                      3. Create mta-sts.txt:

                      version: STSv1
                      mode: enforce
                      max_age: 86400
                      mx: mail.<DOMAIN.TLD>

                      (where any mail server which it should belong to should have an entry. I'm not quite sure whether we need mx: my.<DOMAIN.TLD> as well, but for the tests the above has been sufficient.)

                      4. Set up the following DNS records:

                      _mta-sts IN TXT v=STSv1; id=20221123132400Z

                      (where the id is a simple timestamp or a unique number to identify the entry)

                      _smtp._tls IN TXT v=TLSRPTv1; rua=mailto:<USERNAME>@<DOMAIN.TLD>

                      (where the rua mail address is the address at which one wants to get the reports)

                      EDIT:
                      We can easily check if the setup is correct via check tls.

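The records in post #4 and the Surfer-based setup in post #9 both hinge on two small text formats: the `_mta-sts` TXT record and the `.well-known/mta-sts.txt` policy file. The following validator is an added example, not code from this thread or from Cloudron; it checks both against the field rules in RFC 8461 (version first, `mode` limited to enforce/testing/none, `max_age` a non-negative integer of at most 31557600 seconds, `id` 1 to 32 letters or digits) and shows how an `mx:` pattern is matched against an MX hostname (exact match, or a leading `*.` wildcard covering exactly one label). It also warns when an `enforce` policy carries a `max_age` under a week, since the RFC expects values in the range of weeks. All sample inputs are constructed for the example.

```python
"""MTA-STS record and policy validator (added example, not Cloudron code)."""
import re

MAX_AGE_LIMIT = 31557600          # RFC 8461 upper bound for max_age (seconds)
ONE_WEEK = 7 * 24 * 3600          # RFC 8461 expects max_age "in the range of weeks or greater"
VALID_MODES = {"enforce", "testing", "none"}
STS_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")                      # sts-id = 1*32(ALPHA / DIGIT)
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")  # one DNS label


def parse_sts_txt(txt):
    """Split the _mta-sts.<domain> TXT record ('v=STSv1; id=...') into (key, value) pairs."""
    fields = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field {part!r}")
        fields.append((key.strip(), value.strip()))
    return fields


def check_sts_txt(txt):
    """Return a list of problems with the TXT record; an empty list means it is well-formed."""
    try:
        fields = parse_sts_txt(txt)
    except ValueError as e:
        return [str(e)]
    problems = []
    if not fields or fields[0] != ("v", "STSv1"):
        problems.append("record must start with v=STSv1")
    ids = [v for k, v in fields if k == "id"]
    if len(ids) != 1:
        problems.append("exactly one id= field is required")
    elif not STS_ID_RE.match(ids[0]):
        problems.append("id must be 1-32 letters or digits")
    return problems


def parse_policy(text):
    """Parse the policy file body into a dict; 'mx' collects every mx: line in order."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value   # unknown keys are kept; RFC 8461 tells clients to ignore them
    return policy


def valid_mx_pattern(pattern):
    """True if pattern is a hostname, optionally with a single leading '*.' wildcard label."""
    labels = pattern.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(LABEL_RE.match(label) for label in labels)


def check_policy(text):
    """Return (errors, warnings) for a mta-sts.txt body."""
    try:
        policy = parse_policy(text)
    except ValueError as e:
        return [str(e)], []
    errors, warnings = [], []
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines or lines[0].split(":", 1)[0].strip() != "version":
        errors.append("version: must be the first field")
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in VALID_MODES:
        errors.append("mode must be one of enforce, testing, none")
    try:
        max_age = int(policy.get("max_age", ""))
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            errors.append(f"max_age must be between 0 and {MAX_AGE_LIMIT}")
        elif mode == "enforce" and max_age < ONE_WEEK:
            warnings.append("max_age is under one week; RFC 8461 expects weeks or more for enforce")
    except ValueError:
        errors.append("max_age must be a non-negative integer (seconds)")
    if mode != "none" and not policy["mx"]:
        errors.append("at least one mx: pattern is needed unless mode is none")
    for pattern in policy["mx"]:
        if not valid_mx_pattern(pattern):
            errors.append(f"invalid mx pattern {pattern!r}")
    return errors, warnings


def mx_matches(pattern, host):
    """RFC 8461 MX matching: case-insensitive exact match, or '*.' covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # "*.example.org" -> ".example.org"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]     # only one label may precede the suffix
    return pattern == host


# Constructed sample inputs, modelled on the records discussed in the thread.
SAMPLE_TXT = "v=STSv1; id=20221123132400Z"
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmax_age: 86400\nmx: mail.example.org\n"

if __name__ == "__main__":
    print("TXT record problems:", check_sts_txt(SAMPLE_TXT))
    print("policy errors/warnings:", check_policy(SAMPLE_POLICY))
    print("*.example.org matches mail.example.org:", mx_matches("*.example.org", "mail.example.org"))
```

Run against the sample policy, the checker reports no errors but one warning: `mode: enforce` with `max_age: 86400` is valid, yet the one-day lifetime is far below what the RFC expects once a domain commits to enforcement. The `mx_matches` helper makes the wildcard rule concrete: `*.example.org` covers `mail.example.org` but neither `example.org` itself nor `a.b.example.org`, so each MX host either needs an exact `mx:` line or must sit one label under a wildcard.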

                        • nichu42 wrote (#10, last edited by nichu42):

                        @m-si Sweet! Thanks a lot for sharing this workaround. It works perfectly and helps me to cover the time until true MTA-STS + DANE support from Cloudron. E-Mail reputation is really crucial these days.

                        Just one remark for other readers: If you are doing this for the first time, you should probably start with mode: testing.
                        Once you have successfully established MTA-STS (no errors), you should change to "mode: enforce" and increase the max_age value. Many senders expect it to be at least several weeks.

                        Matrix: @nichu42:blueplanet.social
