Is there a possibility in cloudron to propagate a mta-sts policy?
-
Hello all,
is there a way in cloudron to propagate a mts-sts-policy?
For this a txt-file would have to be accessible under a certain domain, e.g. https://mta-sts.domain.org/.well-known/mta-sts.txtIf there is not something like this in cloudron yet, would this be implementable in principle?
Many thanks and greetings
-
@7dowWilkes Sounds like a great idea to me, if it can possibly be implemented. +1
-
@7dowWilkes said in Is there a possibility in cloudron to propagate a mta-sts policy?:
mts-sts-policy
I'd never heard of this so I did a search and found this about it from the UK Gov't
-
you can find the RFC - Proposed Standard at https://datatracker.ietf.org/doc/rfc8461/
you only need 3 records in your dns:
- _mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;" --> the id is a time-stamp for the policy
- _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:postmaster@example.com" --> for error analysis and for an MTA-STS validator
- mta-sts.example.com. IN A IP-of-your-webserver --> to propagate the policy under https://mta-sts.example.com/.well-known/mta-sts.txt
The policy could look like this:
version: STSv1
mode: enforce
max_age: 2419200
mx: my.example.orginstead of enforce you can also choose "testing" or "none"
see also https://support.google.com/a/answer/9276511?hl=encloudron would therefore "only" need a central webservice via which the policy under ".well-known/mta-sts.txt" could be published to the respective domains in cloudron
the dns entries could also be set automatically by cloudron or once manually by the domain-owner
-
@7dowWilkes the problem for me is actually the webserver, which has to make the policy available. probably this is the actual feature-request, if cloudron doesn't offer this possibility yet
-
@7dowWilkes right, this was request a while ago along with DANE support - https://git.cloudron.io/cloudron/box/-/issues/780 . Can look into this next release.
-
-
That suggestion in turn came from https://forum.cloudron.io/topic/2315/cloudron-email-feature-improvements-ideas
-
-
Recently I played arround, to improve e-mail security with MTA-STS. I was able to simply use surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so may be it might be an easy win @girish , to make this directly possible through cloudron ui, until we implement DANE into cloudron.
Steps to reproduce working MTA-STS setup in cloudron useing surfer app
-
setup surfer app at the following subdomain
mta-sts.<DOMAIN.TLD>
-
make folder
.well-known
inside folderpublic
-
create mta-sts.txt
version: STSv1 mode: enforce max_age: 86400 mx: mail.<DOMAIN.TLD>
(where any mail server which it should belong should have an entry. I'am not quite shure wethere we need mx: my.<DOMAIN.TLD> as well, but for the tests the above has been sufficient.)
- set up following DNS records
_mta-sts in TXT v=STSv1; id=20221123132400Z
(where the id is a simple Timestamp or a uniq number to identify the entry)
_smtp._tls in TXT v=TLSRPTv1; rua=mailto:<USERNAME>@<DOMAIN.TLD>
(where the rua-Mail-Adress is an Address one want's to get the reports)
EDIT:
We can easily check if the setup is correct via check tls. -
-
@m-si Sweet! Thanks a lot for sharing this workaround. It works perfectly and helps me to cover the time until true MTA-STS + DANE support from Cloudron. E-Mail reputation is really crucial these days.
Just one remark for other readers: If you are doing this for the first time, you should probably start with mode: testing.
Once you have successfully established MTA-STS (no errors), you should change to "mode: enforce" and increase the max_age value. Many senders expect it to be at least several weeks.