Is there a possibility in cloudron to propagate a mta-sts policy?
-
Hello all,
is there a way in cloudron to propagate a mts-sts-policy?
For this a txt-file would have to be accessible under a certain domain, e.g. https://mta-sts.domain.org/.well-known/mta-sts.txtIf there is not something like this in cloudron yet, would this be implementable in principle?
Many thanks and greetings
-
Hello all,
is there a way in cloudron to propagate a mts-sts-policy?
For this a txt-file would have to be accessible under a certain domain, e.g. https://mta-sts.domain.org/.well-known/mta-sts.txtIf there is not something like this in cloudron yet, would this be implementable in principle?
Many thanks and greetings
@7dowWilkes Sounds like a great idea to me, if it can possibly be implemented. +1
-
@7dowWilkes said in Is there a possibility in cloudron to propagate a mta-sts policy?:
mts-sts-policy
I'd never heard of this so I did a search and found this about it from the UK Gov't
-
you can find the RFC - Proposed Standard at https://datatracker.ietf.org/doc/rfc8461/
you only need 3 records in your dns:
- _mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;" --> the id is a time-stamp for the policy
- _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:postmaster@example.com" --> for error analysis and for an MTA-STS validator
- mta-sts.example.com. IN A IP-of-your-webserver --> to propagate the policy under https://mta-sts.example.com/.well-known/mta-sts.txt
The policy could look like this:
version: STSv1
mode: enforce
max_age: 2419200
mx: my.example.orginstead of enforce you can also choose "testing" or "none"
see also https://support.google.com/a/answer/9276511?hl=encloudron would therefore "only" need a central webservice via which the policy under ".well-known/mta-sts.txt" could be published to the respective domains in cloudron
the dns entries could also be set automatically by cloudron or once manually by the domain-owner
-
you can find the RFC - Proposed Standard at https://datatracker.ietf.org/doc/rfc8461/
you only need 3 records in your dns:
- _mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;" --> the id is a time-stamp for the policy
- _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:postmaster@example.com" --> for error analysis and for an MTA-STS validator
- mta-sts.example.com. IN A IP-of-your-webserver --> to propagate the policy under https://mta-sts.example.com/.well-known/mta-sts.txt
The policy could look like this:
version: STSv1
mode: enforce
max_age: 2419200
mx: my.example.orginstead of enforce you can also choose "testing" or "none"
see also https://support.google.com/a/answer/9276511?hl=encloudron would therefore "only" need a central webservice via which the policy under ".well-known/mta-sts.txt" could be published to the respective domains in cloudron
the dns entries could also be set automatically by cloudron or once manually by the domain-owner
@7dowWilkes the problem for me is actually the webserver, which has to make the policy available. probably this is the actual feature-request, if cloudron doesn't offer this possibility yet
-
@7dowWilkes the problem for me is actually the webserver, which has to make the policy available. probably this is the actual feature-request, if cloudron doesn't offer this possibility yet
@7dowWilkes right, this was request a while ago along with DANE support - https://git.cloudron.io/cloudron/box/-/issues/780 . Can look into this next release.
-
G girish moved this topic from Support on
-
@7dowWilkes right, this was request a while ago along with DANE support - https://git.cloudron.io/cloudron/box/-/issues/780 . Can look into this next release.
@girish perfect! That's cool
-
D d19dotca referenced this topic on
-
Recently I played arround, to improve e-mail security with MTA-STS. I was able to simply use surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so may be it might be an easy win @girish , to make this directly possible through cloudron ui, until we implement DANE into cloudron.
Steps to reproduce working MTA-STS setup in cloudron useing surfer app
-
setup surfer app at the following subdomain
mta-sts.<DOMAIN.TLD> -
make folder
.well-knowninside folderpublic -
create mta-sts.txt
version: STSv1 mode: enforce max_age: 86400 mx: mail.<DOMAIN.TLD>(where any mail server which it should belong should have an entry. I'am not quite shure wethere we need mx: my.<DOMAIN.TLD> as well, but for the tests the above has been sufficient.)
- set up following DNS records
_mta-sts in TXT v=STSv1; id=20221123132400Z(where the id is a simple Timestamp or a uniq number to identify the entry)
_smtp._tls in TXT v=TLSRPTv1; rua=mailto:<USERNAME>@<DOMAIN.TLD>(where the rua-Mail-Adress is an Address one want's to get the reports)
EDIT:
We can easily check if the setup is correct via check tls. -
-
Recently I played arround, to improve e-mail security with MTA-STS. I was able to simply use surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so may be it might be an easy win @girish , to make this directly possible through cloudron ui, until we implement DANE into cloudron.
Steps to reproduce working MTA-STS setup in cloudron useing surfer app
-
setup surfer app at the following subdomain
mta-sts.<DOMAIN.TLD> -
make folder
.well-knowninside folderpublic -
create mta-sts.txt
version: STSv1 mode: enforce max_age: 86400 mx: mail.<DOMAIN.TLD>(where any mail server which it should belong should have an entry. I'am not quite shure wethere we need mx: my.<DOMAIN.TLD> as well, but for the tests the above has been sufficient.)
- set up following DNS records
_mta-sts in TXT v=STSv1; id=20221123132400Z(where the id is a simple Timestamp or a uniq number to identify the entry)
_smtp._tls in TXT v=TLSRPTv1; rua=mailto:<USERNAME>@<DOMAIN.TLD>(where the rua-Mail-Adress is an Address one want's to get the reports)
EDIT:
We can easily check if the setup is correct via check tls.@m-si Sweet! Thanks a lot for sharing this workaround. It works perfectly and helps me to cover the time until true MTA-STS + DANE support from Cloudron. E-Mail reputation is really crucial these days.
Just one remark for other readers: If you are doing this for the first time, you should probably start with mode: testing.
Once you have successfully established MTA-STS (no errors), you should change to "mode: enforce" and increase the max_age value. Many senders expect it to be at least several weeks. -
-
Recently I played arround, to improve e-mail security with MTA-STS. I was able to simply use surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so may be it might be an easy win @girish , to make this directly possible through cloudron ui, until we implement DANE into cloudron.
Steps to reproduce working MTA-STS setup in cloudron useing surfer app
-
setup surfer app at the following subdomain
mta-sts.<DOMAIN.TLD> -
make folder
.well-knowninside folderpublic -
create mta-sts.txt
version: STSv1 mode: enforce max_age: 86400 mx: mail.<DOMAIN.TLD>(where any mail server which it should belong should have an entry. I'am not quite shure wethere we need mx: my.<DOMAIN.TLD> as well, but for the tests the above has been sufficient.)
- set up following DNS records
_mta-sts in TXT v=STSv1; id=20221123132400Z(where the id is a simple Timestamp or a uniq number to identify the entry)
_smtp._tls in TXT v=TLSRPTv1; rua=mailto:<USERNAME>@<DOMAIN.TLD>(where the rua-Mail-Adress is an Address one want's to get the reports)
EDIT:
We can easily check if the setup is correct via check tls.@m-si said in Is there a possibility in cloudron to propagate a mta-sts policy?:
Recently I played arround, to improve e-mail security with MTA-STS. I was able to simply use surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so may be it might be an easy win @girish , to make this directly possible through cloudron ui, until we implement DANE into cloudron.
Steps to reproduce working MTA-STS setup in cloudron useing surfer app
-
setup surfer app at the following subdomain
mta-sts.<DOMAIN.TLD> -
make folder
.well-knowninside folderpublic -
create mta-sts.txt
version: STSv1 mode: enforce max_age: 86400 mx: mail.<DOMAIN.TLD>(where any mail server which it should belong should have an entry. I'am not quite shure wethere we need mx: my.<DOMAIN.TLD> as well, but for the tests the above has been sufficient.)
- set up following DNS records
_mta-sts in TXT v=STSv1; id=20221123132400Z(where the id is a simple Timestamp or a uniq number to identify the entry)
_smtp._tls in TXT v=TLSRPTv1; rua=mailto:<USERNAME>@<DOMAIN.TLD>(where the rua-Mail-Adress is an Address one want's to get the reports)
EDIT:
We can easily check if the setup is correct via check tls.Is this tutorial still relevant to be added to the documentation page regarding the MTA-STS, @james?
-
-
I may be misunderstanding this, but if my domain provider supports DNSSEC and I can set the necessary DNS entries for MTA-STS there directly, I would only need to be able to enter the content for the “mta-sts.txt file” under “Well-known URIs” for the respective domain within Cloudron (as described by @m-si under No. 3). Unfortunately, I am only an end user, but would this be a lot of work for the Cloudron developer community?
-
I may be misunderstanding this, but if my domain provider supports DNSSEC and I can set the necessary DNS entries for MTA-STS there directly, I would only need to be able to enter the content for the “mta-sts.txt file” under “Well-known URIs” for the respective domain within Cloudron (as described by @m-si under No. 3). Unfortunately, I am only an end user, but would this be a lot of work for the Cloudron developer community?
@7dowWilkes If I am not mistaken, you can configure it from the DNS level, let's say you're using Cloudflare, so you don't have to create an app to handle MTA-STS for your email. CMIIW.
-
@IniBudi: Thank you for your comment. The DNS entries for MTA-STS are not the problem; I can easily store them with a domain and DNS provider. The critical point is storing the necessary TXT file with the actual rules of conduct, which cannot be provided at the DNS level. To do this, I need a web server under the respective domain, and so, when using Cloudron, I automatically end up in the Cloudron user interface and in the domain settings area. There is already an area for so-called “well-known URIs” where entries for services such as Matrix, Mastodon, and Jitsi can already be stored. In my opinion, to implement this cleanly in cloudron, all that is needed is an input field where the MTA-STS rules can be stored.
