Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jartf/mta-sts

mta-sts configuration
https://github.com/jartf/mta-sts

Last synced: 20 days ago
JSON representation

mta-sts configuration

Awesome Lists containing this project

README 

        


  


  📩 A Template to host an MTA-STS Policy file on GitHub

  





Use this template to host your MTA Strict Transport Security (MTA-STS) [RFC 8461] policy file on GitHub Pages.





  How To Use •

  License •

  Author




MTA-STS is a security standard to secure e-mail delivery. E-mail servers that send inbound e-mail to your domain will be able to detect that your e-mail server supports SMTP-over-TLS via `STARTTLS` (also known as [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS)) before opening the actual connection.



In case the sending e-mail server is not able to initiate a secure connection, it will end the connection to enforce transport layer encryption. This mitigates [Man-in-the-middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) DNS and SMTP [downgrade attacks](https://en.wikipedia.org/wiki/Downgrade_attack) that would allow an attacker to read or manipulate e-mail in transit.



## How To Use



1. Make sure you are [signed in to GitHub](https://github.com/login). Then click on [**Use this template**](https://github.com/jpawlowski/mta-sts.template/generate) to create a copy to your own GitHub profile (see [GitHub Docs](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-repository-from-a-template)). Don't _clone_ the repository.

   You may name your repository whatever you like. For simplicity, you can name it `mta-sts.`.



2. Change the file `.well-known/mta-sts.txt` according to your needs.



3. Create a `CNAME` record for `mta-sts.` in your domain's DNS that points to `.github.io` or `.github.io` and [enable GitHub Pages](https://docs.github.com/articles/using-a-custom-domain-with-github-pages/).



4. Open a browser to `https://mta-sts.` and make sure it does not show any certificate warnings.



5. Create a `TXT` record for `_mta-sts.` in your domain's DNS to enable the MTA-STS policy for your domain.



   You may copy & paste this to your DNS provider:



   ```dns

   #HOST       #TTL    #TYPE    #VALUE

   _mta-sts    3600    TXT      "v=STSv1; id=20220317000000Z"

   ```



   **Note that you will need to change the `id=` here whenever you make changes to your `mta-sts.txt` policy file.**



6. Validate your setup, for example by using the [MTA-STS Lookup by MXToolBox](https://mxtoolbox.com/mta-sts.aspx), or looking into your [Hardenize Public Report](https://www.hardenize.com/).



_Optional (but **highly recommended**):_



7. Create another `TXT` record for `_smtp._tls.` in your domain's DNS to enable reporting (see [RFC 8460](https://datatracker.ietf.org/doc/html/rfc8460)).

   You may copy & paste this to your DNS provider:



   ```dns

   #HOST         #TTL    #TYPE    #VALUE

   _smtp._tls    3600    TXT      "v=TLSRPTv1; rua=mailto:tls-rua@mailcheck."

   ```



   Note that the e-mail recipient mailbox shall be on a different domain _without_ MTA-STS being configured. This could be a subdomain like `mailcheck.`.

   It is also quite painful to manually deal with the reports other e-mail providers will send to you. For that particular reason, you may want to consider sending these e-mails to a 3rd-party tool like [Report URI](https://report-uri.com/), [URIports](https://www.uriports.com/), or from other commercial providers.



   You probably want this to be the same tool you might use for DMARC reports, like [DMARC Analyzer](https://www.dmarcanalyzer.com/) or [Dmarcian](https://dmarcian.com/).



## License



[MIT License](https://github.com/jpawlowski/mta-sts.template/blob/gh-pages/LICENSE)



## Author



[julian.pawlowski.me](https://julian.pawlowski.me/)  · 

GitHub [@jpawlowski](https://github.com/jpawlowski/mta-sts.template)  · 

Mastodon [@[email protected]](https://chaos.social/@Loredo)