
Mail Server MTA STS

Lucas Holt edited this page Aug 21, 2022 · 1 revision

## Inbound

Steps to set up MTA-STS for inbound mail:

1. Create two DNS TXT records: one advertising MTA-STS and one for reporting issues with TLS connectivity.
2. Spin up a new website with the domain prefix mta-sts and a file with your configuration.
3. Verify your mail server works with STARTTLS before setting enforce, or else you can lose email. Make sure the TLS certificates are valid and not user-created (self-signed). You can use Let's Encrypt to get some for free as needed.

### DNS Records

```
_mta-sts.midnightbsd.org. TXT "v=STSv1; id=3"

_smtp._tls.midnightbsd.org. TXT "v=TLSRPTv1; rua=mailto:tlsrpt@youremaildomainhere"
```

The id field should be incremented each time you change the file on the webserver.

## Website setup

Set up the website mta-sts.yourdomain.com.

You're going to want to make sure this is available over TLS.

Create a new file /.well-known/mta-sts.txt

Example content:

```
version: STSv1
mode: enforce
mx: stargazer.midnightbsd.org
mx: discovery.midnightbsd.org
max_age: 604800
```

Mode should be either enforce or testing. The recommended max_age is 2+ weeks (given in seconds); we're using a lower amount here.
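Before switching mode to enforce it is worth checking the records above the way a sending MTA will read them. The following script is an added example, not part of this wiki page or of any MidnightBSD tool: it parses the `_mta-sts` TXT record and the `mta-sts.txt` policy, flags the problems that would make enforce mode bounce mail (bad mode, out-of-range `max_age`, missing `mx` lines), implements the RFC 8461 MX matching rule (a `*.` pattern matches exactly one leading label), and includes a live STARTTLS probe that verifies the certificate chain and hostname the way a remote server will. The sample record and policy are constructed to mirror the page's examples; `check_starttls` needs network access and is only called from the demo block. Mode `none` is accepted because RFC 8461 defines it, although the page only uses enforce and testing.

```python
"""Pre-flight checks for an MTA-STS deployment (RFC 8461).

Added example, not code from the MidnightBSD wiki. Sample inputs below
are constructed to match the records shown on the page.
"""
import re
import smtplib
import ssl

# Constructed samples modelled on the page's DNS record and policy file.
SAMPLE_TXT = "v=STSv1; id=3"
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: stargazer.midnightbsd.org
mx: discovery.midnightbsd.org
max_age: 604800
"""

MAX_AGE_LIMIT = 31557600          # RFC 8461: max_age MUST NOT exceed one year
RECOMMENDED_MIN_AGE = 14 * 86400  # the page's "2+ weeks" recommendation


def parse_sts_txt(record: str) -> dict:
    """Parse 'v=STSv1; id=...' into a dict; raise on a malformed record."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must start with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy(text: str) -> dict:
    """Parse mta-sts.txt into a dict; repeated 'mx' lines become a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def validate_policy(policy: dict) -> list:
    """Return a list of problems; an empty list means the policy is usable."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    try:
        age = int(policy.get("max_age", ""))
        if not 0 <= age <= MAX_AGE_LIMIT:
            problems.append("max_age must be between 0 and 31557600 seconds")
        elif age < RECOMMENDED_MIN_AGE:
            problems.append("max_age is below the recommended two weeks")
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    if not policy["mx"]:
        problems.append("at least one mx line is required")
    for pattern in policy["mx"]:
        if not re.fullmatch(r"(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+", pattern.lower()):
            problems.append(f"bad mx pattern: {pattern}")
    return problems


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 MX matching: exact host, or '*.' matching one leading label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".midnightbsd.org"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def check_starttls(host: str, timeout: float = 10.0) -> str:
    """Live check (network): STARTTLS on port 25 with full certificate and
    hostname verification, which is what a sender in enforce mode requires.
    Returns the negotiated protocol version, e.g. 'TLSv1.3'."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not advertise STARTTLS")
        smtp.starttls(context=ctx)
        smtp.ehlo()
        return smtp.sock.version()


if __name__ == "__main__":
    print(parse_sts_txt(SAMPLE_TXT))
    policy = parse_policy(SAMPLE_POLICY)
    print(policy)
    print(validate_policy(policy) or "policy OK")
    # Uncomment to probe your own MX hosts before setting mode: enforce
    # for mx in policy["mx"]:
    #     print(mx, check_starttls(mx))
```

Run against the page's own values the script reports only that `max_age` is below the recommended two weeks, which matches the note above; a `max_age` of 1209600 clears it. Remember to bump the `id` in the TXT record every time the policy file changes, otherwise senders keep using their cached copy.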

## Outbound

### Postfix

If you are running Postfix, you can install the py-postfix-mta-sts-resolver port. It validates TLS support for other mail servers by looking up their MTA-STS records. It also offers the option of caching with Redis or SQLite3.

You would activate it in Postfix with the following in main.cf:

```
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
```

Here is an example config file mta-sts-daemon.yml with Redis configured.

```yaml
host: 127.0.0.1
port: 8461
reuse_port: true
shutdown_timeout: 20
cache:
  type: redis
  options:
    address: "redis://127.0.0.1/0?timeout=5"
    minsize: 5
    maxsize: 25
default_zone:
  strict_testing: true
  timeout: 4
zones:
  myzone:
    strict_testing: false
    timeout: 4
```

### Sendmail

At this time, we haven't found a way to validate with Sendmail. There are some patches floating around for the Debian package on Linux for DANE, but not for MTA-STS.