MTA-STS support

Discussion in 'Feature Requests' started by felan, Apr 11, 2019.

  1. felan

    felan Member HowtoForge Supporter

    Google has just started using MTA-STS on their systems. It would be a great to follow suit with them, as this would secure peoples e-mail communication further.

    Are there any plans for this?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I can see, there are no changes required in ISPConfig. You just have to use an official SSL cert for your mail system and add a DNS TXT record. Both is already possible.
    girthh likes this.
  3. felan

    felan Member HowtoForge Supporter

    Mhm plus we need postfix-mta-sts-resolver as well. But thanks. If anyone got other input to this, feel free :) It's something that I will work a bit further with.
    girthh likes this.
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    There is additionally a policy file served (https://mta-sts.domain.tld/.well-known/mta-sts.txt) which must include 'mx' entries for all mx records, and those are to be included in SAN fields of the smtp certificate. This can all be done manually in the short term, but would make sense to have a nice integrated setup for this in the same manner that DKIM keys are generated and can be both added to DNS and configured in the mail server.

    Likely the time to implement would be while (or after) working on the setup for smtp sni, as ISPConfig will know exactly what names are in the certificates it requests and configures for smtp, so could generate a mta-sts policy with those names as well.
    girthh likes this.
  5. felan

    felan Member HowtoForge Supporter

    Hmm yeah that would be nice if that could be incorporated in to ISPConfig. Especially for servers with lots of domains on them.
    girthh likes this.
  6. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    I don't think, that should be a part of ispconfig. Just create w website for your mts-server. with nginx you can use something like
    location ^~ /.well-known/mta-sts.txt {
       try_files $uri @mta-sts;
    location @mta-sts {
    #  add_header Content-Type "text/plain";
      return 200 "version: STSv1\nmode: enforce\nmx:\nmax_age: 1036800\n";
    Create a TXT-Record for MTS
    v=STSv1; id=20160831085700B
    and use cnames for other domains.
    girthh and ahrasis like this.
  7. girthh

    girthh New Member

    Although a workaround can be easily done, integration with ISPconfig in the click of a button would keep ISPconfig at the top for website/server implementation for years to come! Even as simple as some code that creates the website with subdomain automatically and adds nginx directives by default; Generating the id=timestamp RFC requirement and noting to users what to copy/paste into their txt records.
    Last edited: Dec 7, 2019
    felan likes this.

Share This Page