MTA-STS support

Discussion in 'Feature Requests' started by felan, Apr 11, 2019.

  1. felan

    felan Member HowtoForge Supporter

    Google has just started using MTA-STS on their systems. It would be great to follow suit with them, as this would secure people's e-mail communication further.

    Are there any plans for this?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I can see, there are no changes required in ISPConfig. You just have to use an official SSL cert for your mail system and add a DNS TXT record. Both are already possible.
  3. felan

    felan Member HowtoForge Supporter

    Mhm, plus we need postfix-mta-sts-resolver as well. But thanks. If anyone has other input on this, feel free :) It's something that I will work a bit further with.
  4. Jesse Norell

    Jesse Norell Well-Known Member

    There is additionally a policy file served (https://mta-sts.domain.tld/.well-known/mta-sts.txt) which must include 'mx' entries for all mx records, and those are to be included in SAN fields of the smtp certificate. This can all be done manually in the short term, but would make sense to have a nice integrated setup for this in the same manner that DKIM keys are generated and can be both added to DNS and configured in the mail server.

    Likely the time to implement would be while (or after) working on the setup for SMTP SNI, as ISPConfig will know exactly what names are in the certificates it requests and configures for SMTP, so it could generate an MTA-STS policy with those names as well.
  5. felan

    felan Member HowtoForge Supporter

    Hmm, yeah, that would be nice if that could be incorporated into ISPConfig. Especially for servers with lots of domains on them.
  6. florian030

    florian030 ISPConfig Developer

    I don't think that should be a part of ISPConfig. Just create a website for your mta-sts server. With nginx you can use something like
    location ^~ /.well-known/mta-sts.txt {
        try_files $uri @mta-sts;
    }
    location @mta-sts {
        # the policy must be served as text/plain, so set the type for this location
        default_type text/plain;
        # mail.example.com is a placeholder; list every MX host of the domain
        return 200 "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 1036800\n";
    }
    Create a TXT record for MTA-STS
    v=STSv1; id=20160831085700B
    and use CNAMEs for other domains.
    ahrasis likes this.
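A small checker for the two artefacts the thread describes: the policy file at /.well-known/mta-sts.txt (which must list an mx entry covering every MX host, as Jesse notes) and the _mta-sts TXT record from the nginx recipe. This is an added example, not code from the thread, from ISPConfig or from postfix-mta-sts-resolver; the domain, MX hosts and policy text are constructed, and it goes slightly beyond the thread by implementing the one-label wildcard matching rule and the max_age limit from RFC 8461.

```python
"""Parse and sanity-check an MTA-STS policy file and its DNS TXT record.

Added example (not from the thread). Assumed/constructed inputs below:
a hypothetical example.com with two MX hosts.
"""
import re

# Constructed sample inputs, not real records.
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.backup.example.com\n"
    "max_age: 1036800\n"
)
SAMPLE_TXT = "v=STSv1; id=20160831085700B"
SAMPLE_MX_HOSTS = ["mail.example.com", "mx2.backup.example.com"]

MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age is at most one year in seconds


def parse_policy(text):
    """Return {'version', 'mode', 'max_age', 'mx': [...]} or raise ValueError.

    Required fields must be present exactly once; unknown fields are
    ignored, as the RFC tells receivers to do; at least one non-empty
    mx entry is required so an empty 'mx:' line (easy to leave behind in
    a copy-pasted nginx return) is caught.
    """
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed policy line: %r" % raw)
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError("duplicate field: " + key)
            policy[key] = value
    for key in ("version", "mode", "max_age"):
        if key not in policy:
            raise ValueError("missing required field: " + key)
    if policy["version"] != "STSv1":
        raise ValueError("unsupported version: " + policy["version"])
    if policy["mode"] not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode: " + policy["mode"])
    if not policy["max_age"].isdigit() or int(policy["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be an integer of at most %d" % MAX_AGE_LIMIT)
    policy["max_age"] = int(policy["max_age"])
    if not policy["mx"] or any(not m for m in policy["mx"]):
        raise ValueError("policy needs at least one non-empty mx entry")
    return policy


def mx_matches(pattern, host):
    """RFC 8461 section 4.1 matching: '*.example.com' covers exactly one extra
    leftmost label (mx1.example.com), never the bare domain or deeper names."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if not host.endswith(suffix):
            return False
        left = host[: -len(suffix)]
        return bool(left) and "." not in left
    return pattern == host


def uncovered_mx_hosts(policy, mx_hosts):
    """Return the MX hostnames that no mx entry of the policy covers."""
    return [h for h in mx_hosts
            if not any(mx_matches(p, h) for p in policy["mx"])]


# RFC 8461: v=STSv1; id=<1..32 alphanumerics>
TXT_RE = re.compile(r"^v=STSv1;\s*id=([A-Za-z0-9]{1,32})\s*;?$")


def parse_txt_record(record):
    """Return the policy id carried by an _mta-sts TXT record, or raise."""
    match = TXT_RE.match(record.strip())
    if not match:
        raise ValueError("not a valid MTA-STS TXT record: %r" % record)
    return match.group(1)


def check_setup(policy_text, txt_record, mx_hosts):
    """Run all checks; return a list of problem strings (empty = consistent)."""
    problems = []
    try:
        parse_txt_record(txt_record)
    except ValueError as exc:
        problems.append(str(exc))
    try:
        policy = parse_policy(policy_text)
    except ValueError as exc:
        return problems + [str(exc)]
    for host in uncovered_mx_hosts(policy, mx_hosts):
        problems.append("MX host %s is not covered by any mx entry" % host)
    return problems


if __name__ == "__main__":
    print(check_setup(SAMPLE_POLICY, SAMPLE_TXT, SAMPLE_MX_HOSTS))
```

Feed it the policy text your web server actually returns and the MX hosts from your zone; an empty result means the three pieces agree. Remember that a receiving MTA also requires the policy to be served over HTTPS with a valid certificate and with Content-Type text/plain, which this offline check does not cover.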