MTA-STS for MIAB?

I’m surprised there’s not been more mention of MTA-STS on here, especially when it fits so nicely with the (very welcome!) implementation of the TLS 1.2 and 1.3-only change in MIAB 0.44. There’s a nice little guide here for setting up MTA-STS along with TLS-RPT.

I’m looking to do that for MIAB. Unfortunately mta-sts is not one of the default sites set up (it does the bare domain, autoconfig, & autodiscover), so that would need adding, and it would also need to be added to the list of (sub)domains included in the Let's Encrypt setup. As far as MIAB goes, that’s all that’s needed - the DNS config will already handle it.

Has anyone had a go at doing this?

Hi Synchro, I appear to have it running according to the online testing tools listed at the end of this post. Hope the following works for you.

From the guide you linked to above, the key steps are:

    1. Draft and publish the MTA-STS policy from a secured web server
    2. Enable SMTP TLS-RPT via a custom DNS TXT record
    3. Signal MTA-STS support with a custom DNS TXT record.

MIAB has the mechanisms to implement all of the above in a relatively straightforward manner, as explained below.

Step 1: Draft and Publish the MTA-STS policy from a secured web server.

As you pointed out, MIAB offers some default sites but not the required mta-sts site. Fortunately it is easy to add and secure with a TLS certificate using the existing GUIs and a command line text editor, as follows.

1a: Create a new webserver for MTA-STS

  • Log in to the admin page of your MIAB site (https://box.yourdomain.com/admin). This assumes your domain is called “yourdomain.com” and the server is set up with the installation default name “box.yourdomain.com”.

  • Click on the “Mail” pulldown menu and select “Users” or “Alias”, (I used Alias but believe it will work for both), then fill in the boxes to create a new alias.

Alias = administrator@mta-sts.yourdomain.com
Forwards To = existing-addr@yourdomain.com

Click on “Add Alias” button to create the alias.

MIAB now does the following:

  • creates the new email alias and lists it on the “admin -> Mail-> Aliases” GUI page
  • creates the website directory structure for “mta-sts.yourdomain.com” and lists it on the “admin -> Web” GUI page
  • creates several admin aliases for this new website and lists them on the “admin -> Mail -> Aliases” GUI page.
  • lists the new domain “mta-sts.yourdomain.com” on the “admin -> System -> TLS(SSL) Certificates” GUI page

1b: Add TLS certificate to the new website

To secure the new MTA-STS subdomain with a TLS certificate:

  • Navigate to the admin GUI -> System -> TLS (SSL) Certificates.

  • Click on the “Provision” button to automatically create a Let's Encrypt certificate. (Make sure that any virtual firewalls protecting your MIAB server at your hosting company (Linode, DigitalOcean etc.) are configured as per the firewall settings in the MIAB setup guide; specifically, port 80 needs to be open for the Let's Encrypt servers to talk to the MIAB installation.)

Assuming the Let's Encrypt TLS certificate is installed OK, you now have the missing website (mta-sts.yourdomain.com) with a correctly configured TLS certificate chain.

1c: Draft and publish the MTA-STS Policy.

  • Log in to the MIAB server over SSH

  • Navigate to the top-level directory of the new mta-sts website
    cd /home/user-data/www/mta-sts.yourdomain.com

  • Make a new hidden directory called “.well-known”
    sudo mkdir ./.well-known

  • Create the policy file in your editor of choice
    sudo nano /home/user-data/www/mta-sts.yourdomain.com/.well-known/mta-sts.txt

add the following text:

version: STSv1
mode: testing
mx: box.yourdomain.com
max_age: 600

Save the file: Ctrl+X -> Yes -> save as mta-sts.txt

Note the max_age metric is in seconds.

Using a browser, navigate to the URL of your newly minted mta-sts policy document (https://mta-sts.yourdomain.com/.well-known/mta-sts.txt) and see if it will download.

Hopefully you can read your mta-sts policy file and also confirm that the site has a valid TLS certificate.

Quick FYI:

Completing steps 2 and 3 below will deliver a working mta-sts configuration when tested by online tools listed below. However it is worth drawing attention to the following.

I believe that strictly speaking the mta-sts.txt file served by the nginx web server should be of content type “text/plain” with UTF-8 encoding. This can be implemented as a directive in the mta-sts.yourdomain.com section of the config file at /etc/nginx/conf.d/local.conf:

    # Serve mta-sts.txt as Content-Type text/plain with charset UTF-8.
    # (default_type/charset set the single built-in header; add_header Content-Type would emit a duplicate.)
    location = /.well-known/mta-sts.txt {
        types { }
        default_type text/plain;
        charset utf-8;
    }

However, the local.conf file is auto-created by a Python “management” script that will overwrite any manual edits made to the nginx local.conf file over the lifetime of the MIAB installation. It is your choice as to whether you go down the path of customizing the scripts, but there is a clear warning in the local.conf file header that there is no support should things go wrong. Personally it was not something that I wanted to spend time experimenting with and, as mentioned above, it doesn’t appear to be a show-stopper to realizing an mta-sts implementation. (I suspect browser configurations default to assuming the correct format and charset, but that’s only a guess.)

Step 2: Enable SMTP TLS-RPT with a custom DNS TXT record

On the MIAB admin page, navigate to the System -> Custom DNS pulldown.

Create a new TXT record as follows:

Name = _mta_sts.yourdomain.com

Type = TXT (text record)

Value = STSv1; id=202019021809Z

Click the “Set Record” button.

(N.B. I think the id number string can be your choice. Most seem to encode the date in there. I chose to mirror some of the formats I saw on other sites and just modified it with today's date.)

Step 3: Signal MTA-STS support with a custom DNS TXT record

Create an email alias to accept TLS reports from other Mail Transfer Agents.

Navigate to admin page -> Mail -> Aliases

Alias = tlsrpt@yourdomain.com

Forwards To = existing-addr@yourdomain.com

Click “Add Alias” button.

. . . . . . . . . .

Add another TXT record at admin -> System -> Custom DNS

Name = _smtp._tls.yourdomain.com

Type = TXT (text record)

Value = v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com

Click “Set Record” button


Use the online tools to validate your domain's MTA-STS configuration.

When these tools confirm that your mta-sts configuration is working, gradually increase the max_age over time from minutes to weeks (say 600 secs to 2720400 secs) and switch from “testing” to “enforce” when happy that everything appears to be working OK.

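As an added self-check for the three artefacts the guide above produces (my own example, not code from the guide or from MIAB), here is a small Python validator for the mta-sts.txt policy file, the _mta-sts TXT record and the _smtp._tls TXT record. The sample policy and the yourdomain.com names are constructed placeholders mirroring the guide; the limits (max_age ceiling, id length, accepted modes) come from RFC 8461 and RFC 8460, and the DNS checks deliberately flag the underscore-vs-hyphen label and missing "v=" slips that came up in this thread.

```python
import re

# Constructed sample policy (mine, not from the thread), matching the guide's file contents.
POLICY_OK = "version: STSv1\nmode: testing\nmx: box.yourdomain.com\nmax_age: 600\n"
MAX_AGE_LIMIT = 31557600  # one year, the ceiling RFC 8461 allows for max_age

def parse_policy(text):
    """Parse 'key: value' lines of mta-sts.txt; mx may repeat, so it is kept as a list."""
    policy = {"mx": []}
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        if key.strip() == "mx":
            policy["mx"].append(value.strip())
        else:
            policy[key.strip()] = value.strip()
    return policy

def policy_problems(text):
    """Return problems with the policy file; an empty list means it looks valid."""
    p, problems = parse_policy(text), []
    if p.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if p.get("mode") not in ("testing", "enforce", "none"):
        problems.append("mode must be testing, enforce or none")
    if not p["mx"]:
        problems.append("at least one mx line is required")
    if not (p.get("max_age", "").isdigit() and int(p["max_age"]) <= MAX_AGE_LIMIT):
        problems.append(f"max_age must be whole seconds, at most {MAX_AGE_LIMIT}")
    return problems

def sts_dns_problems(name, value):
    """Check the _mta-sts TXT record; flags the two slips corrected later in this thread."""
    problems = []
    if not name.startswith("_mta-sts."):
        problems.append("record name must be _mta-sts.<domain> (hyphen, not underscore)")
    if not re.fullmatch(r"v=STSv1;\s*id=[A-Za-z0-9]{1,32}\s*;?", value):
        problems.append("value must be 'v=STSv1; id=<1-32 alphanumerics>'")
    return problems

def tlsrpt_dns_problems(name, value):
    """Check the _smtp._tls TXT record: version tag plus one or more mailto:/https: rua URIs."""
    problems = []
    if not name.startswith("_smtp._tls."):
        problems.append("record name must be _smtp._tls.<domain>")
    uri = r"(?:mailto:|https://)[^\s,;]+"
    if not re.fullmatch(rf"v=TLSRPTv1;\s*rua={uri}(?:\s*,\s*{uri})*\s*;?", value):
        problems.append("value must be 'v=TLSRPTv1; rua=mailto:... or https://...'")
    return problems
```

Run it against the file you published and the two records you set in Custom DNS before reaching for the online checkers; it only inspects the text, so fetching the file over HTTPS and checking the certificate is still a separate step.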

Great post, thank you!

Thanks Synchro.

Typo in Step 2 subdomain box needs correcting.

It is currently published as _mta_sts

It needs correcting to _mta-sts


In step 2, the text record should start with:

v=STSv1; id=202019021809Z

I started experimenting with it.

Good explanation

Experimenting a little more with it and I got the first domain working with MTA-STS validation.

One of the issues this way is that you have to create a subdomain for every domain.

Hello,

I’ve implemented it (for testing purposes) in the MiaB installer, so it generates an extra website (MTA-STS.domainname), creates a location to /var/lib/mailinabox etc.

What is the procedure if I want to commit my changes to the real distribution?

Do I have to clone MiaB, make the changes over there and ask for a merge, or is there any other procedure?

Regards,

Sander

Skip the answer: I found it in the distro: https://github.com/mail-in-a-box/mailinabox/blob/master/CONTRIBUTING.md
