Hi Synchro I appear to have it running according to online testing tools listed at the end of this post. Hope the following works for you.
From the guide you linked to above, the key steps are:
- Draft and publish the MTA-STS policy from a secured web server
- Enable SMTP TLS-RPT via a custom DNS TXT record
- Signal MTA-STS support with a custom DNS TXT record.
MIAB has the mechanisms to implement all of the above in a relatively straightforward manner, as explained below.
Step 1: Draft and Publish the MTA-STS policy from a secured web server.
As you pointed out, MIAB offers some default sites but not the required mta-sts site. Fortunately it is easy to add and secure with a TLS certificate using the existing GUIs and a command line text editor, as follows.
1a: Create a new webserver for MTA-STS
- Log in to the admin page of your MIAB site (https://box.yourdomain.com/admin). This assumes your domain is called “yourdomain.com” and the server is set up with the installation default name “box.yourdomain.com”.
- Click on the “Mail” pulldown menu and select “Users” or “Alias” (I used Alias but believe it will work for both), then fill in the boxes to create a new alias.
Alias = administrator@mta-sts.yourdomain.com
Forwards To = existing-addr@yourdomain.com
Click on “Add Alias” button to create the alias.
MIAB now does the following:
- creates the new email alias and lists it on the “admin -> Mail-> Aliases” GUI page
- creates the website directory structure for “mta-sts.yourdomain.com” and lists it on the “admin -> Web” GUI page
- creates several admin aliases for this new website and lists them on the “admin -> Mail -> Aliases” GUI page.
- lists the new domain “mta-sts.yourdomain.com” on the “admin -> System -> TLS(SSL) Certificates” GUI page
1b: Add TLS certificate to the new website
To secure the new MTA-STS subdomain with a TLS certificate:
- navigate to the admin GUI -> System -> TLS (SSL) Certificates.
- Click on the “Provision” button to automatically create a Let's Encrypt certificate. (Make sure that any virtual firewalls protecting your MIAB server at your hosting company (Linode, DigitalOcean, etc.) are configured as per the Firewall settings in the MIAB setup guide; specifically, port 80 needs to be open for the Let's Encrypt servers to talk to the MIAB installation.)
Assuming the Let's Encrypt TLS certificate is installed OK, you now have the missing website (mta-sts.yourdomain.com) with a correctly configured TLS certificate chain.
1c: Draft and publish the MTA-STS Policy.
- log in to the MIAB server over SSH
- navigate to the top level directory of the new mta-sts website:
  cd /home/user-data/www/mta-sts.yourdomain.com
- make a new hidden directory called “.well-known”:
  sudo mkdir ./.well-known
- create the policy file in your editor of choice:
  sudo nano /home/user-data/www/mta-sts.yourdomain.com/.well-known/mta-sts.txt
  and add the following text:
  version: STSv1
  mode: testing
  mx: box.yourdomain.com
  max_age: 600
- Save the file: Ctrl+X -> Yes -> save as mta-sts.txt
Note the max_age metric is in seconds.
Using a browser, navigate to the URL of your newly minted mta-sts policy document and see if it will download. URL: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
…Hopefully you can read your mta-sts policy file and also confirm that the site has a valid TLS certificate.
Quick FYI:
Completing steps 2 and 3 below will deliver a working mta-sts configuration when tested by online tools listed below. However it is worth drawing attention to the following.
I believe that strictly speaking the mta-sts.txt file served by the nginx web server should be of character type “text/plain” and encoding UTF-8. This can be implemented as a directive in the mta-sts.yourdomain.com section of the config file at /etc/nginx/conf.d/local.conf:
    # Serve mta-sts.txt as type=text/plain with charset=UTF-8
    # (default_type sets the MIME type; charset appends "; charset=utf-8" for text/* types,
    # rather than adding a second Content-Type header with add_header)
    location = /.well-known/mta-sts.txt {
        default_type text/plain;
        charset utf-8;
    }
However, the local.conf file is auto-created by a Python “management” script that will overwrite any manual edits made to the nginx local.conf file over the lifetime of the MIAB installation. It is your choice as to whether you go down the path of customizing the scripts, but there is a clear warning in the local.conf file header that there is no support should things go wrong. Personally, it was not something that I wanted to spend time experimenting with and, as mentioned above, it doesn’t appear to be a show-stopper to realizing an mta-sts implementation. (I suspect browser configurations default to assuming the correct format and charset, but that’s only a guess.)
Step 2: Enable SMTP TLS-RPT with a custom DNS TXT record
On the MIAB admin page navigate to the System -> Custom DNS pulldown.
Create a new TXT record as follows
Name = _mta_sts.yourdomain.com
Type = TXT (text record)
Value = STSv1; id=202019021809Z
Click the “Set Record” button.
(N.B. I think the id number string can be your choice. Most seem to encode the date in there. I chose to mirror some of the formats I saw on other sites and just modified it with today's date.)
Step 3: Signal MTA-STS support with a custom DNS TXT record
Create an email alias to accept TLS reports from other Mail Transfer Agents.
navigate to admin page -> Mail -> Aliases
Alias = tlsrpt@yourdomain.com
Forwards To = existing-addr@yourdomain.com
Click “Add Alias” button.
. . . . . . . . . .
Add another TXT record at admin -> System -> Custom DNS
Name = _smtp._tls.yourdomain.com
Type = TXT (text record)
Value = v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com
Click “Set Record” button
Use the online tools to validate your domain's MTA-STS configuration.
When these tools confirm that your mta-sts configuration is working, gradually increase the max_age over time from minutes to weeks (say 600 secs to 2720400 secs) and switch from “testing” to “enforce” when happy that everything appears to be working OK.
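As an added example (not code from the post above or from Mail-in-a-Box), here is an offline checker for the three pieces the procedure publishes: the MTA-STS DNS record, the policy file served from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, and the TLS-RPT DNS record. It parses each one the way RFC 8461 and RFC 8460 specify them (a TXT record at _mta-sts.<domain> reading v=STSv1; id=..., a policy with version/mode/mx/max_age lines, and a TXT record at _smtp._tls.<domain> reading v=TLSRPTv1; rua=...), and then confirms that every real MX hostname is covered by an mx pattern, which is the check that matters before moving from testing to enforce. The yourdomain.com and box.yourdomain.com names are the post's placeholders, the SAMPLE_* values are constructed for the example, and the RFC section numbers in the comments are the ones the checks are taken from; nothing is fetched from the network or the TLS chain verified.

```python
# Added example (not from the original post or Mail-in-a-Box): offline checker for the
# DNS records and policy file that an MTA-STS + TLS-RPT deployment publishes.
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 s.3.2: max_age must not exceed about one year
MODES = {"enforce", "testing", "none"}
MX_PATTERN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)


def _split_tagged(txt):
    """Turn 'k=v; k2=v2' TXT data into a dict; shared by both record parsers."""
    fields = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed field {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_sts_record(txt):
    """_mta-sts.<domain> TXT: 'v=STSv1; id=<1-32 alphanumerics>' (RFC 8461 s.3.1)."""
    fields = _split_tagged(txt)
    if fields.get("v") != "STSv1":
        raise ValueError("record must begin with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_tlsrpt_record(txt):
    """_smtp._tls.<domain> TXT: 'v=TLSRPTv1; rua=mailto:...' (RFC 8460 s.3)."""
    fields = _split_tagged(txt)
    if fields.get("v") != "TLSRPTv1":
        raise ValueError("record must begin with v=TLSRPTv1")
    uris = [u.strip() for u in fields.get("rua", "").split(",") if u.strip()]
    if not uris or not all(u.startswith(("mailto:", "https://")) for u in uris):
        raise ValueError("rua must list one or more mailto: or https: URIs")
    fields["rua"] = uris
    return fields


def parse_policy(text):
    """Policy file body (RFC 8461 s.3.2): 'key: value' lines, 'mx' may repeat."""
    policy = {"mx": []}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if ":" not in line:
            raise ValueError(f"malformed policy line {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key != "mx":
            policy[key] = value
        elif MX_PATTERN_RE.match(value):
            policy["mx"].append(value.lower())
        else:
            raise ValueError(f"bad mx pattern {value!r}")
    if policy.get("version") != "STSv1":
        raise ValueError("policy must declare version: STSv1")
    if policy.get("mode") not in MODES:
        raise ValueError("mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be an integer <= {MAX_AGE_LIMIT} seconds")
    policy["max_age"] = int(age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required unless mode is none")
    return policy


def mx_matches(pattern, host):
    """RFC 8461 s.4.1: '*.example.com' matches exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '.example.com'
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def check_deployment(sts_txt, policy_text, tlsrpt_txt, mx_hosts):
    """Return a list of problems (empty = consistent); mx_hosts are the real MX hostnames."""
    problems, parsed = [], {}
    for label, parser, data in (("_mta-sts TXT", parse_sts_record, sts_txt),
                                ("policy", parse_policy, policy_text),
                                ("_smtp._tls TXT", parse_tlsrpt_record, tlsrpt_txt)):
        try:
            parsed[label] = parser(data)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    # Every real MX host must be covered by a pattern, or enforce mode breaks delivery.
    for host in mx_hosts:
        if "policy" in parsed and not any(mx_matches(p, host) for p in parsed["policy"]["mx"]):
            problems.append(f"policy: MX host {host} matches no mx pattern")
    return problems


# Constructed sample inputs laid out like the post's records (placeholders, not live DNS).
SAMPLE_STS_TXT = "v=STSv1; id=20190218T180900Z"
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: box.yourdomain.com\nmax_age: 600\n"
SAMPLE_TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com"
SAMPLE_MX_HOSTS = ["box.yourdomain.com"]

if __name__ == "__main__":
    found = check_deployment(SAMPLE_STS_TXT, SAMPLE_POLICY, SAMPLE_TLSRPT_TXT, SAMPLE_MX_HOSTS)
    for line in found or ["OK: records and policy are consistent"]:
        print(line)
```

To check a live domain, replace the SAMPLE_* values with the output of `dig +short TXT _mta-sts.yourdomain.com`, `curl -s https://mta-sts.yourdomain.com/.well-known/mta-sts.txt`, `dig +short TXT _smtp._tls.yourdomain.com` and the hostnames from `dig +short MX yourdomain.com`. Because the parsers insist on the exact labels and tags from the RFCs, a mistyped record name or a value missing its v= tag shows up as a problem line rather than being silently ignored, which is the failure mode that online validators report as “no MTA-STS policy found”.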