MTA-STS policy is present but has unexpected settings

I’m seeing this error in my system status, but I can’t see what I’ve done wrong:

MTA-STS policy is present but has unexpected settings. [{'mx': ['post.madra.net'], 'version': 'STSv1', 'mode': 'testing', 'max_age': 86400}]

Here is my MTA-STS file:

https://mta-sts.madra.net/.well-known/mta-sts.txt

version: STSv1
mode: testing
mx: post.madra.net
max_age: 86400

Where’s the problem?

Maybe it should be mode: enforce?

Hmmm… I suppose it could be that. But all the tutorials I’ve read on setting up MTA-STS say to set it to testing first, until you’re sure it’s working OK… which is a bit of a Catch-22 if MIAB flags the fact you’ve set it to testing as an error, in itself.

MiaB configures everything for MTA-STS automatically.

I’m using external DNS, so there’s lots of manual config of these kinds of settings.

Those MTA-STS settings are hosted on the server. External DNS should just be configured to support the DNS records, not the text file served by the server.

My MIAB server runs on a subdomain of a domain which is located on a different server. So the DNS records have to all be set on the server where the TLD is located, not on the MIAB server.

The default MTA-STS file is located at /var/lib/mailinabox/mta-sts.txt. This is independent of DNS records.

Your server configuration is highly unusual and falls into the category of unsupported modifications because the use case is outside the scope of what the project is intended to support. This is why I keep changing the category (which plenty of posts and users make use of, myself included).

Hmmm… I think I may be onto something now. I just checked using an external validator and got a slightly different error message:

EDIT: D’oh! I just realised I checked the subdomain my MIAB was on with that external validator, instead of the actual TLD itself. That seems to check out OK:

So I’m now leaning to the opinion that the MIAB error is spurious and caused by the fact that [I assume!] MIAB expects to be running on its own domain, as opposed to a subdomain [as in my case] of a domain served from elsewhere.

I think you’re missing the entry for the subdomain.

_mta-sts.subdomain.domain.tld

So in your case, with external DNS, you’re missing the _mta-sts.post entry.

This is where I get a bit confused.

Should I have one single MTA-STS record set up on the MIAB server itself [i.e. on the mta-sts.post.madra.net sub-sub-domain, given my MIAB server runs on a sub-domain itself: post.madra.net]?

Or does each domain for which the MIAB server serves mail need its own MTA-STS records eg: mta-sts.somedomain.com, mta-sts.otherdomain.com, mta-sts.thirddomain.com?

I believe each domain that MiaB services, whether it’s the naked domain domain.com or the subdomain subdomain.domain.com, would need the records.

Look in your admin page, then to system → external dns tab.

You should see an entry there for both post.madra.net and madra.net. If your box also hosts another domain (say example.com) then there will be an mta-sts record for that as well: mta-sts.example.com, which would need to be in DNS.

Hi @stuzbot

You need at least two DNS records for each domain you serve mail from:

  1. Either a CNAME record or an A record for the mta-sts subdomain:

    mta-sts.domain.tld.   IN      CNAME    box.domain.tld.

    or:

    mta-sts.domain.tld.   IN      A        <IP-ADDRESS>

  2. A TXT record containing a serial number like this:

    _mta-sts.domain.tld.   IN      TXT     "v=STSv1; id=20220505144500Z;"

In order to receive reports you could add a third record with a valid email address like this:

_smtp._tls.domain.tld.  IN	TXT	"v=TLSRPTv1; rua=mailto:mta-sts@domain.tld"

Here is a good article about the topic: MTA-STS explained

I also recommend reading the instructions from Google: About MTA-STS and TLS reporting - Google Workspace Admin Help

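To tie the policy file from the first post and the DNS records from the answer above together, here is an added example (not Mail-in-a-Box’s status-check code, and not from anyone in this thread) that validates an mta-sts.txt body and the matching _mta-sts TXT value offline against the RFC 8461 rules. The sample policy and TXT value are copies of the ones quoted in the thread, embedded inline so nothing is fetched over DNS or HTTPS; the MAX_AGE_LIMIT constant, the regexes and the function names are this example’s own choices.

```python
"""Offline checks for an MTA-STS policy file and its _mta-sts TXT record.

Added example for this thread; it is not Mail-in-a-Box's own status-check
code. Rules follow RFC 8461. The sample policy and TXT record are copies of
the ones quoted in the thread, embedded here so nothing is fetched from DNS
or HTTPS.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_POLICY = """version: STSv1
mode: testing
mx: post.madra.net
max_age: 86400
"""                                   # constructed copy of the thread's file

SAMPLE_TXT = "v=STSv1; id=20220505144500Z;"   # constructed copy of the TXT value

MAX_AGE_LIMIT = 31_557_600            # RFC 8461 3.2: max_age is at most one year
VALID_MODES = {"enforce", "testing", "none"}
HOST_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)
ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")   # RFC 8461 3.1: sts-policy-id


def parse_policy(text: str) -> Dict[str, List[str]]:
    """Split 'key: value' lines; 'mx' may repeat, so each key maps to a list."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def check_policy(fields: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors make the policy unusable, warnings do not."""
    errors: List[str] = []
    warnings: List[str] = []
    if fields.get("version") != ["STSv1"]:
        errors.append("version must be exactly 'STSv1'")
    mode = fields.get("mode", [""])[0]
    if mode not in VALID_MODES:
        errors.append(f"mode must be one of {sorted(VALID_MODES)}, got {mode!r}")
    elif mode != "enforce":
        # 'testing' and 'none' are valid; TLS failures are only reported, not blocked.
        warnings.append(f"mode is {mode!r}: TLS failures are reported, not enforced")
    try:
        max_age = int(fields.get("max_age", [""])[0])
    except ValueError:
        errors.append("max_age must be a plain integer number of seconds")
    else:
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            errors.append(f"max_age {max_age} is outside 0..{MAX_AGE_LIMIT}")
    mx_list = fields.get("mx", [])
    if not mx_list and mode != "none":
        errors.append("at least one mx line is required unless mode is 'none'")
    for mx in mx_list:
        if not HOST_RE.match(mx):
            errors.append(f"mx {mx!r} is not a hostname or a *.domain wildcard")
    for key in fields:
        if key not in {"version", "mode", "mx", "max_age"}:
            warnings.append(f"unknown field {key!r} is ignored by senders")
    return errors, warnings


def check_txt(value: str) -> List[str]:
    """Validate the '_mta-sts' TXT record value ('v=STSv1; id=...')."""
    errors: List[str] = []
    pairs = [p.strip() for p in value.split(";") if p.strip()]
    if not pairs or pairs[0] != "v=STSv1":
        errors.append("TXT record must start with 'v=STSv1'")
    tags: Dict[str, str] = {}
    for pair in pairs:
        key, _, val = pair.partition("=")
        tags[key.strip()] = val.strip()
    if not ID_RE.match(tags.get("id", "")):
        errors.append("id must be 1-32 alphanumeric characters (a UTC timestamp works)")
    return errors


def mx_covers(mx_list: List[str], host: str) -> bool:
    """True if a policy mx entry matches host: exact name or one-label wildcard."""
    host = host.lower().rstrip(".")
    for mx in mx_list:
        mx = mx.lower()
        if mx.startswith("*."):
            parent = mx[2:]
            # Wildcard covers exactly one extra label, per RFC 8461 section 4.1.
            if host.endswith("." + parent) and "." not in host[: -len(parent) - 1]:
                return True
        elif mx == host:
            return True
    return False


def report(policy_text: str, txt_value: str) -> Dict[str, List[str]]:
    """Combine policy and TXT checks; 'mx' is returned for cross-checking MX hosts."""
    fields = parse_policy(policy_text)
    errors, warnings = check_policy(fields)
    errors += check_txt(txt_value)
    return {"errors": errors, "warnings": warnings, "mx": fields.get("mx", [])}


if __name__ == "__main__":
    for kind, items in report(SAMPLE_POLICY, SAMPLE_TXT).items():
        print(kind, items)
```

Run against the thread’s own file, the checker reports no errors and one warning about mode: testing, which is the distinction a status check has to make: a testing policy is well-formed and can be served as-is, it just does not yet block delivery on TLS failure. The mx_covers() helper answers the sub-domain question from earlier in the thread for a given hostname: post.madra.net is covered by the policy as written, madra.net itself is not, so each mail domain needs its own policy and records.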

I got it sussed eventually by reading through the ‘Status Checks Change Notice’ emails from my MIAB [about which more in another post!] and seeing entries for a missing MTA-STS policy for each of my other domains.

So, I’ve now created an mta-sts.domain.com sub-domain for every domain my MIAB is serving email for, and all the appropriate DNS records, and my MIAB status checks are a lot happier. Though I am still getting that ‘unexpected content’ error for each one. However, the other external checkers I’ve tried have given everything the green light. So I’m assuming @openletter’s theory is right and that MIAB is just complaining because my mode is set to testing.

Yes. Probably it’s just how MiaB queries the mta-sts.txt. Maybe you can take a look at the code on GitHub if you want to be sure. But I think you should be fine if the DNS records are correct. At least the contents of the file look fine to me. Not much you could do wrong in those four lines anyway :wink:

Well, oddly enough, and without me making any further changes to my setup, this morning’s status email is reporting nothing untoward at all.

Looks like MIAB is one of those nice software packages that comes bundled with magic pixies, who fix things while you sleep.