[SOLVED] V0.50 MTA-STS policy is missing: STSFetchResult.NONE

@ravenstar68 my main.cf config, giving me a 100% rating:

smtpd_tls_dh1024_param_file=/home/user-data/ssl/dh4096.pem
smtpd_tls_protocols = TLSv1.3 TLSv1.2
smtp_tls_protocols = TLSv1.3 TLSv1.2
smtpd_tls_mandatory_protocols = TLSv1.3 TLSv1.2
smtp_tls_mandatory_protocols = TLSv1.3 TLSv1.2
# tls_ssl_options must be set once: Postfix keeps only the last definition of a
# parameter, so listing it on three separate lines would silently discard the
# earlier options. 0x40000000 is OpenSSL's raw SSL_OP_NO_RENEGOTIATION bit.
tls_ssl_options = NO_RENEGOTIATION, NO_COMPRESSION, 0x40000000

tls_high_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
smtpd_tls_mandatory_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4

tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA

smtpd_tls_eecdh_grade = ultra

tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = medium

smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
smtp_tls_ciphers = $smtpd_tls_ciphers
lmtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
lmtp_tls_ciphers = $smtpd_tls_ciphers

Don’t forget to generate 4096-bit DH parameters in /home/user-data/ssl/dh4096.pem


Are these changes something that could get incorporated? I have made the TLSv1.0 and TLSv1.1 changes but am too new to MIAB to know whether these will be breaking changes.

They also appear to be in PMIAB too @davness, although I didn’t get any errors updating my PMIAB :grinning:

Hello:

I figured out most of this, but still have 1 issue left.

Part of the issue is I use DNS Made Easy for all my DNS, and my main domain is on a separate server than the MIAB server. I have been running this way fine for quite a while.

I was able to add the _mta-sts and _smtp._tls txt files fine.

Then using info from this thread:

I added the Alias administrator@mta-sts.mydomain.com (using my domain name).
This worked ok it said.

But then for the TLS Certificate for that subdomain, there was no ‘Provision’ option in the GUI, just an install option?

How do I get Let’s Encrypt to add the TLS certificate for the new subdomain on the MIAB server?
Also it did not seem to create the mta-sts.mydomain.com subdomain; the /home/user-data/www/ directory just has a ‘default’ directory and nothing else. Is the file somewhere else? It didn’t say to create that directory; it implied that it would be made when I added the alias mail account.

Let’s Encrypt did the main MIAB domain certificate fine when I first installed and has worked fine for that.

If anyone can offer some help, it would be appreciated.

Thank you!


@johnfl68 What is your domain?

Since there are still SMTP servers out there that send mail and don’t support TLS 1.2, and making this change would prevent people from receiving mail from those servers, I won’t incorporate those changes. In fact, we did this, and then a user reported not being able to receive mail from a sender, so we reverted it.


I’d assumed as much with such an obvious omission.

Late to the table, but I think I’d prefer to reject such mails in this day and age :slight_smile:

I had the same problem with the missing records after upgrading to 0.5 but found that it resolved itself after a few days of waiting. Each day a few DNS records would be added, so no manual corrections or rerunning of setup is required. Just some patience.

I had a problem with external mail servers not being listed in the mta-sts.txt being served up via https. It looks like the one at /var/lib/mailinabox/mta-sts.txt is used by default. Can I tweak that in the nginx config for a non-default domain to point it to a file somewhere else, perhaps in user-data, or would that be considered an unsupported customization? (=

My DNS for the MIAB server is an external DNS provider. What do I need to add to these records to get this error in the console fixed?
There are two domains hosted by the box, and it has its hostname in one of the domains.
For example, it hosts domain1.com and domain2.net, and the hostname of the MIAB box is box.domain2.net.

Just not sure which records go in which dns set of entries?

Only for the MIAB host (domain1) as MX records for domain2 should point to domain 1

It should be clearly listed on the ‘External DNS’ page in the admin area.

Same for me; the error disappeared after DNS propagation.

I can confirm that no action is required; just wait 24 to 48 hours and the DNS records will propagate automatically across DNS servers and the errors will disappear. No need to issue Let’s Encrypt certificates or anything.

@ravenstar68 sorry for the late response, and sorry if it appeared as if I was being cocky or dumb. I’m a full FOSS supporter, and I and ourselves have a huge amount of thanks to give to @JoshData. I want to contribute in every way possible and for the future of this project. Once again, sorry; I’m not a native English speaker, so that maybe got badly combined with the rush…


After using the MiaB Control Panel TLS (SSL) Certificates page to request certificates from Let’s Encrypt for the new mta-sts subdomains and allowing time for DNS propagation, the only issue reported by external validators is the lack of TLSRPT records. This external MTA-STS Validator explains: “It is defined in RFC-8460 and allows users to specify a mechanism where TLS failures can be reported automatically by affected sites.…TLSRPT is not strictly mandatory in conjunction with MTA-STS….” So, it seems that including TLSRPT records would be nice, but is not required by RFC-8460.

This error occurred after an upgrade process on our servers. Find below the step-by-step procedure we used to fix the problem.

Upgrade

  • Login to server via SSH (putty for windows)
  • sudo apt-get update && sudo apt-get upgrade
  • reboot
  • Login to server via SSH (putty for windows)
  • curl -s https://mailinabox.email/setup.sh | sudo bash
    Answer questions

Provision the certificates from Let's Encrypt

  • Select [System] menu (Top Menu)
  • Select TLS (SSL) Certificates
  • Select [Reprovision] button

Upgrade again

  • Login to server via SSH (putty for windows)
  • sudo apt-get update && sudo apt-get upgrade
  • reboot
  • Login to server via SSH (putty for windows)
  • curl -s https://mailinabox.email/setup.sh | sudo bash
    Answer questions

I had the same issue after setting up version v60.1 on Ubuntu 20.04 LTS with an external DNS. Solved it by:

  1. Create all the DNS entries as listed on your admin page in “System > External DNS”
  2. Go to “System > TLS (SSL) Certificates” and click the first big blue button “Provision”, which now generates the certificates for the new subdomains (autoconfig, autodiscover, mail, mta-sts.mail, mta-sts).
  3. Go back to “System > External DNS”, which now lists two additional TXT entries for _mta-sts and _mta-sts.mail, and enter those on your DNS server.

Alternatively you can just add two valid TXT entries right away (e.g. “v=STSv1; id=20230111T000000;”) to _mta-sts and _mta-sts.mail.
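The two halves of the deployment the posts above keep running into (the _mta-sts TXT record and the mta-sts.txt policy file that must list every MX host, including external ones) can be checked before a sender sees them. The following is an added example, not code from Mail-in-a-Box or from anyone in this thread; the domain names and record values are constructed for illustration, and it validates the syntax and the MX coverage of a policy, which is the check a defender wants when external validators report STSFetchResult.NONE or an unlisted MX.

```python
# Constructed sample inputs (not from the thread): the _mta-sts TXT record and the policy body served at https://mta-sts.<domain>/.well-known/mta-sts.txt.
STS_TXT = "v=STSv1; id=20230111T000000;"
POLICY_TXT = """version: STSv1
mode: enforce
mx: box.domain2.net
mx: *.mail.domain2.net
max_age: 604800
"""

def parse_sts_txt(txt):
    """Parse the _mta-sts.<domain> TXT record into a dict; reject a record without v=STSv1 and an id."""
    fields = {}
    for part in filter(str.strip, txt.split(";")):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("record needs v=STSv1 and a non-empty id")
    return fields

def parse_policy(body):
    """Parse mta-sts.txt ('key: value' lines); 'mx' may repeat, so it is collected in a list."""
    policy = {"mx": []}
    for line in filter(str.strip, body.splitlines()):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        if key.strip() == "mx":
            policy["mx"].append(value.strip())
        else:
            policy[key.strip()] = value.strip()
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("policy needs version STSv1 and mode enforce, testing or none")
    policy["max_age"] = int(policy.get("max_age", 0))
    return policy

def mx_allowed(host, mx_patterns):
    """True if an MX host is covered by the policy; a '*.' pattern matches exactly one leading label."""
    host = host.lower().rstrip(".")
    for pat in mx_patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            if host.endswith(pat[1:]) and host.count(".") == pat.count("."):
                return True
        elif host == pat:
            return True
    return False

def uncovered_mx(policy, mx_hosts):
    """MX hosts (from the domain's MX records) that an enforcing policy would make senders skip."""
    return [h for h in mx_hosts if not mx_allowed(h, policy["mx"])]
```

Feed `parse_policy` the body fetched from your own https://mta-sts.<domain>/.well-known/mta-sts.txt and `uncovered_mx` the hosts from the domain's MX records; any host it returns is one that senders honouring the policy will refuse to deliver to.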