docker-mailserver/docs/content/config/best-practices/mta-sts.md
Joerg Sonnenberger e3331b0f44
feat: Add MTA-STS support for outbound mail (#3592)
* feat: add support for MTA-STS for outgoing mails

* Hook-up mta-sts-daemon into basic process handling test

* fix: Call python script directly

The python3 shebang will run it, which will now meet the expectations of the process testing via pgrep. fail2ban has the same approach.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2024-01-13 21:37:20 +13:00


---
title: 'Best practices | MTA-STS'
hide:
  - toc
---

MTA-STS (RFC 8461) is an optional mechanism by which a receiving domain publishes a policy stating that mail sent to it must use TLS: a sending MTA that honours the policy verifies the receiving server's certificate and only delivers to the MX hosts the policy lists.

- An on-path attacker between DMS and a remote mail server can otherwise strip the `STARTTLS` advertisement from the SMTP banner, which silently downgrades DMS to sending that mail in plaintext. With a remote policy in `enforce` mode, DMS refuses to deliver without a verified TLS session, so the downgrade fails instead of succeeding quietly.
- MTA-STS is an alternative to DANE that does not require DNSSEC. It relies on the web PKI instead: the policy is fetched over HTTPS and cached for the policy's `max_age`, so an already cached policy keeps protecting later deliveries even while DNS answers are being tampered with.
- MTA-STS is supported by some of the largest mail providers, such as Google Mail and Outlook.

## Supporting MTA-STS for outbound mail

Enable this feature via the ENV setting `ENABLE_MTA_STS=1`.

!!! warning "If you have configured DANE"

    Enabling MTA-STS will by default override DANE if both are configured for a domain.

    This can be partially addressed by configuring a dane-only policy resolver before the MTA-STS entry in `smtp_tls_policy_maps`. See the [`postfix-mta-sts-resolver` documentation][postfix-mta-sts-resolver::dane] for further details.

## Supporting MTA-STS for inbound mail

The DMS feature above only protects mail that DMS sends to other servers. To give remote senders the same guarantee when they deliver mail to DMS, you publish an MTA-STS policy for your own domain.

This requires two things outside of DMS: a DNS TXT record at `_mta-sts.<your-domain>` with the content `v=STSv1; id=<policy-version>` that announces a policy exists, and a webserver with a valid certificate for `mta-sts.<your-domain>` that serves the policy file at `https://mta-sts.<your-domain>/.well-known/mta-sts.txt`. The `mx` entries in that policy must match the hostnames in your MX records, and each MX host must present a certificate valid for its own hostname; otherwise senders that honour an `enforce` policy will refuse to deliver to you. Start with `mode: testing`, change the `id` in the TXT record whenever the policy file changes, and switch to `enforce` once delivery has been verified. A good introduction can be found on dmarcian.com.
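The following is an added example, not code from docker-mailserver or postfix-mta-sts-resolver. It shows the two artefacts the section above asks you to publish (a `_mta-sts` TXT record and a policy file, both constructed here for the placeholder domain `example.com`) and evaluates them the way a sending MTA does: the policy is parsed and validated, an MX hostname is matched against the policy's `mx` entries (including the single-label `*.` wildcard of RFC 8461), and a delivery decision is made that defers in `enforce` mode when STARTTLS was stripped or the MX host is not one the policy allows, which is the downgrade scenario described at the top of the page. Certificate verification itself is represented by the `verified_tls` flag rather than performed.

```python
"""Evaluate an MTA-STS policy the way a sending MTA does (RFC 8461).

Added example for this page; not docker-mailserver or
postfix-mta-sts-resolver code. The TXT record and policy text below are
constructed samples for the placeholder domain example.com.
"""
from dataclasses import dataclass

# Constructed sample: the answer to `dig +short TXT _mta-sts.example.com`.
SAMPLE_TXT_RECORD = "v=STSv1; id=20240113T000000;"

# Constructed sample: body served at
# https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

MAX_AGE_LIMIT = 31557600  # RFC 8461 section 3.2: at most one year of caching


@dataclass
class Policy:
    version: str
    mode: str      # "enforce", "testing" or "none"
    mx: list       # allowed MX hostnames, optionally with a leading "*." wildcard
    max_age: int   # seconds a fetched policy may be cached


def parse_txt_record(record: str) -> str:
    """Return the policy id from a _mta-sts TXT record; ValueError if malformed."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("not an STSv1 record")
    if not fields.get("id"):
        raise ValueError("missing policy id")
    return fields["id"]


def parse_policy(text: str) -> Policy:
    """Parse the key: value policy file and reject values a sender must not accept."""
    version = mode = max_age = None
    mx = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key == "max_age":
            max_age = int(value)  # ValueError on a non-integer value
        # Unknown keys are ignored for forward compatibility.
    if version != "STSv1":
        raise ValueError("unsupported policy version")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    if max_age is None or not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError("max_age missing or out of range")
    if mode != "none" and not mx:
        raise ValueError("policy lists no mx hosts")
    return Policy(version, mode, mx, max_age)


def mx_matches(pattern: str, hostname: str) -> bool:
    """Match an MX hostname against one policy mx entry.

    A leading "*." matches exactly one label: "*.example.com" matches
    "mail.example.com" but neither "example.com" nor "a.b.example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return bool(label) and "." not in label
    return pattern == hostname


def delivery_decision(policy: Policy, mx_host: str, verified_tls: bool) -> str:
    """Decide what a sender does for one MX candidate: "deliver" or "defer".

    verified_tls is True only if STARTTLS succeeded and the certificate chained
    to a trusted CA and matched mx_host. In enforce mode any failure defers the
    message (other MX hosts are tried, then it is queued); testing mode delivers
    anyway and only reports the failure via TLSRPT; mode none imposes nothing.
    """
    if policy.mode == "none":
        return "deliver"
    mx_ok = any(mx_matches(p, mx_host) for p in policy.mx)
    if mx_ok and verified_tls:
        return "deliver"
    return "defer" if policy.mode == "enforce" else "deliver"
```

To try it, call `parse_txt_record(SAMPLE_TXT_RECORD)` and `parse_policy(SAMPLE_POLICY)`, then `delivery_decision(policy, "mail.example.com", False)` for the stripped-STARTTLS case and `delivery_decision(policy, "mx.attacker.example", True)` for a forged MX record; both return `"defer"` under the sample `enforce` policy, and only become `"deliver"` if you change the sample to `mode: testing`.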