From a88a1a96b52ec81671f9ed0293aef3afb709a356 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Thu, 2 Jan 2020 17:28:23 +0300 Subject: [PATCH] docs: Mention MTA-STS in the Setting up tutorial DANE is complex and requires its own (potentially lengthy) tutorial on how to configure it properly. MTA-STS, on the other hand, is designed to be simple to deploy so recommend to configure it in the Setting up tutorial. --- docs/tutorials/setting-up.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/docs/tutorials/setting-up.md b/docs/tutorials/setting-up.md index ad7555d..6dd0615 100644 --- a/docs/tutorials/setting-up.md +++ b/docs/tutorials/setting-up.md @@ -9,6 +9,7 @@ For purposes of clarity, these values are used in this tutorial as examples, wherever you see them, you need to replace them with your actual values: - Domain: example.org +- MX domain (hostname): example.org - IPv4 address: 10.2.3.4 - IPv6 address: 2001:beef::1 
@@ -120,6 +121,30 @@ record for `default._domainkey.example.org` domain, like that: default._domainkey.example.org TXT "v=DKIM1; k=ed25519; p=nAcUUozPlhc4VPhp7hZl+owES7j7OlEv0laaDEDBAqg=" ``` +## MTA-STS + +By default SMTP is not protected against active attacks. MTA-STS policy tells +compatible senders to always use properly authenticated TLS when talking to +your server, offering a simple-to-deploy way to protect your server against +MitM attacks on port 25. + +Basically, you to create a file with following contents and make it available +at https://mta-sts.example.org/.well-known/mta-sts.txt: +``` +mode: enforce +max_age: 604800 +mx: example.org +``` + +**Note**: example.org in the file is your MX hostname, example.org in URL is +the domain you are receiving messages for. In simple configurations, they are +going to be the same, but this is not the case for more complex setups. +If you have multiple MX servers - add them all once per line, like that: +``` +mx: mx1.example.org +mx: mx2.example.org +``` + ## postmaster and other user accounts A mail server is useless without mailboxes, right? Unlike software like postfix
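Review bot: in the first hunk, using `example.org` for both the Domain and the new "MX domain (hostname)" placeholder hides exactly the distinction the MTA-STS note in the second hunk relies on (MX hostname inside the policy file versus the recipient domain in the URL); a visibly different placeholder such as `mx1.example.org`, which the multiple-MX example further down already uses, would let readers see which value goes where.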
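Review bot: the policy file in the second hunk (`mode: enforce`, `max_age: 604800`, `mx: example.org`) lacks the mandatory `version: STSv1` field that RFC 8461 requires as the first line, so a compliant sender will treat the policy as invalid and ignore it; add `version: STSv1` before `mode:`. The section also never mentions the `_mta-sts.example.org` TXT record (`v=STSv1; id=...`) that senders look up before fetching the policy over HTTPS, so a reader following the tutorial as written ends up with a policy nobody retrieves; a sentence about that record, and about the HTTPS certificate having to be valid for `mta-sts.example.org`, belongs here. Consider recommending `mode: testing` first and switching to `enforce` only once delivery is confirmed, since enforce makes senders refuse delivery on any TLS or certificate mismatch. Minor: "Basically, you to create a file with following contents" is missing "need" and "the".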