docs: Mention MTA-STS in the Setting up tutorial

DANE is complex and requires its own (potentially lengthy) tutorial on how to configure it properly. MTA-STS, on the other hand, is designed to be simple to deploy so recommend to configure it in the Setting up tutorial.
2025-04-05 14:07:38 +03:00 · 2020-01-02 17:28:23 +03:00 · 2020-01-02 17:28:23 +03:00 · a88a1a96b5
commit a88a1a96b5
parent ed9e2daed7
1 changed files with 25 additions and 0 deletions
--- a/docs/tutorials/setting-up.md
+++ b/docs/tutorials/setting-up.md
@ -9,6 +9,7 @@ For purposes of clarity, these values are used in this tutorial as examples,
 wherever you see them, you need to replace them with your actual values:

 - Domain: example.org
+- MX domain (hostname): example.org
 - IPv4 address: 10.2.3.4
 - IPv6 address: 2001:beef::1

@ -120,6 +121,30 @@ record for `default._domainkey.example.org` domain, like that:
 default._domainkey.example.org    TXT   "v=DKIM1; k=ed25519; p=nAcUUozPlhc4VPhp7hZl+owES7j7OlEv0laaDEDBAqg="
 ```

+## MTA-STS
+
+By default SMTP is not protected against active attacks. MTA-STS policy tells
+compatible senders to always use properly authenticated TLS when talking to
+your server, offering a simple-to-deploy way to protect your server against
+MitM attacks on port 25.
+
+Basically, you to create a file with following contents and make it available
+at https://mta-sts.example.org/.well-known/mta-sts.txt:
+```
+mode: enforce
+max_age: 604800
+mx: example.org
+```
+
+**Note**: example.org in the file is your MX hostname, example.org in URL is
+the domain you are receiving messages for. In simple configurations, they are
+going to be the same, but this is not the case for more complex setups.
+If you have multiple MX servers - add them all once per line, like that:
+```
+mx: mx1.example.org
+mx: mx2.example.org
+```
+
 ## postmaster and other user accounts

 A mail server is useless without mailboxes, right? Unlike software like postfix