[HOWTO] Activate MTA-STS for self-hosted /e/ cloud

Hi !

What is MTA-STS, and it’s benefits ?
-> https://starttls-everywhere.org/faq/#mtasts

This looks great, how do I enable it on my self-hosted ?

  1. read https://github.com/hardware/mailserver#mta-sts (as you may have discovered in your docker-compose.yml file, /e/ cloud mail server is forked from this repo)

  2. create DNS records as advised (see above GitHub link). I will re-use their domain.tld below, but of course you will put your domain name instead :wink: . You can notice we’ll have to serve a file with a fixed-name sub-domain.

  3. create a virtual host to serve mta-sts file : that’s the tricky part ! Steps below

  4. create the mta-sts.txt file somewhere (let’s say /mnt/mta-sts/.well-known/) from GitHub example (change the domain inside)
    Don’t forget to ckeck owner and permissions for /mnt/mta-sts and files/dirs inside
    Then add a volume mapping for nginx : /mnt/mta-sts:/var/www/mta-sts in your /mnt/repo-base/docker-compose.yml file

  5. create a nginx conf file for the mta-sts sub-domain in /mnt/repo-base/config-dynamic/nginx/sites-enabled/, let’s say mta-sts.conf :

server {
listen 4430 ssl http2;
server_name mta-sts.domain.tld;
ssl_certificate /certs/live/mta-sts.domain.tld/fullchain.pem;
ssl_certificate_key /certs/live/mta-sts.domain.tld/privkey.pem;
include /etc/nginx/params/ssl_params;
include /etc/nginx/params/headers_params;
root /var/www/mta-sts;
}

  1. create the Let’s Encrypt certificate : add your mta-sts.domain.tld to /mnt/repo-base/config-dynamic/letsencrypt/autorenew/ssl-domains.dat, then run /mnt/repo-base/scripts/ssl-renew.sh

  2. if everything’s fine, restart nginx : cd /mnt/repo-base then docker-compose stop nginx and docker-compose up -d.
    This will recreate nginx container, as we added a volume mapping in docker-compose.yml.

  3. of course, check nginx logs : docker logs --details --timestamps --since 1h --follow nginx (keep it running)

  4. perform a quick check with a browser with https://mta-sts.domain.tld/.well-known/mta-sts.txt : certificate must be ok (not self-signed, certifying your mta-sts sub-domain), and the file must be displayed

  5. perform a check using Hardenize & EFF (links in GitHub wiki above). Note about Hardenize : if you already performed a check, you will have to register via “invite” link (it’s free, leave a link to /e/ foundation !)

  6. check your displayed nginx log about errors, exit (Ctrl+C), do the same for eelomailserver logs

  7. after some time, you may see entries like this in your nginx log :slightly_smiling_face: :

2020-08-30T09:50:53.498591946Z 74.125.216.45 - - [30/Aug/2020:09:50:53 +0000] “GET /.well-known/mta-sts.txt HTTP/1.1” 200 68 “-” “Google-SMTP-STS” “-”

As we didn’t change anything inside the nginx Docker image, this tuning is likely to survive an /e/ Cloud upgrade :slight_smile: (you may have to check docker-compose.yml after upgrading).

Regain your privacy! Adopt /e/ the unGoogled mobile OS and online servicesphone