What is MTA-STS, and its benefits?
This looks great, how do I enable it on my self-hosted?
read https://github.com/hardware/mailserver#mta-sts (as you may have discovered in your docker-compose.yml file, /e/ cloud mail server is forked from this repo)
create DNS records as advised (see above GitHub link). I will re-use their domain.tld below, but of course you will put your domain name instead. You can notice we’ll have to serve a file with a fixed-name sub-domain.
create a virtual host to serve the mta-sts file: that’s the tricky part! Steps below
mta-sts.txt file somewhere (let’s say /mnt/mta-sts/.well-known/) from the GitHub example (change the domain inside)
Don’t forget to check owner and permissions for /mnt/mta-sts and files/dirs inside
Then add a volume mapping for nginx:
create an nginx conf file for the mta-sts sub-domain in /mnt/repo-base/config-dynamic/nginx/sites-enabled/, let’s say
listen 4430 ssl http2;
create the Let’s Encrypt certificate: add your /mnt/repo-base/config-dynamic/letsencrypt/autorenew/ssl-domains.dat, then run
if everything’s fine, restart nginx:
docker-compose stop nginx and docker-compose up -d.
This will recreate nginx container, as we added a volume mapping in docker-compose.yml.
of course, check nginx logs:
docker logs --details --timestamps --since 1h --follow nginx (keep it running)
perform a quick check with a browser with https://mta-sts.domain.tld/.well-known/mta-sts.txt: the certificate must be OK (not self-signed, certifying your mta-sts sub-domain), and the file must be displayed
perform a check using Hardenize & EFF (links in the GitHub wiki above). Note about Hardenize: if you already performed a check, you will have to register via the “invite” link (it’s free, leave a link to the /e/ foundation!)
check your displayed nginx log for errors, exit (Ctrl+C), do the same for the eelomailserver logs
after some time, you may see entries like this in your nginx log:
2020-08-30T09:50:53.498591946Z 18.104.22.168 - - [30/Aug/2020:09:50:53 +0000] "GET /.well-known/mta-sts.txt HTTP/1.1" 200 68 "-" "Google-SMTP-STS" "-"
As we didn’t change anything inside the nginx Docker image, this tuning is likely to survive an /e/ Cloud upgrade (you may have to check docker-compose.yml after upgrading).
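Before restarting nginx it is worth validating the mta-sts.txt you placed under /mnt/mta-sts/.well-known/ and the _mta-sts TXT record against the RFC 8461 format, since a malformed policy silently makes senders fall back to unauthenticated delivery. The validator below is an added example written for this thread, not code from the post or from the hardware/mailserver repo; the domain names used in it are constructed, and the rule that "mx" may only be omitted when mode is "none" is my reading of RFC 8461.

```python
"""Offline validator for an MTA-STS policy file and its DNS TXT record (RFC 8461).
Added example, not code from the post or the mailserver repo; sample names are constructed."""
import re

MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # one year, the RFC 8461 upper bound for max_age

def parse_policy(text):
    """Parse the body of /.well-known/mta-sts.txt into a dict; raise ValueError if malformed."""
    fields = {"mx": []}
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"missing ':' in line {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            fields["mx"].append(value)  # several mx lines are allowed, one pattern each
        elif key in fields:
            raise ValueError(f"duplicate field {key!r}")
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if fields.get("mode") not in MODES:
        raise ValueError("mode must be enforce, testing or none")
    if not re.fullmatch(r"\d+", fields.get("max_age", "")) or int(fields["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be a non-negative integer of seconds, at most one year")
    fields["max_age"] = int(fields["max_age"])
    if fields["mode"] != "none" and not fields["mx"]:  # assumption: mx optional only for mode none
        raise ValueError("at least one mx pattern is required unless mode is none")
    return fields

def parse_txt_record(record):
    """Parse the _mta-sts.<domain> TXT record, e.g. 'v=STSv1; id=20200830T095053'."""
    pairs = dict(p.strip().split("=", 1) for p in record.split(";") if p.strip())
    if pairs.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", pairs.get("id", "")):
        raise ValueError("TXT record needs v=STSv1 and an alphanumeric id of 1 to 32 characters")
    return pairs

def mx_matches(hostname, patterns):
    """True if an MX hostname is allowed by the policy; a leading '*' covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for pat in (p.lower().rstrip(".") for p in patterns):
        if host == pat or (pat.startswith("*.") and "." in host and host.split(".", 1)[1] == pat[2:]):
            return True
    return False
```

Run parse_policy on the file you serve and mx_matches on each MX host from your domain's MX records: every host must match, otherwise enforce mode will make MTA-STS-aware senders refuse to deliver to you.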