Steps to set up MTA-STS for inbound mail
- Create two DNS TXT records: one advertising MTA-STS (_mta-sts) and one for TLS reporting (TLSRPT), so other mail servers can report problems with TLS connectivity to you
- Spin up a new website at the mta-sts subdomain of your domain that serves a file with your policy
- Verify that your mail server works with STARTTLS before setting the mode to enforce, or you can lose email.
- Make sure the TLS certificates are valid and not self-signed (user created). You can use Let's Encrypt to get some for free as needed.
_mta-sts.midnightbsd.org. TXT "v=STSv1; id=3"
The id field should be incremented each time you change the policy file on the web server, so that other servers know to fetch it again.
Set up the website mta-sts.yourdomain.com
Make sure it is available over HTTPS (TLS) with a valid certificate.
Create a new policy file
The mode should be either enforce or testing. The recommended max_age is two weeks or more; we're using a lower value here.
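The following is an added example (not code from the original post): a small Python checker for the two pieces above, the _mta-sts TXT record and the policy file, written from the RFC 8461 rules. The policy file is what other MTAs fetch from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The sample record and policy embedded in it are constructed for illustration and are not the live midnightbsd.org values; it also accepts mode "none", which RFC 8461 defines in addition to enforce and testing.

```python
"""Check an MTA-STS TXT record and policy file against RFC 8461.

Added example, not part of the original post. The sample TXT record and
policy below are constructed for illustration, not the real midnightbsd.org
records. Run it against your own files before flipping the mode to enforce.
"""
import re

# Constructed sample of the DNS TXT record published at _mta-sts.<domain>.
SAMPLE_TXT = "v=STSv1; id=3"

# Constructed sample policy, as served at /.well-known/mta-sts.txt.
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mail.example.org
mx: *.example.org
max_age: 86400
"""

RECOMMENDED_MAX_AGE = 14 * 24 * 3600   # two weeks, per the recommendation above
RFC_MAX_AGE_LIMIT = 31557600           # RFC 8461: max_age must be at most one year


def parse_txt_record(txt):
    """Return the fields of a '_mta-sts' TXT record; raise ValueError if malformed."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must start with v=STSv1")
    # id is 1-32 alphanumeric characters; any change tells senders to re-fetch
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy(text):
    """Parse 'key: value' lines; repeated 'mx' lines collect into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def check_policy(policy):
    """Return a list of problems; an empty list means the policy passes."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    if not policy["mx"]:
        problems.append("at least one mx line is required")
    for mx in policy["mx"]:
        # a hostname, or a single leading wildcard label such as *.example.org
        if not re.fullmatch(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", mx):
            problems.append(f"invalid mx pattern: {mx}")
    try:
        max_age = int(policy.get("max_age", ""))
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    else:
        if max_age <= 0:
            problems.append("max_age must be positive")
        elif max_age > RFC_MAX_AGE_LIMIT:
            problems.append(f"max_age {max_age}s exceeds the RFC limit of one year")
        elif max_age < RECOMMENDED_MAX_AGE:
            problems.append(f"max_age {max_age}s is below the recommended two weeks")
    return problems


if __name__ == "__main__":
    print(parse_txt_record(SAMPLE_TXT))
    for problem in check_policy(parse_policy(SAMPLE_POLICY)):
        print("policy:", problem)
```

Running it on the constructed sample reports only the short max_age, which mirrors the "lower amount" caveat above; every mx host listed must present a certificate valid for its name, or senders in enforce mode will refuse to deliver.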
If you are running Postfix, you can install the py-postfix-mta-sts-resolver port. It validates TLS support for other mail servers by looking up their MTA-STS records and policies. It also offers the option of caching with Redis or SQLite3.
You would activate it in Postfix with the following in main.cf:
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
Here is an example config file mta-sts-daemon.yml with Redis configured.
At this time, we haven't found a way to validate MTA-STS on Sendmail. There are some patches floating around for the Debian package on Linux for DANE, but not for MTA-STS.
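As an added example (not code from the original post or from py-postfix-mta-sts-resolver), here is a small Python client that talks to the resolver daemon exactly the way Postfix does through the socketmap line above, so you can see what policy Postfix will receive for a domain before relying on it. It assumes the daemon listens on 127.0.0.1:8461 with the map name "postfix", as in that main.cf line, and that the daemon's replies use the Postfix TLS policy syntax ("secure match=host1:host2"); the sample reply embedded below is constructed, not captured from a live daemon.

```python
"""Query an MTA-STS socketmap daemon the way Postfix does and decode the reply.

Added example, not part of the original post or of py-postfix-mta-sts-resolver.
Assumes the daemon from the main.cf line above (127.0.0.1:8461, map "postfix").
The socketmap framing follows socketmap_table(5): request and reply are
netstrings, the request body is "<map name> <key>", the reply body starts with
OK, NOTFOUND, TEMP, TIMEOUT or PERM.
"""
import socket


def encode_netstring(payload: bytes) -> bytes:
    """Netstring framing: "<length>:<bytes>,"."""
    return b"%d:%s," % (len(payload), payload)


def decode_netstring(data: bytes) -> bytes:
    """Return the payload of one complete netstring; ValueError if incomplete."""
    length, sep, rest = data.partition(b":")
    if not sep or not length.isdigit():
        raise ValueError("not a netstring")
    n = int(length)
    if len(rest) < n + 1 or rest[n:n + 1] != b",":
        raise ValueError("truncated or unterminated netstring")
    return rest[:n]


def encode_request(domain: str, map_name: str = "postfix") -> bytes:
    """Build the lookup Postfix sends for the recipient domain."""
    return encode_netstring(f"{map_name} {domain}".encode())


def parse_reply(data: bytes) -> dict:
    """Decode a reply into status, Postfix TLS policy level and matched MX names."""
    body = decode_netstring(data).decode()
    status, _, rest = body.partition(" ")
    result = {"status": status, "policy": None, "match": []}
    if status == "OK":
        # Postfix TLS policy value (assumed reply form), e.g. "secure match=a:b"
        level, _, attrs = rest.partition(" ")
        result["policy"] = level
        for attr in attrs.split():
            key, _, value = attr.partition("=")
            if key == "match":
                result["match"] = value.split(":")
    else:
        result["reason"] = rest.strip()
    return result


def query(domain: str, host: str = "127.0.0.1", port: int = 8461, timeout: float = 5) -> dict:
    """Send one lookup to a running daemon and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_request(domain))
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("daemon closed the connection before replying")
            data += chunk
            try:
                return parse_reply(data)
            except ValueError:
                continue  # reply not complete yet, keep reading


# Constructed sample reply for a domain whose policy is in enforce mode.
SAMPLE_REPLY = encode_netstring(b"OK secure match=mx.example.org:mx2.example.org")

if __name__ == "__main__":
    print(parse_reply(SAMPLE_REPLY))
    # Against a live daemon: print(query("example.org"))
```

A domain without a usable policy comes back as NOTFOUND, so Postfix falls back to its default smtp_tls_security_level; an OK reply with "secure" means Postfix will require a verified certificate matching one of the listed MX names, which is exactly the behaviour you want to confirm before the other side moves to enforce.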