ScottPeterJohnson / purelymail-issues

Issues repository for the Purelymail email service.

MTA-STS Support? #221

Open mmaurer92 opened 6 months ago

mmaurer92 commented 6 months ago

Hello,

I was just wondering if PurelyMail is MTA-STS capable. I've been doing some digging and trying to find out if it is, but have been unable to nail down if it is. I saw another issue asking about DANE and DNSSEC but no mention of MTA-STS other than asking how DANE differs from it. I am in the process of finding a new email provider for my small business and migrating away from Zoho, but I currently have MTA-STS enabled and just want to make sure that PurelyMail's servers are also capable for a smooth transition.

misanthroope commented 3 months ago

same here

Kreeblah commented 1 month ago

MTA-STS doesn't really have anything to do with the mail provider itself beyond "does the mail server support a secure connection". Since PurelyMail does, you can use it, but you need to set it up yourself.

To do that, you need a subdomain named mta-sts. So, for example, if you have a domain example.com that you receive mail at, you'd need mta-sts.example.com to exist as an A or CNAME record pointing to a web server that supports HTTPS on port 443. And then, on that domain, you need to host a file at https://mta-sts.example.com/.well-known/mta-sts.txt that looks like this:

version: STSv1
mode: enforce
mx: mailserver.purelymail.com
max_age: 86400

mode can be one of none, testing, or enforce. none is useful when you want to turn MTA-STS off, since other mail servers will probably cache the result of an old policy, and if you want to stop using MTA-STS, you need to have a way to tell them not to use it. testing will fall back to an unencrypted connection if needed but report the issue, and enforce will require an encrypted connection.

After that, you need a TXT record that says you're using MTA-STS, along with a unique identifier that mail servers can use to determine when to pull a new copy of the policy. For example.com, this could be a TXT record at _mta-sts.example.com with contents of v=STSv1;id=1727646785Z. v=STSv1 is mandatory, as there's only one version, and the id parameter is required to exist, but just needs to be an alphanumeric value up to 32 characters. When you update your MTA-STS policy file, you need to update the id to something else, so that mail servers know to fetch a fresh copy of the policy file.

If you want to get reports for e-mails that failed to get a TLS connection, you need one more DNS record. For example.com, this would be _smtp._tls.example.com with contents of v=TLSRPTv1;rua=mailto:someemailaddress@somedomain.com,https://somereportingthing.somedomain.com/apath/someendpoint. v=TLSRPTv1 is mandatory, and rua is required to point to one or more e-mail and/or web addresses to send the report to. Reporters aren't required to send the report to more than one location, though, so that's important to keep in mind. Also, for obvious reasons, it's probably not the best idea to have a reporting e-mail address on the same mail server that's being reported about if MTA-STS is on enforcing mode.
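An added example, not code from this thread or from Purelymail, that checks the pieces described above offline: it parses a policy file body and the _mta-sts TXT record, flags the constraints listed (version, mode, max_age, an alphanumeric id of at most 32 characters), and tests whether a given MX hostname matches the policy's mx: lines, including the single-label wildcard form from RFC 8461 that the comment does not cover. The sample policy and TXT values are constructed from the ones in the comment.

```python
import re

# Constructed sample inputs modelled on the comment above; nothing is fetched over the network.
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mailserver.purelymail.com\nmax_age: 86400\n"
SAMPLE_TXT = "v=STSv1;id=1727646785Z"


def parse_policy(text):
    """Parse an mta-sts.txt body into a dict; every mx: line is collected under 'mx'."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    return policy


def policy_problems(policy):
    """Return a list of human-readable problems; an empty list means the policy looks sane."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("none", "testing", "enforce"):
        problems.append("mode must be none, testing or enforce")
    if not policy["mx"]:
        problems.append("at least one mx: line is required")
    if not policy.get("max_age", "").isdigit():
        problems.append("max_age must be a non-negative integer number of seconds")
    return problems


def parse_sts_txt(record):
    """Parse the _mta-sts TXT record and return its id, or raise ValueError."""
    fields = dict(kv.split("=", 1) for kv in record.split(";") if "=" in kv)
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must carry v=STSv1")
    sts_id = fields.get("id", "")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", sts_id):
        raise ValueError("id must be 1 to 32 alphanumeric characters")
    return sts_id


def mx_allowed(policy, mx_host):
    """True if mx_host matches an mx: entry; '*.example.com' matches exactly one extra label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False
```

Run `policy_problems(parse_policy(SAMPLE_POLICY))` against the body you actually serve at /.well-known/mta-sts.txt and `mx_allowed` against each of your real MX hostnames before switching mode to enforce.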