Closed ScottPeterJohnson closed 2 years ago
Comment by Scott on April 11, 2020: Yes, this seems like an improvement that fixes a longstanding flaw in email security. I'll implement it (and see if I can make the mail servers respect it).
It's unfortunate that it'd require users to set up at least 2 more DNS records, though. It'd be great if there were some way to do that automatically for users short of becoming their nameserver.
Comment by balaji on October 19, 2020: Just curious if there has been any progress on this...
Comment by Scott on October 20, 2020: Not yet! (Things fall into my tasklist and it can take me a while to get to them.) I can look into setting it up for Purelymail-owned domains tomorrow though.
I do have some ideas for how to get it to work with user domains, but that might have to wait a bit longer.
Comment by Scott on February 6, 2021: This has been in testing mode for the last three months; given that no insecure connections were reported in that time, I felt confident upgrading it to enforce mode today.
(This issue was imported from Gitea) zack.c on April 11, 2020: Would you consider enabling MTA-STS on Purelymail-owned domains? This would enforce TLS delivery of incoming emails as well as prevent emails to PM from being delivered to another MX if DNS poisoning were to occur.
Here's a primer on MTA-STS, if you're not familiar: https://emailsecuritygeek.com/configuring-mta-sts-and-smtp-tls-rpt
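As an added example (not Purelymail's code and not from the linked primer), this shows how a sending server applies a fetched MTA-STS policy: the listed MX hosts pin where mail may go, and the testing/enforce mode decides whether a mismatch or TLS failure is merely reported or blocks delivery. The policy text and host names below are constructed for illustration.

```python
# Added example (not Purelymail's code): evaluate an MTA-STS policy (RFC 8461)
# against the MX host a sender resolved from DNS. A real sender fetches the
# policy from https://mta-sts.<domain>/.well-known/mta-sts.txt after seeing a
# _mta-sts.<domain> TXT record; the policy and host names here are constructed.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mx1.example.net
mx: *.backup.example.net
max_age: 604800
"""


def parse_policy(text):
    """Parse 'key: value' lines into a dict; every 'mx' line is kept in a list."""
    policy = {"mx": []}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing version/mode")
    policy["max_age"] = int(policy["max_age"])  # seconds the policy may be cached
    return policy


def mx_matches(pattern, host):
    """A leading '*.' matches exactly one leftmost label (RFC 8461 section 4.1)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def deliver_allowed(policy, mx_host, tls_ok):
    """Return (allowed, reason). In 'enforce' mode an MX not listed in the policy
    or a failed TLS handshake blocks delivery; in 'testing' mode it is only reported."""
    mx_ok = any(mx_matches(p, mx_host) for p in policy["mx"])
    if mx_ok and tls_ok:
        return True, "ok"
    reason = "mx-not-in-policy" if not mx_ok else "tls-failure"
    if policy["mode"] == "enforce":
        return False, reason
    return True, reason + " (reported only, mode=" + policy["mode"] + ")"
```

In testing mode the reasons returned here are what a TLS-RPT report would carry back to the domain owner, which is how the three months of "no insecure connections reported" above can be checked before switching to enforce.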