This tool verifies whether a given host correctly implements the new, still in-development MTA-STS standard for downgrade-resistant secure email. It is very new and not well tested, so don't rely on its results too much.
Online version: https://aykevl.nl/apps/mta-sts/
License: BSD 2-clause license (see LICENSE.txt).
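What "correctly implements MTA-STS" means in practice is: a TXT record at _mta-sts.<domain> of the form v=STSv1; id=..., a policy served over HTTPS at https://mta-sts.<domain>/.well-known/mta-sts.txt with valid version, mode, max_age and mx fields, and MX hosts that the policy's mx patterns actually cover (otherwise an enforce-mode policy makes MTA-STS-aware senders refuse mail). The following is an added, offline example of those checks, written for this page; it is not the project's own code. The DNS and HTTPS fetching is left out, the inputs are constructed samples, the wildcard rule follows RFC 8461 section 4.1 ("*" matches exactly one leftmost label), and the "max_age below one day" warning is a threshold chosen here, not one taken from the RFC.

```python
"""Offline MTA-STS (RFC 8461) record and policy checks on constructed inputs."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_AGE_LIMIT = 31557600             # largest max_age RFC 8461 allows (one year, in seconds)
MIN_USEFUL_MAX_AGE = 86400           # this checker's own warning threshold, not an RFC value
VALID_MODES = ("enforce", "testing", "none")
_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")            # sts-id is 1*32(ALPHA / DIGIT)
_DIGITS_RE = re.compile(r"^[0-9]+$")                  # ASCII digits only (str.isdigit() is wider)
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _split_field(line: str, sep: str) -> Tuple[str, str]:
    if sep not in line:
        raise ValueError(f"malformed field {line!r}")
    key, value = line.split(sep, 1)
    return key.strip(), value.strip()


def parse_sts_txt(record: str) -> Dict[str, str]:
    """Parse the TXT record at _mta-sts.<domain>; ValueError if a receiver would ignore it."""
    pairs = [_split_field(c, "=") for c in record.split(";") if c.strip()]
    if not pairs or pairs[0] != ("v", "STSv1"):
        raise ValueError("record must start with v=STSv1")
    fields: Dict[str, str] = {}
    for key, value in pairs:
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value
    if not _ID_RE.match(fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


@dataclass
class Policy:
    mode: str
    max_age: int
    mx: List[str]


def _valid_mx_pattern(pattern: str) -> bool:
    labels = pattern.split(".")
    if labels[0] == "*":                 # wildcard allowed only as the leftmost label
        labels = labels[1:]
    return bool(labels) and all(_LABEL_RE.match(l) for l in labels)


def parse_sts_policy(text: str) -> Policy:
    """Parse the body of /.well-known/mta-sts.txt (CRLF or LF line endings)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or _split_field(lines[0], ":") != ("version", "STSv1"):
        raise ValueError("policy must begin with 'version: STSv1'")
    mode, max_age, mx = None, None, []
    for line in lines[1:]:
        key, value = _split_field(line, ":")
        if key == "version":
            raise ValueError("version given more than once")
        elif key == "mode":
            if mode is not None or value not in VALID_MODES:
                raise ValueError(f"bad or duplicate mode {value!r}")
            mode = value
        elif key == "max_age":
            if max_age is not None or not _DIGITS_RE.match(value) or int(value) > MAX_AGE_LIMIT:
                raise ValueError(f"bad or duplicate max_age {value!r}")
            max_age = int(value)
        elif key == "mx":
            value = value.lower().rstrip(".")
            if not _valid_mx_pattern(value):
                raise ValueError(f"bad mx pattern {value!r}")
            mx.append(value)
        # any other key is an extension field and is ignored, as RFC 8461 requires
    if mode is None or max_age is None:
        raise ValueError("mode and max_age are both required")
    if not mx:
        raise ValueError("at least one mx line is required")
    return Policy(mode, max_age, mx)


def mx_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches 'mail.example.com' but not 'example.com' or 'a.b.example.com'."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return host == pattern


def check_domain(txt_record: str, policy_text: str, mx_hosts: List[str]) -> List[str]:
    """Return the problems found; an empty list means the domain passes the offline checks."""
    problems: List[str] = []
    try:
        parse_sts_txt(txt_record)
    except ValueError as e:
        problems.append(f"TXT record: {e}")
    try:
        policy = parse_sts_policy(policy_text)
    except ValueError as e:
        problems.append(f"policy: {e}")
        return problems
    uncovered = [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy.mx)]
    if uncovered and policy.mode != "none":
        problems.append(f"mode {policy.mode} but MX hosts not covered by policy: {uncovered}")
    if policy.mode == "enforce" and policy.max_age < MIN_USEFUL_MAX_AGE:
        problems.append("max_age below one day: cached policy gives little downgrade protection")
    return problems


# Constructed sample inputs; they are not real DNS answers or a real policy.
SAMPLE_TXT = "v=STSv1; id=20190218T123000;"
SAMPLE_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mx1.example.com\r\n"
                 "mx: *.backup.example.net\r\nmax_age: 604800\r\n")
SAMPLE_MX = ["mx1.example.com", "relay2.backup.example.net"]
BAD_MX = ["mx1.example.com", "legacy.example.org"]

if __name__ == "__main__":
    print(check_domain(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX))
    print(check_domain(SAMPLE_TXT, SAMPLE_POLICY, BAD_MX))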
This guide has been written for Debian buster. It will work on stretch with minimal modifications (replace python3-flask-limiter with the pip3 package Flask-Limiter).
Install dependencies:
$ apt-get install uwsgi uwsgi-plugin-python3 python3-flask python3-flask-limiter python3-dnspython
Create a configuration file for uWSGI (howto) at /etc/uwsgi/emperor.ini:
[uwsgi]
emperor = /etc/uwsgi/vassals
uid = www-data
gid = www-data
limit-as = 1024
logto = /tmp/uwsgi.log
Create a configuration for this app at /etc/uwsgi/vassals/mta-sts.ini (create /etc/uwsgi/vassals first):
[uwsgi]
socket = /tmp/mta-sts.sock
manage-script-name = true
mount = /=check:app
plugins = python3
chmod-socket = 666
pythonpath = /some/path/mta-sts
Enable and start uWSGI (check /tmp/uwsgi.log for errors):
$ systemctl enable emperor.uwsgi.service
$ systemctl start emperor.uwsgi.service
Make sure a webserver proxies requests to /tmp/mta-sts.sock. Note that chmod-socket = 666 in the vassal config makes the socket writable by every local user; if the webserver runs as a known user (www-data on Debian), chown-socket = www-data:www-data together with chmod-socket = 660 is tighter. For example, with nginx:
location = /apps/mta-sts/api {
include uwsgi_params;
uwsgi_pass unix:/tmp/mta-sts.sock;
}
Test the app with a browser.