hardware / mailserver

:warning: UNMAINTAINED - Simple and full-featured mail server using Docker
https://store.docker.com/community/images/hardware/mailserver
MIT License

MTA-STS #257

Closed hardware closed 6 years ago

hardware commented 6 years ago

TODO: Explain MTA-STS deployment in the readme.

- https://www.hardenize.com/blog/mta-sts
- https://starttls-everywhere.org/
- https://datatracker.ietf.org/doc/draft-ietf-uta-mta-sts/
- https://datatracker.ietf.org/doc/draft-ietf-uta-smtp-tlsrpt/
- https://aykevl.nl/apps/mta-sts/

hardware commented 6 years ago

Does anyone know if it is possible to serve a static file with Traefik without a container? I know that Traefik is not a web server, but I would like to avoid using a Docker container to deploy a single TXT file.

Nginx example:

```nginx
server {
  listen 80;
  server_name mta-sts.domain.tld;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;
  server_name mta-sts.domain.tld;

  ssl_certificate /nginx/ssl/live/domain.tld/fullchain.pem;
  ssl_certificate_key /nginx/ssl/live/domain.tld/privkey.pem;
  ssl_trusted_certificate /nginx/ssl/live/domain.tld/chain.pem;

  include /nginx/conf.d/ssl.conf;
  include /nginx/conf.d/headers.conf;
  include /nginx/conf.d/errors.conf;
  include /nginx/conf.d/ocsp-stapling.conf;

  location ~ /\.well-known/acme-challenge {
    root /nginx/www/acme;
    allow all;
  }

  location ~ /\.well-known {
    root /nginx/www/mta-sts;
    allow all;
  }
}
```

/mnt/docker/nginx/www/mta-sts/.well-known/mta-sts.txt:

```text
version: STSv1
mode: testing
mx: mail.domain.tld
max_age: 86400
```

MTA-STS URL: https://mta-sts.domain.tld/.well-known/mta-sts.txt

navossoc commented 6 years ago

I don't think Traefik can do that, Caddy server can...

denji commented 6 years ago

```nginx
  location = /.well-known/mta-sts.txt {
    default_type text/plain;
    return 200 "version: STSv1
mode: testing
mx: mail.domain.tld
max_age: 86400";
  }
```

denji commented 6 years ago

It’s official, MTA-STS (HSTS equivalent for SMTP) has been released as RFC 8461
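
A check for the policy body posted in this thread against the field rules of RFC 8461, added here as an example; it is not part of the original thread or of the project. The function names `parse_policy` and `mx_allowed` are illustrative, and `domain.tld` is the thread's own placeholder domain.

```python
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds
MODES = {"enforce", "testing", "none"}

def parse_policy(text):
    """Parse an MTA-STS policy body; return (policy dict, list of problems)."""
    policy, problems = {"mx": []}, []
    for line in re.split(r"\r?\n", text.strip()):  # CRLF or LF line endings
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            problems.append(f"malformed line: {line!r}")
        elif key == "mx":
            policy["mx"].append(value.lower())  # mx may appear several times
        elif key in policy:
            # Keep the first value and flag the repeat for the operator.
            problems.append(f"duplicate field: {key}")
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in MODES:
        problems.append("mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not re.fullmatch(r"[0-9]{1,10}", age) or int(age) > MAX_AGE_LIMIT:
        problems.append("max_age must be an integer from 0 to 31557600")
    if policy.get("mode") != "none" and not policy["mx"]:
        problems.append("at least one mx is required unless mode is none")
    return policy, problems

def mx_allowed(mx_host, patterns):
    """True if an MX hostname matches one of the policy's mx patterns.
    A leading '*.' stands for exactly one left-most label."""
    host = mx_host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            _, _, parent = host.partition(".")
            if parent == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

# The policy posted in this thread (domain.tld is its placeholder domain).
THREAD_POLICY = "version: STSv1\nmode: testing\nmx: mail.domain.tld\nmax_age: 86400"

if __name__ == "__main__":
    policy, problems = parse_policy(THREAD_POLICY)
    print(policy, problems, mx_allowed("mail.domain.tld", policy["mx"]))
```

Running the same check over the body actually returned from the `/.well-known/mta-sts.txt` URL confirms that what senders fetch matches the file on disk, and that every host in the domain's MX records passes `mx_allowed` before the mode is changed from `testing` to `enforce`.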

elielam commented 5 years ago

Hi,

Does anyone have a container to serve this file?

Thank you.

elielam commented 4 years ago

Hello,

I found out how; I'll leave this here in case someone needs it.

```yaml
  # MAILSERVER MTA-STS SERVICE
  # EXTERNAL : 0.0.0.0
  # DOMAINNAME  : mta-sts.domain.tld
  # /PATH/TO/MTA-STS
  mta-sts:
    image: halverneus/static-file-server:latest
    container_name: mta-sts
    restart: unless-stopped
    networks:
      external:
        ipv4_address: 0.0.0.0 #replace with yours
    environment:
      - PUID=0
      - PGID=0
      - TZ=${TIMEZONE}
    volumes:
      - /path/to/mta-sts:/web/.well-known
    labels:
      - traefik.enable=true
      - traefik.backend=MTA-STS
      - traefik.frontend.rule=Host:mta-sts.${DOMAIN},www.mta-sts.${DOMAIN}
      # Redirect the bare host to the policy file ($$ is a literal $ in compose)
      - "traefik.frontend.redirect.regex=^https:\\/\\/([^\\/]+)\\/?$$"
      - "traefik.frontend.redirect.replacement=https://$$1/.well-known/mta-sts.txt"
      - traefik.port=8080
      - traefik.docker.network=external
      - traefik.frontend.headers.browserXSSFilter=true
      - traefik.frontend.headers.contentTypeNosniff=true
      - traefik.frontend.headers.customFrameOptionsValue=sameorigin
      - traefik.frontend.headers.referrerPolicy=no-referrer
      - traefik.frontend.headers.contentSecurityPolicy=true
```