mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

Support MTA Strict Transport Security (MTA-STS) #1388

Open justinmayer opened 6 years ago

justinmayer commented 6 years ago

MTA-STS is a new IETF standard that enables sending downgrade-resistant email over SMTP by piggybacking on the browser Certificate Authority model. Implementing this standard for Mail-in-a-Box would ostensibly mitigate downgrade-to-plaintext attacks on MiaB servers.

IETF standard: https://datatracker.ietf.org/doc/draft-ietf-uta-mta-sts/
Validator: https://aykevl.nl/apps/mta-sts/

The steps for MTA-STS implementation are summarized on the above validator page.
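The pieces the comment above refers to are a DNS TXT record announcing the policy, a policy file fetched over HTTPS, and a check that the receiving MX host matches one of the policy's `mx` patterns. The following is an added example written for this thread (not Mail-in-a-Box code) that parses and validates those two artifacts per RFC 8461, parses a TLSRPT record, and performs the MX matching including the single-label wildcard rule. All sample records are constructed; `example.eu` is a placeholder domain, and fetching the policy over HTTPS is deliberately left out so the block runs offline.

```python
"""MTA-STS (RFC 8461) checks: parse the _mta-sts TXT record and the policy
file, and test whether an MX host is permitted. Added example, not
Mail-in-a-Box code; all sample records are constructed."""
import re
from dataclasses import dataclass

# Constructed sample inputs (example.eu is a placeholder domain).
SAMPLE_TXT_RECORD = "v=STSv1; id=20240101T000000Z;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: box.example.eu
mx: *.mail.example.eu
max_age: 604800
"""
SAMPLE_TLSRPT = "v=TLSRPTv1; rua=mailto:tls-reports@example.eu"

# Hostname pattern: optional leading "*." wildcard, then two or more labels.
MX_PATTERN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age may not exceed one year (seconds)


def _parse_kv_record(record):
    """Split a 'k=v; k=v' TXT record into a dict; None if a part lacks '='."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_sts_txt(record):
    """Return the policy id from an _mta-sts.<domain> TXT record, else None."""
    fields = _parse_kv_record(record)
    if not fields or fields.get("v") != "STSv1":
        return None
    policy_id = fields.get("id", "")
    # RFC 8461: 1 to 32 alphanumerics; must change whenever the policy changes.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id):
        return None
    return policy_id


def parse_tlsrpt_txt(record):
    """Return the report URIs from a _smtp._tls.<domain> TLSRPT record, else None."""
    fields = _parse_kv_record(record)
    if not fields or fields.get("v") != "TLSRPTv1" or not fields.get("rua"):
        return None
    return [uri.strip() for uri in fields["rua"].split(",") if uri.strip()]


@dataclass
class StsPolicy:
    mode: str
    mx: list
    max_age: int


def parse_sts_policy(text):
    """Parse https://mta-sts.<domain>/.well-known/mta-sts.txt; ValueError if malformed."""
    version = mode = max_age = None
    mx = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            if not MX_PATTERN_RE.match(value):
                raise ValueError(f"bad mx pattern: {value!r}")
            mx.append(value.lower())
        elif key == "max_age":
            if not value.isdigit():
                raise ValueError(f"max_age must be an integer: {value!r}")
            max_age = int(value)
        # Unknown keys are ignored so future extensions do not break parsing.
    if version != "STSv1":
        raise ValueError("version must be STSv1")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode: {mode!r}")
    if max_age is None or max_age > MAX_AGE_LIMIT:
        raise ValueError("max_age missing or above one year")
    if mode != "none" and not mx:
        raise ValueError("at least one mx pattern is required unless mode is none")
    return StsPolicy(mode=mode, mx=mx, max_age=max_age)


def policy_is_valid(text):
    """Convenience wrapper: True if parse_sts_policy accepts the text."""
    try:
        parse_sts_policy(text)
        return True
    except ValueError:
        return False


def mx_matches(policy, mx_host):
    """True if mx_host is allowed. A '*.' wildcard matches exactly one leftmost
    label: '*.mail.example.eu' covers 'mx1.mail.example.eu' but neither
    'mail.example.eu' nor 'a.mx1.mail.example.eu'."""
    host = mx_host.rstrip(".").lower()
    for pattern in policy.mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".mail.example.eu"
            leftmost = host[: -len(suffix)] if host.endswith(suffix) else ""
            if leftmost and "." not in leftmost:
                return True
        elif host == pattern:
            return True
    return False
```

In a real sender the policy text would come from an HTTPS fetch of `mta-sts.<domain>` whose certificate must validate for that hostname, and the `mx` match is applied to the name in the receiving MX's certificate, not merely to the DNS MX record; the matching and validation logic above is the part that is easy to get wrong and worth testing in isolation.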

JoshData commented 5 years ago

:+1:

sydneyli commented 5 years ago

Hey, interested in taking a stab at this, and also giving users the option to enable TLSRPT! Will try to get something working this weekend.

jookk commented 4 years ago

I saw the changelog entry about MTA-STS and did some reading :O Is it true that MTA-STS needs a matching HTTPS certificate hostname? So the box.example.eu mail server needs an HTTPS certificate for box.example.eu? In my usage scenario it won't work, because I have only one public IP and there is another web server with web apps... The question is: with MTA-STS enabled, will mail delivery / sending still work? Thanks all :)

JoshData commented 4 years ago

@jookk MTA-STS won't be activated unless HTTPS certificates are present, so you should be fine.