Support MTA Strict Transport Security (MTA-STS)

[justinmayer]

MTA-STS is a new IETF standard that enables sending downgrade-resistant email over SMTP by piggybacking on the browser Certificate Authority model. Implementing this standard for Mail-in-a-Box would ostensibly mitigate downgrade-to-plaintext attacks on MiaB servers.

IETF standard: https://datatracker.ietf.org/doc/draft-ietf-uta-mta-sts/
Validator: https://aykevl.nl/apps/mta-sts/

The steps for MTA-STS implementation are summarized on the above validator page.

[JoshData]

👍

[sydneyli]

hey, interested in taking a stab at this, and also giving users the option to enable TLSRPT! will try to get something working this wknd.

[jookk]

I see changelog entry about mta-sts and had some reading :O
Is it true, that mta-sts needs match https certificate hostname? So box.example.eu mailserver needs https certificate with box.example.eu?
In my usage scenario, It wont work, because I have only one public ip and there is another webserver with web apps...
Question is, if with mta-sts enabled will be working mail delivery / sending?
Thanks all :)

[JoshData]

@jookk MTA-STS won't be activated unless HTTPS certificates are present, so you should be fine.