Add MTA-STS verification #1556
Add MTA-STS verification #1556
Conversation
management/dns_update.py
Outdated
| @@ -228,6 +228,10 @@ def has_rec(qname, rtype, prefix=None): | |||
| defaults = [ | |||
| (None, "A", env["PUBLIC_IP"], "Required. May have a different value. Sets the IP address that %s resolves to for web hosting and other services besides mail. The A record must be present but its value does not affect mail delivery." % domain), | |||
| (None, "AAAA", env.get('PUBLIC_IPV6'), "Optional. Sets the IPv6 address that %s resolves to, e.g. for web hosting. (It is not necessary for receiving mail on this domain.)" % domain), | |||
| ("mta-sts", "A", env["PUBLIC_IP"], "Required. For MTA-STS verification."), | |||
There was a problem hiding this comment.
The descriptions here are for the External DNS page of the control panel and are tips for people managing their own DNS. These should actually say Optional at the start since they are not required for mail deliverability, and they should not that the record should only be used if the HTTP part of the MTA-STS specification is implemented too.
There was a problem hiding this comment.
Let me know any further tweaks you would like to the wording here. See 5cb6fcc
I added an additional comment on the _smtp._tls TXT record as this is optional optional, it is not necessary for the MTA-STS to function correctly and does request/cause email reports to be sent to the postmaster@ email account by all mail servers that have connected to the box. These reports might be confusing to some and if you receive email from a large number of servers could result in a large number of additional emails (I have only received these from Google so far as I do not have many contacts).
See: https://www.hardenize.com/blog/smtp-tls-reporting-tls-rpt
setup/mail-postfix.sh
Outdated
| # ### MTA-STS - SMTP Mail Transfer Agent Strict Transport Security - SETUP | ||
| # See: https://github.com/mail-in-a-box/mailinabox/pull/1556 | ||
| # create the MTA-STS policy | ||
| hide_output mkdir -p /var/lib/mailinabox/ |
There was a problem hiding this comment.
There's no need for hide_output here. mkdir -p never has output.
There was a problem hiding this comment.
Let's also clarify in the comment that this part is what announces the local MTA-STS policy to senders and the file is served by nginx on mta-sts subdomains (actually all domains, but that's fine).
There was a problem hiding this comment.
There's no need for hide_output here.
mkdir -pnever has output.
Similarly, is the hide_output in the "hide_output /bin/systemctl start postfix-mta-sts.service" line necessary? It probably is in the "enable" line as this often creates chatter when it is created, I'm not sure what happens if the service would fail to start (starting is silent).
Let me know if you would like any corrections to the additional comment.
setup/mail-postfix.sh
Outdated
| EOF | ||
| chmod a+r /var/lib/mailinabox/mta-sts.txt | ||
|
|
||
| # install the postfix MTA-STS resolver |
There was a problem hiding this comment.
Let's clarify in the comment here that the MTA-STS resolver service is used by Postfix to ensure outgoing mail uses TLS when the recipient announces MTA-STS.
|
I left some more comments. This is fantastic work by the way. |
| # install the postfix MTA-STS resolver. the MTA-STS resolver service is | ||
| # used by Postfix to ensure outgoing mail uses TLS when the recipient | ||
| # announces MTA-STS. | ||
| hide_output /usr/bin/pip3 install postfix-mta-sts-resolver |
There was a problem hiding this comment.
Should this be altered to include an upgrade parameter if postfix-mta-sts-resolver is already installed?
hide_output /usr/bin/pip3 install -U postfix-mta-sts-resolver
|
I'm not sure why the PR was closed. It is pretty cool. I have two more comments:
|
|
I agree we should have strict_testing disabled as it seems that it is the default. I wonder about the "zones:" section. I don't understand why myzone is there (or any value really). I've seen a few variations of names in that space on different websites, so I'm not sure if it is supposed to be a domain name or not. I imagine since the settings are the same as the defaults we can omit that section. Looks like an upcoming version will change the default config location namely Snawoot/postfix-mta-sts-resolver@6dc046c. Keep it in /etc/postfix, move it to /etc/, or even /home/user-data? |
|
Why was this closed? PR and implementation discussion seemed good to me; and this would be yet another valuable thing to pimp the security of MIAB. Would very much like to see this supported by default. |
|
I closed the PR as the discussion had ground to a halt and the questions I asked received no replies for over a week. People are busy and sometimes do not have the time to follow through on their comments which I understand but I needed this implemented on my version of MIAB so I went ahead on my own. MIAB would rather be stable than introduce new features. This isn't a criticism and it is a valid and understandable choice. I chose instead to fork the project and merge it with some of the many other excellent and working PR that have not been approved in the past (to name but a few quotas, tasks and code style improvements). This PR works and I have been using it for several months on my own fork of MIAB without any issues so feel free to add it to your own fork too without any problems. |
» If you're having special needs I'm sincerely recommending you to fork the official 'master' branch and build you needed custom version on top of it ;) |
|
It's a genuine shame the PR was closed, this would have been an invaluable standard to achieve. I'm hoping this contribution will eventually find its way into future versions of MIAB. |
This pull request implements MTA-STS to enhance email transport security and privacy.
It is based upon this article:
https://blog.delouw.ch/2018/12/16/using-mta-sts-to-enhance-email-transport-security-and-privacy/
https://aykevl.nl/apps/mta-sts/
See also:
https://security.googleblog.com/2019/04/gmail-making-email-more-secure-with-mta.html