Skip to content
/ mta-sts.il.powerprofile.sh Public
generated from jpawlowski/mta-sts.template

📩 Inbound e-mail (MTA) Strict Transport Security (STS) policy, hosted on GitHub Pages.

mta-sts.il.powerprofile.sh

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

PowerProfile/mta-sts.il.powerprofile.sh

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.well-known
.well-known
 
 
.gitattributes
.gitattributes
 
 
.nojekyll
.nojekyll
 
 
CNAME
CNAME
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
_config.yml
_config.yml
 
 
index.html
index.html
 
 

Repository files navigation


📩 A Template to host an MTA-STS Policy file on GitHub

Use this template to host your MTA Strict Transport Security (MTA-STS) [RFC 8461] policy file on GitHub Pages.

How To Use • License • Author

MTA-STS is a security standard to secure e-mail delivery. E-mail servers that send inbound e-mail to your domain will be able to detect that your e-mail server supports SMTP-over-TLS via STARTTLS (also known as Opportunistic TLS) before opening the actual connection.

In case the sending e-mail server is not able to initiate a secure connection, it will end the connection to enforce transport layer encryption. This mitigates Man-in-the-middle DNS and SMTP downgrade attacks that would allow an attacker to read or manipulate e-mail in transit.

How To Use

  1. Click on Use this template to create a copy to your own GitHub profile. You may name your repository whatever you like. For simplicity, you can name it mta-sts.<your_domain.tld>.

  2. Change the file .well-known/mta-sts.txt according to your needs.

  3. Create a CNAME record for mta-sts.<your_domain.tld> in your domain's DNS that points to <user>.github.io or <organization>.github.io. See GitHub Docs to learn more about custom domains on GitHub Pages.

  4. Open a browser to https://mta-sts.<your_domain.tld> and make sure it does not show any certificate warnings.

  5. Create a TXT record for _mta-sts.<your_domain.tld> in your domain's DNS to enable the MTA-STS policy for your domain. You may copy & paste this to your DNS provider:

    #HOST       #TTL    #TYPE    #VALUE
_mta-sts    3600    TXT      "v=STSv1; id=1634120459"

    Note that you will need to change the id= here whenever you make changes to your mta-sts.txt policy file.

  6. Validate your setup, for example by using the MTA-STS validator created by @aykevl.

Optional (but highly recommended):

  1. Create a TLSRPT record for _smtp._tls.<your_domain.tld> in your domain's DNS to enable reporing

    #HOST         #TTL    #TYPE    #VALUE
_smtp._tls    3600    TXT      "v=TLSRPTv1; rua=mailto:tls-rua@mailcheck.<your_domain.tld>"

    Note that the e-mail recipient mailbox shall be on a different domain without MTA-STS being configured. It is also quite painful to manually deal with the reports other e-mail providers will send to you. For that particular reason, you may want to consider sending these e-mail to a 3rd-party tool like Report URI, URIports, or from other commercial providers.

    You probably want this to be the same tool you might use for DMARC reports, like DMARC Analyzer or Dmarcian.

License

MIT License

Author

julian.pawlowski.me  ·  GitHub @jpawlowski  ·  Twitter @Loredo

About

📩 Inbound e-mail (MTA) Strict Transport Security (STS) policy, hosted on GitHub Pages.

mta-sts.il.powerprofile.sh

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Languages