diff --git a/management/dns_update.py b/management/dns_update.py
index e1f92612..822af4d9 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -318,8 +318,7 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 # valid (e.g. because it is self-signed and a valid certificate has not yet been provisioned).
 get_prim_cert = get_ssl_certificates(env)[env['PRIMARY_HOSTNAME']]
 response = check_certificate(env['PRIMARY_HOSTNAME'], get_prim_cert['certificate'],get_prim_cert['private-key'])
- # we don't want those records on the primary hostname
- # and we only want these records if the certificate is valid
+
 if response[0] == 'OK' and domain in get_mail_domains(env):
 mta_sts_records = [
 ("mta-sts", "A", env["PUBLIC_IP"], "Provides MTA-STS support"),
diff --git a/security.md b/security.md
index e2a9ccc2..ae77f339 100644
--- a/security.md
+++ b/security.md
@@ -99,7 +99,6 @@ While domain policy records prevent other servers from sending mail with a "From
 The box restricts the envelope sender address (also called the return path or MAIL FROM address --- this is different from the "From:" header) that users may put into outbound mail. The envelope sender address must be either their own email address (their SMTP login username) or any alias that they are listed as a permitted sender of. (There is currently no restriction on the contents of the "From:" header.)
 Incoming Mail
- -------------
 ### Encryption
diff --git a/setup/web.sh b/setup/web.sh
index 2630f951..c384c00e 100755
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -126,6 +126,9 @@ chmod a+r /var/lib/mailinabox/mozilla-autoconfig.xml
 # nginx configuration at /.well-known/mta-sts.txt
 # more documentation is available on:
 # https://www.uriports.com/blog/mta-sts-explained/
+# default mode is "testing", which means: "Messages will be delivered as
+# though there was no failure but a report will be sent if TLS-RPT is configured"
+# other valid modes are: "enforce" and "none".
 PUNY_PRIMARY_HOSTNAME=$(echo "$PRIMARY_HOSTNAME" | idn2)
 cat conf/mta-sts.txt \
 | sed "s/MODE/$MTA_STS/" \
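Review bot: The blank line that replaces the two removed comments leaves the gate `if response[0] == 'OK' and domain in get_mail_domains(env):` with no explanation of why MTA-STS records depend on the primary hostname's certificate check, and that dependency is a security-relevant invariant worth keeping next to the code. The old text was half wrong — nothing in the condition excludes the primary hostname, which is presumably why it was dropped — but the certificate half still holds and deserves an accurate replacement, e.g. `# Publish MTA-STS only for mail domains, and only while the primary hostname's certificate validates: a policy pointing at a host whose certificate fails would make policy-honouring MTAs treat our TLS as broken.` As far as this hunk shows, any status other than the literal `'OK'` (including an errored check) silently withholds the records, which is the safe direction but is worth a word in that comment too. build_zone starts before this hunk and continues after it.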
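Review bot: The new comment lists the three accepted values for MTA_STS, but the `sed "s/MODE/$MTA_STS/"` line at the end of the hunk still substitutes the variable unvalidated, so a typo or an empty value (MTA_STS is assigned outside this hunk) would be written into the published policy presumably as an invalid `mode:`, and a value containing `/` breaks the sed expression itself. A guard before the `cat` would make the documented contract enforceable: `case "$MTA_STS" in testing|enforce|none) ;; *) echo "MTA_STS must be testing, enforce or none (got '$MTA_STS')" >&2; exit 1 ;; esac`. The description of "testing" matches RFC 8461, so the comment text reads fine; it might add that "enforce" should only be switched on once TLS-RPT reports are clean, since that is the mode in which a certificate or DNS mistake stops inbound mail from policy-honouring senders.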