diff --git a/management/dns_update.py b/management/dns_update.py
index 544a9fe8..92a40509 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -304,9 +304,18 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 if not has_rec(qname, rtype):
 records.append((qname, rtype, value, explanation))
- # Adds autoconfiguration A records for all domains.
- # mta-sts.* - required A record for mta-sts (serving the policy)
-
+ # If this is a domain name that there are email addresses configured for, i.e. "something@"
+ # this domain name, then the domain name is a MTA-STS (https://tools.ietf.org/html/rfc8461)
+ # Policy Domain.
+ #
+ # A "_mta-sts" TXT record signals the presence of a MTA-STS policy, and an effectively random policy
+ # ID is used to signal that a new policy may (or may not) be deployed any time the DNS is
+ # updated.
+ #
+ # The policy itself is served at the "mta-sts" (no underscore) subdomain over HTTPS. The
+ # TLS certificate used by Postfix for STARTTLS must be a valid certificate for the MX
+ # name (PRIMARY_HOSTNAME), so we do not set an MTA-STS policy if the certificate is not
+ # valid (e.g. because it is self-signed and a valid certificate has not yet been provisioned).
 get_prim_cert = get_ssl_certificates(env)[env['PRIMARY_HOSTNAME']]
 response = check_certificate(env['PRIMARY_HOSTNAME'], get_prim_cert['certificate'],get_prim_cert['private-key'])
 # we don't want those records on the primary hostname
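Review bot: The new comment describes the `_mta-sts` policy ID as "effectively random", but the record value visible as context in the next hunk is `"v=STSv1; id=%sZ" % datetime.datetime.now().strftime("%Y%m%d%H%M%S")`, a local-time timestamp with a literal `Z` suffix, so it is neither random nor necessarily UTC. I would reword that comment line to `# ID derived from the current time (regenerated on every DNS update) is used to signal` and, in the next hunk, build the timestamp with `datetime.datetime.now(datetime.timezone.utc)` so the `Z` suffix is accurate. Because the ID changes on every regeneration whether or not the served policy changed, senders will re-fetch the policy after each DNS update; that is acceptable but worth stating plainly rather than calling it random. The comment also claims no policy is set when the certificate check fails, yet the branch on `response` that would enforce this is outside the hunk and could not be verified here; the `build_zone` body continues beyond both ends of the hunk.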
@@ -317,8 +326,10 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 ("mta-sts", "AAAA", env.get('PUBLIC_IPV6'), "Provides MTA-STS support"),
 ("_mta-sts", "TXT", "v=STSv1; id=%sZ" % datetime.datetime.now().strftime("%Y%m%d%H%M%S"), "Enables MTA-STS support")
 ]
- # Skip if the user has set a custom _smtp._tls record.
+ # Rules can be custom configured accoring to https://tools.ietf.org/html/rfc8460.
+ # Skip if the rules below if the user has set a custom _smtp._tls record.
 if not has_rec("_smtp._tls", "TXT", prefix="v=TLSRPTv1;"):
+ # if the alias 'tlsrpt@PRIMARY_HOSTNAME' is configured, automaticly, reporting will be enabled to this email address
 tls_rpt_email = "tlsrpt@%s" % env['PRIMARY_HOSTNAME']
 tls_rpt_string = ""
 for alias in get_mail_aliases(env):
diff --git a/security.md b/security.md
index 3f6ebc82..e2a9ccc2 100644
--- a/security.md
+++ b/security.md
@@ -98,11 +98,7 @@ While domain policy records prevent other servers from sending mail with a "From
 The box restricts the envelope sender address (also called the return path or MAIL FROM address --- this is different from the "From:" header) that users may put into outbound mail. The envelope sender address must be either their own email address (their SMTP login username) or any alias that they are listed as a permitted sender of. (There is currently no restriction on the contents of the "From:" header.)
-### MTA-STS
-
-SMTP MTA Strict Transport Security ([SMTP MTA-STS for short](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security)).
-
-MTA-STS is a mechanism that instructs an SMTP server that the communication with the other SMTP server MUST be encrypted and that the domain name on the certificate should match the domain in the policy. It uses a combination of DNS and HTTPS to publish a policy that tells the sending party what to do when an encrypted channel can not be negotiated.
+Incoming Mail -------------
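Review bot: The three comment lines added around the `_smtp._tls` TLSRPT check contain typos and a garbled clause ("accoring", "Skip if the rules below if", "automaticly"), and since this hunk only adds comments their wording is the entire change. I would write them as `# Reporting rules can be custom configured according to https://tools.ietf.org/html/rfc8460.`, `# Skip the rules below if the user has set a custom _smtp._tls record.` and `# If the alias 'tlsrpt@PRIMARY_HOSTNAME' is configured, TLS reports are automatically sent to that address.`. The `for alias in get_mail_aliases(env):` loop that the last comment describes continues past the end of the hunk, so whether the alias is matched exactly or by prefix could not be confirmed from these lines.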
@@ -114,6 +110,12 @@ As discussed above, there is no way to require on-the-wire encryption of mail. W
 When DNSSEC is enabled at the box's domain name's registrar, [DANE TLSA](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records are automatically published in DNS. Senders supporting DANE will enforce encryption on-the-wire between them and the box --- see the section on DANE for outgoing mail above. ([source](management/dns_update.py))
+### MTA-STS
+
+SMTP MTA Strict Transport Security ([SMTP MTA-STS for short](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security)).
+
+MTA-STS is a mechanism that instructs an SMTP server that the communication with the other SMTP server MUST be encrypted and that the domain name on the certificate should match the domain in the policy. It uses a combination of DNS and HTTPS to publish a policy that tells the sending party what to do when an encrypted channel can not be negotiated.
+
 ### Filters
 Incoming mail is run through several filters. Email is bounced if the sender's IP address is listed in the [Spamhaus Zen blacklist](http://www.spamhaus.org/zen/) or if the sender's domain is listed in the [Spamhaus Domain Block List](http://www.spamhaus.org/dbl/). Greylisting (with [postgrey](http://postgrey.schweikert.ch/)) is also used to cut down on spam. ([source](setup/mail-postfix.sh))