How can you add MTA-STS with ISPConfig?

Discussion in 'General' started by Milly, Feb 14, 2020.

  1. Milly

    Milly Member

    Hi, I have a small test server from The Perfect Server Debian 10 Apache tutorial.

    I have the following image that shows some problems with the email account, as I don't have much experience I would like to know which ones are necessary to solve.


    For MTA-STS I have seen the following tutorial, but I'm really not sure how to do it from ISPConfig, especially configure SSLCertificate:

    mkdir /var/www/mta-sts
    mkdir /var/www/mta-sts/.well-known
    nano /var/www/mta-sts/.well-known/mta-sts.txt

    version: STSv1
    mode: testing
    mx: mail1.your-domain
    mx: mail2.your-domain
    max_age: 86401
    nano /etc/apache2/sites-available/mta-sts.conf
    <IfModule mod_ssl.c>
    <VirtualHost your-server-ipv4-address:443 [your-server-ipv6-address]:443>
    ServerName mta-sts.your-domain
    DocumentRoot /var/www/mta-sts

    ErrorDocument 403 "403 Forbidden - This site is used to specify the MTA-STS policy for this domain, please see '/.well-known/mta-sts.txt'. If you were not expecting to see this, please use <a href=\"https://your-domain\" rel=\"noopener\">https://your-domain</a> instead."

    RewriteEngine On
    RewriteOptions IgnoreInherit
    RewriteRule !^/.well-known/mta-sts.txt - [L,R=403]

    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    Include /etc/letsencrypt/options-ssl-apache.conf

    a2enmod rewrite ssl
    a2ensite mta-sts
    apachectl configtest
    service apache2 restart
    certbot --apache -d mta-sts.your-domain
    curl https://mta-sts.your-domain/.well-known/mta-sts.txt

    TXT records:
    _mta-sts.your-domain IN TXT "v=STSv1; id=id-value"
    _smtp._tls.your-domain IN TXT "v=TLSRPTv1; rua=reporting-address"

    How to add MTA-STS with ISPConfig, especially the part of the SSLCertificateFile?

    Thank you
    Last edited: Feb 14, 2020
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Your screenshot does not show any problem except that you might want to add the ca certificate in postfix, but that's not mta-sts related. Mta-sts is an optional and not required email extension. If you don't have much experience with Linux administration then I highly recommend staying with the setup that is provided by the perfect server guide. I've seen too many newbies here that wanted to have the best and shiniest hardened system with all kinds of fancy new technologies that simply ruined their setup so that nothing worked at the end.
    Milly and Th0m like this.
  3. Milly

    Milly Member

    Thanks for taking the time to answer.

    Now I understand that MTA-STS is not necessary and that it is very difficult to avoid falling into the spam folder.

    About CA certificate, the folder /usr/local/share/ca-certificates/ is empty.

    Should I copy a certificate from /usr/local/ispconfig/interface/ssl/ or should I create a new one?

    Thank you
    Last edited: Feb 18, 2020
  4. Steini86

    Steini86 Active Member

    For MTA-STS with ISPconfig:
    1. Create a website (needs working (trusted) SSL, but no need for PHP/CGI/Python/etc..)
    2. For all Domains you are using to send mails (ISPC -> Mail -> Domain), create a web alias from to in ispconfig -> Sites -> Aliasdomain for website
    3. Create the folder
      /var/www/ and place a file "mta-sts.txt" in it with:
      version: STSv1
      mode: testing
      max_age: 86400
      Make sure the MX part matches your DNS MX entry! "Mode" should be "testing" for the beginning, if it works you can switch to "enforce". If you change that later, don't forget to adjust the ID in the DNS entry created in Step 4
    4. Create a DNS entry "" as "txt" record and value: "v=STSv1; id=202002181516001"
      The id is arbitrary, you can choose anything. It is used for caching. If you change the ID means you have updated your policy (for example, switching from testing to enforce). I use the timestamp when I did the last changes
    5. For every mail domain create a "CNAME" from "" to "" (if you do not already have a wildcard entry)
    6. Wait some time to propagate the information and test

    CA stands for "Certificate Authority" and are not your certificates, you cannot create them. You have to install them (most certainly, they are already):
    See if you have the file /etc/ssl/certs/ca-certificates.crt, if not install "ca-certificates" package via apt.
    Then set in Postfix:
    smtp_tls_CAfile = $smtpd_tls_CAfile
    smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    Last edited: Feb 19, 2020
    Milly and Jesse Norell like this.
  5. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    just to be completely clear, for
    this is an ALIAS dns record and not an email domain alias?
    Milly likes this.
  6. Steini86

    Steini86 Active Member

    Sorry to be unclear, I will edit it to be more specific. This is a web alias. In ispconfig -> Sites -> Aliasdomain for website.

    If an email is being sent to and the corresponding TXT record in DNS exists, the server is opening to get the mx information. Now you can either create that file for each domain, or you make one web and use the alias domain.
    There are other options, for example to place that in the webserver configuration, but this is then webserver dependent (apache/nginx) and in this simple guide I wanted to be as generic and simple as possible.

    If you have many mail domains, it might be easier to use a generic webserver config. For example for apache, a config like
    <VirtualHost *:80>
      ServerAlias mta-sts.*
      # all other stuff
    should work and serve mta-sts subdomin on all hosts. However, have never tried it. But this would be the route to go for a lot of domains or a general solution
    Last edited: Feb 19, 2020
    Milly likes this.
  7. Milly

    Milly Member

    Thank you very much for the help

    That's right, I have the /etc/ssl/certs/ca-certificates.crt

    The lines:
    smtp_tls_CAfile = $smtpd_tls_CAfile
    smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    I have added them to the nano /etc/postfix/ file, but the test shows the same. Is the file correct or am I wrong?

    -------------------------------------------------- -------------------------------------------------- ---

    In mta-sts if I access the text of the file is displayed.

    I have done what you indicate, it has more than 24 hours but the error is still shown in the test, I will wait another 24 hours.

    Steini86 likes this.
  8. Steini86

    Steini86 Active Member

    That is the right file. Have you restarted postfix?
    Lookin "postconf -n" what setting is set.
    Milly likes this.
  9. Milly

    Milly Member

    Yes, restart postfix
    With "postconf -n" the lines are shown, they are in the list.

    For reference, the tutorial I have used is The Perfect Server Debian 10 apache, I did not make any particular changes.

    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    append_dot_mydomain = no
    biff = no
    body_checks = regexp:/etc/postfix/body_checks
    broken_sasl_auth_clients = yes
    compatibility_level = 2
    content_filter = amavis:[]:10024
    dovecot_destination_recipient_limit = 1
    greylisting = check_policy_service inet:
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = /usr/share/doc/postfix/html
    inet_interfaces = all
    inet_protocols = all
    mailbox_size_limit = 0
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    mydestination =, localhost, localhost.localdomain
    myhostname =
    mynetworks = [::1]/128
    myorigin = /etc/mailname
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    owner_request_special = no
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_d
    omains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
    readme_directory = /usr/share/doc/postfix
    receive_override_options = no_address_mappings
    recipient_delimiter = +
    relay_domains = mysql:/etc/postfix/
    relay_recipient_maps = mysql:/etc/postfix/
    relayhost =
    sender_bcc_maps = proxy:mysql:/etc/postfix/
    smtp_tls_CAfile = $smtpd_tls_CAfile
    smtp_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    smtpd_client_message_rate_limit = 100
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_hel
    o_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client, check_recipient_access mysql:/etc/postfix/mysql-virt, check_recipient_access mysql:/etc/postfix/
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    smtpd_restriction_classes = greylisting
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/ , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_s, check_sender_access regexp:/etc/postfix/
    smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/, proxy:mysql:/etc/postfix/
    virtual_gid_maps = mysql:/etc/postfix/
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/
    virtual_transport = dovecot
    virtual_uid_maps = mysql:/etc/postfix/

  10. Steini86

    Steini86 Active Member

    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    And these two files link to your letsencrypt certificate? Then the test should work. Have you redone it? Sometimes, they cache the results and show an old test
    Milly likes this.
  11. Milly

    Milly Member

    The certificates are those created with the tutorial:

    I think they are created after installing ISPConfig as the smtpd.key?

    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    SSL handshake has read 2373 bytes and written 390 bytes
    Verification error: self signed certificate
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 18 (self signed certificate)

  12. Steini86

    Steini86 Active Member

    Yes, then you have a self-signed certificate, which is the source of the error. You should exchange this with a letsencrypt certificate.

    If you have a webdomain which already has a letsencrypt certificate, it can be easily done via:
    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/ smtpd.cert
    ln -s /etc/letsencrypt/live/ smtpd.key
    service postfix restart
    Verify, that in dovecot you have the same settings for the certificate:
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    Milly likes this.
  13. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes, that should work fine, that's how our autodiscover setup works, a vhost for autoconfig.domain.tld with alias autodiscover.domain.tld, then apache config snippet of:
    ServerAlias autoconfig.*
    ServerAlias autodiscover.*
  14. Milly

    Milly Member

    Thanks to your help CA finally works.

    I had no idea that it was necessary to add the server name as a web to ISPConfig

    MTA-STS is still not working, but I will wait a little longer for propagation.


    Greetings and thanks
    Steini86 likes this.
  15. Steini86

    Steini86 Active Member

    Glad to hear its working!
    It is not necessary, it just makes it easier. The webdomain is used to create and renew the LetsEncrypt certificate via ispc. If you get the certificate with a different method, there is no need for the web. However, I just use that web for my webmail application.
    Milly likes this.

Share This Page