MTA-STS support

Discussion in 'Feature Requests' started by felan, Apr 11, 2019.

  1. felan

    felan Member HowtoForge Supporter

    Google has just started using MTA-STS on their systems. It would be great to follow suit with them, as this would secure people's e-mail communication further.

    Are there any plans for this?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I can see, there are no changes required in ISPConfig. You just have to use an official SSL cert for your mail system and add a DNS TXT record. Both are already possible.
     
    girthh likes this.
  3. felan

    felan Member HowtoForge Supporter

    Mhm, plus we need postfix-mta-sts-resolver as well. But thanks. If anyone has other input on this, feel free :) It's something that I will work a bit further with.
     
    girthh likes this.
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    There is additionally a policy file served (https://mta-sts.domain.tld/.well-known/mta-sts.txt) which must include 'mx' entries for all mx records, and those are to be included in SAN fields of the smtp certificate. This can all be done manually in the short term, but would make sense to have a nice integrated setup for this in the same manner that DKIM keys are generated and can be both added to DNS and configured in the mail server.

    Likely the time to implement would be while (or after) working on the setup for SMTP SNI, as ISPConfig will know exactly what names are in the certificates it requests and configures for SMTP, so it could generate an MTA-STS policy with those names as well.
     
    girthh likes this.
  5. felan

    felan Member HowtoForge Supporter

    Hmm, yeah, that would be nice if that could be incorporated into ISPConfig. Especially for servers with lots of domains on them.
     
    girthh likes this.
  6. florian030

    florian030 Well-Known Member HowtoForge Supporter

    I don't think that should be a part of ISPConfig. Just create a website for your MTA-STS server. With nginx you can use something like
    Code:
    # Serve the MTA-STS policy for the mta-sts.<domain> site.
    location ^~ /.well-known/mta-sts.txt {
       # Prefer a real file if one exists, otherwise fall back to the inline policy.
       try_files $uri @mta-sts;
    }
    location @mta-sts {
      # RFC 8461 requires the policy to be served as text/plain.
      default_type text/plain;
      return 200 "version: STSv1\nmode: enforce\nmx: mailserver.example.com\nmax_age: 1036800\n";
    }
    
    Create a TXT record for MTA-STS
    Code:
    v=STSv1; id=20160831085700B
    
    and use CNAMEs for other domains.
     
    girthh and ahrasis like this.
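The policy file and TXT record described in posts 4 and 6 are small enough to check mechanically before switching a domain to enforce mode. The script below is an added example written for this thread, not code from ISPConfig or from any poster: it parses the `_mta-sts` TXT record and the policy body, then checks that every MX host the domain publishes is covered by an `mx` line and by a SAN of the SMTP certificate, which is the consistency Jesse Norell's post calls for. All inputs (the TXT record, the policy text, the MX host list and the certificate SAN list) are constructed sample values; in practice they would come from DNS lookups and the certificate itself.

```python
import re
from typing import Dict, List

# Constructed sample inputs (assumptions, not taken from the thread): what a
# sending MTA's resolver would fetch for a domain, plus what the domain owner
# knows about its own MX hosts and SMTP certificate.
SAMPLE_TXT_RECORD = "v=STSv1; id=20160831085700B"
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mailserver.example.com\n"
    "mx: *.backup.example.net\n"
    "max_age: 1036800\n"
)
SAMPLE_MX_HOSTS = ["mailserver.example.com", "mx2.backup.example.net"]
SAMPLE_CERT_SANS = ["mailserver.example.com", "*.backup.example.net"]

MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age may not exceed one year in seconds


def parse_txt_record(txt: str) -> Dict[str, str]:
    """Parse the _mta-sts TXT record ("v=STSv1; id=...") into key/value pairs.

    Senders compare the id with their cached copy to decide whether to refetch
    the policy, so it must change whenever the policy file changes.
    """
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must begin with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy(text: str) -> Dict[str, object]:
    """Parse the policy body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy: Dict[str, object] = {}
    mx: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if "max_age" not in policy or not str(policy["max_age"]).isdigit():
        raise ValueError("max_age must be a non-negative integer")
    policy["max_age"] = int(str(policy["max_age"]))
    if int(str(policy["max_age"])) > MAX_AGE_LIMIT:
        raise ValueError("max_age exceeds the RFC 8461 maximum")
    if policy["mode"] != "none" and not mx:
        raise ValueError("at least one mx line is required unless mode is none")
    policy["mx"] = mx
    return policy


def name_matches(pattern: str, host: str) -> bool:
    """Match a host against an mx pattern: exact name, or '*.' covering one label.

    This is the RFC 8461 mx rule; it is also used here as an approximation of
    certificate wildcard matching, which likewise covers a single label.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.backup.example.net" -> ".backup.example.net"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def check_deployment(txt: str, policy_text: str, mx_hosts: List[str],
                     cert_sans: List[str]) -> List[str]:
    """Return the inconsistencies found; an empty list means the setup is coherent."""
    problems: List[str] = []
    try:
        parse_txt_record(txt)
    except ValueError as exc:
        problems.append(f"TXT record: {exc}")
    try:
        policy = parse_policy(policy_text)
    except ValueError as exc:
        problems.append(f"policy file: {exc}")
        return problems
    patterns = policy["mx"]
    for host in mx_hosts:
        # Every MX the domain publishes must be allowed by the policy, otherwise
        # senders in enforce mode will refuse to deliver to it.
        if not any(name_matches(p, host) for p in patterns):
            problems.append(f"MX host {host} is not covered by any mx line")
        # ...and the certificate the host presents must cover its name too.
        if not any(name_matches(san, host) for san in cert_sans):
            problems.append(f"MX host {host} is not covered by any certificate SAN")
    return problems


if __name__ == "__main__":
    for problem in check_deployment(SAMPLE_TXT_RECORD, SAMPLE_POLICY,
                                    SAMPLE_MX_HOSTS, SAMPLE_CERT_SANS) or ["ok"]:
        print(problem)
```

Run it against the sample values and it prints `ok`; swap in an MX host that the policy does not list and it reports both the missing `mx` line and the missing SAN, which is exactly the state that makes `mode: enforce` bounce mail. The wildcard rule deliberately matches only one label, so `*.backup.example.net` does not cover `a.b.backup.example.net`.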
  7. girthh

    girthh New Member

    Although a workaround can be easily done, integration with ISPConfig in the click of a button would keep ISPConfig at the top for website/server implementation for years to come! Even as simple as some code that creates the website with subdomain automatically and adds nginx directives by default; generating the id=timestamp RFC requirement and noting to users what to copy/paste into their TXT records.
     
    Last edited: Dec 7, 2019
    felan likes this.