This PR adds the following text to the `ssl.md` documentation:

Additional security measures

For additional security, we recommend you take some extra steps.

SMTP MTA Strict Transport Security (MTA-STS)

MTA-STS is an extra step you can take to broadcast the ability of your instance to receive and, optionally, enforce TLS-secure SMTP connections to protect email traffic.

Enabling MTA-STS requires you to serve a specific file from the subdomain `mta-sts.domain.com` on a well-known route. Create a text file `/var/www/.well-known/mta-sts.txt` with the content:

It is recommended to start with `mode: testing` to give yourself time to review failure reports. Add as many `mx: domain` entries as you have matching MX records in your DNS configuration.

Create a TXT record for `_mta-sts.mydomain.com.` with the following value:

With `UNIX_TIMESTAMP` being the current date/time. Use the following command to generate the record:

To verify that the DNS works, the following command should return a result similar to this one:

Create an additional Nginx configuration in `/etc/nginx/sites-enabled/mta-sts` with the following content:

Restart Nginx with the following command:

A correct configuration of MTA-STS, however, requires that the certificate used to host the `mta-sts` subdomain matches that of the subdomain referred to by the MX record from the DNS. In other words, both `mta-sts.mydomain.com` and `app.mydomain.com` must share the same certificate. The easiest way to do this is to expand the certificate associated with `app.mydomain.com` to also support the `mta-sts` subdomain using the following command:

SMTP TLS Reporting

TLSRPT is used by SMTP systems to report failures in establishing TLS-secure sessions as broadcast by the MTA-STS configuration. Configuring MTA-STS in `mode: testing` as shown in the previous section gives you time to review failures from some SMTP senders.

Create a TXT record for `_smtp._tls.mydomain.com.` with the following value:

The TLSRPT configuration at the DNS level allows SMTP senders that fail to initiate TLS-secure sessions to send reports to a particular email address. We suggest creating a `tls-reports` alias in SimpleLogin for this purpose. To verify that the DNS works, the following command should return a result similar to this one:
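As an added example that is not part of this PR or of SimpleLogin's documentation, the Python below builds the `mta-sts.txt` policy file and the two TXT record values described in the sections above (MTA-STS and TLSRPT), and checks them against the constraints of RFC 8461 and RFC 8460: a valid `mode`, a `max_age` of at most one year, a policy `id` of 1 to 32 alphanumeric characters, and one `mx:` entry covering every MX hostname you actually publish in DNS. The hostnames `app.mydomain.com` and the `tls-reports@mydomain.com` address are taken from the page's placeholders; the `max_age` of 604800 seconds and the sample MX list are constructed for the example.

```python
"""Added example (not from the PR): build and sanity-check the MTA-STS policy
file and the two DNS TXT records described above, following RFC 8461 (MTA-STS)
and RFC 8460 (TLSRPT). Domain names are the page's placeholders."""
import re
import time

MAX_AGE_LIMIT = 31557600          # RFC 8461: max_age must not exceed one year in seconds
VALID_MODES = {"enforce", "testing", "none"}
# RFC 8461 restricts the policy id to 1..32 alphanumeric characters.
ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")
# Hostname, optionally with a wildcard in the leftmost label, as allowed in mx: lines.
MX_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)


def build_policy(mx_hosts, mode="testing", max_age=604800):
    """Return the text of /.well-known/mta-sts.txt for the given MX hostnames."""
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {host}" for host in mx_hosts]
    lines.append(f"max_age: {max_age}")
    return "\n".join(lines) + "\n"


def parse_policy(text):
    """Parse 'key: value' lines into a dict; mx may repeat, so it becomes a list."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def mx_matches(pattern, host):
    """'*.example.com' matches exactly one extra leftmost label; otherwise exact match."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def validate_policy(text, dns_mx_hosts):
    """Return a list of problems; empty means the policy file looks sound and
    the mx: entries and the MX hosts published in DNS cover each other."""
    problems = []
    p = parse_policy(text)
    if p.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if p.get("mode") not in VALID_MODES:
        problems.append(f"mode must be one of {sorted(VALID_MODES)}")
    try:
        age = int(p.get("max_age", ""))
        if not 0 <= age <= MAX_AGE_LIMIT:
            problems.append(f"max_age out of range 0..{MAX_AGE_LIMIT}")
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    if not p["mx"]:
        problems.append("at least one mx: entry is required")
    dns = {h.lower().rstrip(".") for h in dns_mx_hosts}
    for pattern in p["mx"]:
        if not MX_RE.match(pattern):
            problems.append(f"invalid mx pattern: {pattern}")
        elif not any(mx_matches(pattern, h) for h in dns):
            problems.append(f"mx: {pattern} matches no MX record in DNS")
    for h in sorted(dns):
        if not any(mx_matches(pat, h) for pat in p["mx"]):
            problems.append(f"MX host {h} is not covered by any mx: entry")
    return problems


def mta_sts_txt_record(policy_id=None):
    """Value for the _mta-sts.<domain> TXT record; the id must change whenever the
    policy file changes, which is why the page uses the current UNIX timestamp."""
    policy_id = policy_id or str(int(time.time()))
    if not ID_RE.match(policy_id):
        raise ValueError("policy id must be 1-32 alphanumeric characters")
    return f"v=STSv1; id={policy_id}"


def tlsrpt_txt_record(report_address):
    """Value for the _smtp._tls.<domain> TXT record (RFC 8460)."""
    return f"v=TLSRPTv1; rua=mailto:{report_address}"


if __name__ == "__main__":
    # Constructed sample: the MX hostnames DNS would return for the page's setup.
    dns_mx = ["app.mydomain.com."]
    text = build_policy(["app.mydomain.com"])
    print(text)
    print("problems:", validate_policy(text, dns_mx))
    print(mta_sts_txt_record())
    print(tlsrpt_txt_record("tls-reports@mydomain.com"))
```

The checks run entirely offline; in practice, feed `validate_policy` the hostnames from your domain's real MX records so that a host missing from the policy is caught before you switch from `mode: testing` to `mode: enforce`, since in enforce mode a sending MTA will refuse to deliver to an MX host the policy does not list.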