SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections.
SMTP MTA Strict Transport Security (MTA-STS) can also specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.
There are several requirements for utilizing MTA-STS in MDaemon:
- SSL, STARTTLS, and STLS must be enabled.
- A valid certificate from a trusted root authority must be in place for participating domains.
- TLS 1.2 or 1.3 support on the Windows server.
To set up MTA-STS for your own domain, you will need an MTA-STS policy file that can be downloaded via HTTPS from the URL https://mta-sts.company.test/.well-known/mta-sts.txt, where "company.test" is your domain name.
In your domain's DNS manger, create an A record for your domain using mta-sts for the name and static IP address of the MDaemon server for the content.
Create a new TXT record in your DNS manager. Use _mta-sts as the record name. Enter v=STSv1; id=20220408T010101; for the record's content. The value for id must be changed every time the policy file is changed. It is common to use a timestamp for the id.
Using a text editor, create your policy file. The policy text file should contain lines in the following format:
version: STSv1
mode: testing
mx: mail.company.test
max_age: 86400
- Mode can be none, testing, or enforce.
- none - The sending server should the policy domain as through it does not have an active policy.
- testing - Messages may still be delivered as though there were no MTA-STS validation failure.
- enforce - Sending servers must not deliver the message to hosts that fail MX matching or certificate validation or do not support STARTTLS
- There should be an "mx:" line for each of your MX hostnames.
- A wildcard can be used for subdomains, such as *.company.test.
- Max age is in seconds. Common values are 86400 (1 day) and 604800 (1 week).
- Place the policy text file in the \MDaemon\WorldClient\HTML\.well-known\ directory on the server where MDaemon is installed.
Verify the mta-sts.txt policy file is available by opening a browser and navigate to https://mta-sts.company.test/.well-known/mta-sts.txt. If the policy is displayed, the configuration is complete.