MTA-STS
Recently I added MTA-STS support to one of my domains, and it turns out that this was easier than expected.
MTA-STS is used to tell mail senders that your server supports TLS. And then you can define the policy for your server and tell them that they should only use TLS (resp. STARTTLS) when connecting to you and not fall back to unencrypted SMTP.
The way this works is with two components:
- a special
_mta-sts.<your-site.com>
TXT DNS entry indicating that your domain supports MTA-STS and the version number of your MTA-STS policy - a mta-sts.txt file served under a specific well-known URL
https://mta-sts.<your-site.com>/.well-known/mta-sts.txt
containing your MTA-STS policy (which mx hosts it is valid for, should it be run in enforcing or testing mode, max-age etc.)
The idea is that a mail sender checks your MTA-STS policy through protected channels (DNSSEC, HTTPS) and then never sends mails to you in plaintext (similar approach as HSTS for HTTP but this time between mail servers).
To setup the MTA-STS configuration, I followed this Enable MTA-STS in 5 Minutes with NGINX guide from Yoonsik Park.
Then to check my configuration I used this MTA-STS validator (which is an opensource project available on GitHub), the classic checktls.com //email/testTo: tool (MTA-STS checking needs to be explicitly enabled under 'More Options') and the free testing service provided by Hardenize.