adrian
/
emailwiz
réplica de https://github.com/LukeSmithxyz/emailwiz.git
1
0
Fork 0
Código Incidencias 0 Lanzamientos 0 Wiki Actividad
Explorar el Código

Merge 371c18a482 into e48c4b7963

pull/315/merge
kedom hace 1 mes
committed by GitHub
padre
e48c4b7963 371c18a482
commit
9a66661652
No se encontró ninguna clave conocida en la base de datos para esta firma ID de clave GPG: B5690EEEBB952194
Se han modificado 1 ficheros con 41 adiciones y 0 borrados
Dividir vista
Opciones de diferencias
Mostrar estadísticas Descargar archivo de parche Descargar archivo de diferencias
  1. +41
    -0
      README.md

+ 41
- 0
README.md Ver fichero

@@ -117,6 +117,44 @@ email program. For my domain, the server information will be as follows:
- IMAP server: `mail.lukesmith.xyz`
- IMAP port: 993

## MTA-STS and DANE for improved security

### MTA-STS

By its very nature SMTP does not offer built-in security against man-in-the-middle attacks. To mitigate this risk, you can implement the MTA-STS policy, which instructs compatible senders to employ verified TLS encryption when communicating with your server.

To put this into practice, create a file named mta-sts.txt with the specified content and host it at `https://mta-sts.example.org/.well-known/`:

```
version: STSv1
mode: enforce
max_age: 604800
mx: mail.example.org
```

After that you need to add the following DNS records:

```
_mta-sts.example.org. TXT "v=STSv1; id=<id>"
_smtp._tls.example.org. TXT "v=TLSRPTv1;rua=mailto:postmaster@example.org"
```
`<id>` can be an arbitrary number but it's recommended to use the current unix timestamp (`date +%s`)

### DANE

It's also recommended to set up a TLSA (DNSSEC/DANE) record for further security enhancement. Go [here](https://ssl-tools.net/tlsa-generator) to generate a TLSA record. Set the port to 25, Transport Protocol to "tcp", and specify the MX hostname as the Domain Name.

After adding the TLSA DNS record you need to enable opportunistic DANE in postfix by doing the following:
```
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_dns_support_level = dnssec'
postconf -e 'smtp_tls_security_level = dane'

echo "dane unix - - n - - smtp
-o smtp_dns_support_level=dnssec
-o smtp_tls_security_level=dane" >> /etc/postfix/master.cf
```

## Benefited from this?

I am always glad to hear this script is still making life easy for people. If
@@ -134,3 +172,6 @@ Can't send or receive mail? Getting marked as spam? There are tools to double-ch
- [Test your TXT records via mail](https://appmaildev.com/en/dkim)
- [Is your IP blacklisted?](https://mxtoolbox.com/blacklists.aspx)
- [mxtoolbox](https://mxtoolbox.com/SuperTool.aspx)
- [Check overall mail/website](https://internet.nl/)
- [Another great mail checker](https://www.checktls.com/#Website)
- [Check DANE](https://www.huque.com/bin/danecheck)

Escribir Vista previa
Cargando…
Cancelar
Guardar