pmeerw's blog

16 Feb 2022

Email security: SMTP MTA Strict Transport Security (MTA-STS)

RFC 8461 proposes a mechanism for mail domains to declare their ability to receive TLS-secured SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

The idea is that, once MTA-STS is properly configured, the sender enforces STARTTLS with a valid TLS session (at least TLS 1.2 and a valid certificate matching the hostname of the inbound MX server):

  1. Create a DNS TXT record: _mta-sts.pmeerw.net
  2. Publish a text file at https://mta-sts.pmeerw.net/.well-known/mta-sts.txt listing all MX servers

See uriport's MTA-STS explanation and use e.g. Luxsci's configuration checker.
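As an added example (not code from the original post), the following Python models the sender-side decision described above: it parses an RFC 8461 policy file and, in enforce mode, refuses delivery unless the MX host is listed, the session uses TLS 1.2 or newer and the certificate matches the MX hostname. The policy text, hostnames and certificate names are constructed sample data.

```python
# Added example: sender-side MTA-STS policy check modelled on RFC 8461.
# All hostnames, certificate SANs and the policy body are constructed samples.

POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.net
mx: *.backup.example.net
max_age: 604800
"""

def parse_policy(text):
    """Parse a mta-sts.txt body into a dict; every 'mx:' line is collected."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def host_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label
    (the rule RFC 8461 uses for mx entries and RFC 6125 for certificate names)."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def may_deliver(policy, mx_host, tls_version, cert_sans):
    """Return (deliver, problems) for a connection to mx_host.

    tls_version is a (major, minor) tuple or None when STARTTLS was not offered.
    In 'enforce' mode any problem blocks delivery; 'testing' and 'none' only
    report problems (a real sender would send a TLSRPT report instead)."""
    problems = []
    if not any(host_matches(p, mx_host) for p in policy["mx"]):
        problems.append("mx host not in policy")
    if tls_version is None or tls_version < (1, 2):
        problems.append("STARTTLS missing or TLS < 1.2")
    if not any(host_matches(san, mx_host) for san in cert_sans):
        problems.append("certificate does not match MX hostname")
    enforce = policy.get("mode") == "enforce"
    return (not problems) or (not enforce), problems
```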

posted at: 18:00 | path: /configuration