Maddy: Difference between revisions

Line 124:

Replace the IP <code>1.2.3.4</code> with the IP of your mail server.

=== MTA-STS ~~& DANE~~ ===

=== MTA-STS ===

MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can [[Category:Web_Servers use others too]].

Line 150:

Replace the domain <code>mta-sts.example.org</code> and the domain <code>mx1.example.org</code> with the ones you're using.

=== TLSA (DANE) ===

Using a TLSA (DANE) record is recommended to bind TLS-certificates to a server. Your nameserver needs DNSSEC support for it. You can generate the key using following command

Line 181:

Line 183:

_25._tcp.mx1.example.org. 10800 IN RRSIG TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw==

</syntaxhighlight>

To verify that the TLSA record matches the TLS certificate of the mail server, issue following openssl command

# openssl s_client -connect mx1.example.org:25 -starttls smtp -dane_tlsa_domain mx1.example.org -dane_tlsa_rrdata "3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96"

[...]

Verify return code: 0 (ok)

[...]

</syntaxhighlight>

Replace the hostnames and the TLSA hash according to your configuration.

=== Managing users and inboxes ===

@@ Line 124: / Line 124: @@
 Replace the IP <code>1.2.3.4</code> with the IP of your mail server.
-=== MTA-STS & DANE ===
+=== MTA-STS ===
 MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can [[Category:Web_Servers use others too]].
@@ Line 150: / Line 150: @@
 Replace the domain <code>mta-sts.example.org</code> and  the domain <code>mx1.example.org</code> with the ones you're using.
+=== TLSA (DANE) ===
 Using a TLSA (DANE) record is recommended to bind TLS-certificates to a server. Your nameserver needs DNSSEC support for it. You can generate the key using following command
@@ Line 181: / Line 183: @@
 _25._tcp.mx1.example.org. 10800 IN RRSIG	TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw==
 </syntaxhighlight>
+To verify that the TLSA record matches the TLS certificate of the mail server, issue following openssl command
+<syntaxhighlight lang="console">
+# openssl s_client -connect mx1.example.org:25 -starttls smtp -dane_tlsa_domain mx1.example.org -dane_tlsa_rrdata "3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96"
+[...]
+Verify return code: 0 (ok)
+[...]
+</syntaxhighlight>
+Replace the hostnames and the TLSA hash according to your configuration.
 === Managing users and inboxes ===