Maddy: Difference between revisions

imported>Onny
Update autoconfig DNS record example
imported>Onny
Add instructions how to setup DANE
Line 66: Line 66:
Now that your server also runs a DNS daemon besides the mail server, you have to configure it as the external nameserver of your domain <code>example.org</code>. Please consult your domain provider on how to do that.
Now that your server also runs a DNS daemon besides the mail server, you have to configure it as the external nameserver of your domain <code>example.org</code>. Please consult your domain provider on how to do that.


=== MTA-STS ===
=== MTA-STS & DANE ===


MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can [[Category:Web_Servers use others too]].
MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can [[Category:Web_Servers use others too]].
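Review bot: the heading now reads "MTA-STS & DANE", but the section intro still only explains MTA-STS; add one sentence here that says what DANE adds (a DNSSEC-signed TLSA record that pins the certificate or public key the MX presents on port 25), so the reader knows why both mechanisms are configured in this section. Unrelated but visible in the same context: `[[Category:Web_Servers use others too]]` is a broken wikilink and will file the page under that category instead of linking to it; it should be `[[:Category:Web_Servers|use others too]]`.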
Line 92: Line 92:


Replace the domain <code>mta-sts.example.org</code> and  the domain <code>mx1.example.org</code> with the ones you're using.
Replace the domain <code>mta-sts.example.org</code> and  the domain <code>mx1.example.org</code> with the ones you're using.
Using a TLSA (DANE) record is recommended to bind TLS-certificates to a server. You can generate the key using following command
<syntaxhighlight lang="console">
nix shell nixpkgs#hash-slinger --command tlsa --create faecherstadt-consulting.de
</syntaxhighlight>
Your nameserver needs DNSSEC support for it. Add the key to a new TLSA record in your nameserver
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
services.nsd.zones."example.org.".data = ''
  [...]
  _25._tcp.mx1.example.org. TLSA 3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96e3498238
'';
</nowiki>}}


=== Managing users and inboxes ===
=== Managing users and inboxes ===
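Review bot: the example command uses `faecherstadt-consulting.de`, while every other line of the section uses `example.org` / `mx1.example.org`; the record is for the MX host, so the command should target `mx1.example.org` and pass the SMTP port (hash-slinger's `tlsa --create` takes a `--port` option; without it the tool inspects a different service's certificate than the one maddy serves on port 25). The wording "generate the key" and "Add the key to a new TLSA record" is misleading: the command does not create a key, it fetches the server's live certificate and prints a TLSA record whose last field is the SHA-256 of the certificate's public key, so the `7f59d873...` value shown is the author's own and readers must paste their own output instead. Two caveats worth a sentence each: the TLSA name `_25._tcp.mx1.example.org.` must be the exact MX hostname and the zone must be DNSSEC-signed and published before the record goes live, and with usage/selector "3 1 1" (DANE-EE, SPKI) the record must be regenerated whenever the key pair changes, e.g. on a certificate renewal that issues a new key, otherwise DANE-validating senders will refuse to deliver mail to the host.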