Hello everyone,
- MTA-STS (Mail Transfer Agent Strict Transport Security) -
How do I generate/set a wildcard Let's Encrypt cert, or generate one for mta-sts.domain.name, in order to become compliant with the Mail Transfer Agent Strict Transport Security e-mail policy?
I have free web hosting (100 MB) and 5 GB of e-mail with OVH, and that is plenty for this domain/project, but as e-mail is an important part of the domain I would like to have MTA-STS set up properly. Without a wildcard cert for the domain or a valid mta-sts.domain.name cert, MTA-STS does not work and the subdomain picks up the cert for cluster0XX.hosting.ovh.net when requesting:
https://mta-sts.domain.name/.well-known/mta-sts.txt
I have looked around but was unable to find settings that would allow me to do so.
To explain: to set up MTA-STS one needs to:
1] Create the sub-domain "mta-sts":
mta-sts.domain.name.   CNAME   @
2] Generate an SSL certificate for the subdomain (if not using a * wildcard cert on the website):
"mta-sts.domain.name"
3] Create a DNS TXT record:
_mta-sts   TXT
version: STSv1
mode: enforce
mx: mx1.mail.ovh.net
mx: mx2.mail.ovh.net
mx: mx3.mail.ovh.net
max_age: 604800
4] Create the ".well-known/mta-sts.txt" file at:
https://mta-sts.domain.name/.well-known/mta-sts.txt
with the following text:
version: STSv1
mode: enforce
mx: mx1.mail.ovh.net
mx: mx2.mail.ovh.net
mx: mx3.mail.ovh.net
max_age: 86401
5] While you are at it, you should also consider creating a TLS-RPT record:
_smtp._tls   TXT
v=TLSRPTv1; rua=mailto:tls-report@domain.name,mailto:mts-sts@domain.name
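Added example (not from the original post): an offline validator in Python for the pieces configured above, the _mta-sts TXT record, the policy file and the hostname on the HTTPS certificate, following RFC 8461. The sample records and the *.hosting.ovh.net / cluster0XX certificate names are constructed placeholders.

```python
import re

# RFC 8461 s3.1: the _mta-sts TXT record carries only a version and a policy id,
# e.g. "v=STSv1; id=20240501T120000;". Policy-file syntax placed here is rejected.
STS_TXT_RE = re.compile(r"^\s*v=STSv1\s*;\s*id=([A-Za-z0-9]{1,32})\s*;?\s*$")

def parse_sts_txt(record: str):
    """Return the policy id from a _mta-sts TXT record, or None if it is malformed."""
    m = STS_TXT_RE.match(record)
    return m.group(1) if m else None

def parse_policy(text: str) -> dict:
    """Parse /.well-known/mta-sts.txt (RFC 8461 s3.2); 'mx' collects every mx line."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy must declare 'version: STSv1'")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > 31557600:
        raise ValueError("max_age must be an integer no larger than 31557600")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required unless mode is none")
    return policy

def cert_matches_host(cert_names, host: str) -> bool:
    """True if a SAN covers host. A wildcard covers exactly one left-most label, so
    '*.domain.name' covers mta-sts.domain.name but a shared '*.hosting.ovh.net' cannot."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == host or (name.startswith("*.") and host.partition(".")[2] == name[2:]):
            return True
    return False

# Constructed samples (placeholder names, not a real deployment).
GOOD_TXT = "v=STSv1; id=20240501T120000;"
POLICY_IN_DNS = "version: STSv1 mode: enforce mx: mx1.mail.ovh.net max_age: 604800"
POLICY_FILE = "version: STSv1\nmode: enforce\nmx: mx1.mail.ovh.net\nmx: mx2.mail.ovh.net\nmax_age: 86401\n"
HOSTING_CERT = ["*.hosting.ovh.net", "cluster0XX.hosting.ovh.net"]  # cert the subdomain picks up
```

A record for which parse_sts_txt returns None, or a certificate that cert_matches_host rejects, means sending servers will not fetch or trust the policy, so check both before setting mode: enforce.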