cPanel – Configuring Mail Transfer Agent Strict Transport Security (MTA-STS)
For further explanation read the following article: configuring-mail-transfer-agent-strict-transport-security-mta-sts.
Step 1: DNS TXT Record Configuration
Add a TXT record to your domain's DNS zone:
_mta-sts.your-domain IN TXT "v=STSv1; id=12345678"
v is the protocol version (currently STSv1); id is an alphanumeric identifier shorter than 32 characters. Change the id every time you change the policy file: sending MTAs compare it with the id of their cached copy to decide whether to fetch the policy again.
Step 2: DNS A Record Configuration
Point the mta-sts subdomain at the web server that will host the policy file (A record data is not quoted in a zone file):
mta-sts.your-domain IN A 1.2.3.4
Step 3: Policy File Configuration
Create the .well-known directory under the document root of the mta-sts subdomain and place the mta-sts.txt file in it:
mkdir -p /home/your-domain/public_html/mta-sts/.well-known
Contents of /home/your-domain/public_html/mta-sts/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
mx: mail1.your-domain
mx: mail2.your-domain
max_age: 604800
Each mx entry must match a hostname in the certificate presented by that MX server (a wildcard such as mx: *.your-domain matches exactly one label). mode: testing makes senders report failures without affecting delivery; mode: enforce makes them refuse to deliver over a connection that fails TLS validation. max_age is the policy cache lifetime in seconds.
Step 4: TLS Reporting (Optional)
If you want to receive reports on failed TLS connections, add a TLSRPT TXT record (RFC 8460) at the _smtp._tls label; it must not be placed at _mta-sts, which is reserved for the policy record:
_smtp._tls.your-domain IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@your-domain"
Step 5: Secure Web Server Configuration
Ensure your web server serves the mta-sts.txt file over HTTPS with Content-Type text/plain and a certificate that is valid for mta-sts.your-domain and issued by a publicly trusted CA; sending MTAs discard the policy if certificate validation fails:
Generate a valid SSL certificate with OpenSSL (a CSR signed by a trusted CA) or Let's Encrypt.
Step 6: Test and Verify
After setting up, wait for DNS propagation, then test:
- Use a web browser to access https://mta-sts.your-domain/.well-known/mta-sts.txt to ensure the policy file is accessible over HTTPS without certificate warnings.
- Check with online tools or your email provider to verify MTA-STS is correctly configured.
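Before relying on online tools, the records and the policy file from steps 1 to 4 can be checked for syntax and consistency locally. The following script is an added example and is not part of the original article or of cPanel; it uses constructed records for a hypothetical example.com and does no DNS or HTTPS lookups. It applies the RFC 8461 rules for the TXT record, the policy fields and MX matching (a wildcard covers exactly one left-hand label), and the RFC 8460 rules for the TLSRPT record, then lists every MX host that the policy would fail to cover in enforce mode.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs (hypothetical domain, not records from the original page)
MTA_STS_TXT = "v=STSv1; id=20240601120000"
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
POLICY_BODY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail1.example.com\r\n"
    "mx: *.example.com\r\n"
    "max_age: 604800\r\n"
)
MX_HOSTS = ["mail1.example.com", "mail3.example.com"]  # hypothetical MX RRset of example.com


def parse_kv_txt(record: str) -> Dict[str, str]:
    """Split a 'k=v; k2=v2' style TXT record into a dict."""
    fields: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed TXT field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def check_mta_sts_txt(record: str) -> List[str]:
    """Problems with the _mta-sts TXT record; an empty list means it is well-formed."""
    fields = parse_kv_txt(record)
    problems = []
    if fields.get("v") != "STSv1":
        problems.append("v must be STSv1")
    # RFC 8461: id is 1 to 32 alphanumeric characters and must change with every policy update
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        problems.append("id must be 1-32 alphanumeric characters")
    return problems


def check_tlsrpt_txt(record: str) -> List[str]:
    """Problems with the _smtp._tls TXT record (RFC 8460)."""
    fields = parse_kv_txt(record)
    problems = []
    if fields.get("v") != "TLSRPTv1":
        problems.append("v must be TLSRPTv1")
    uris = [u.strip() for u in fields.get("rua", "").split(",") if u.strip()]
    if not uris:
        problems.append("rua must list at least one reporting address")
    problems += [f"unsupported rua URI: {u}" for u in uris
                 if not (u.startswith("mailto:") or u.startswith("https://"))]
    return problems


def parse_policy(body: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse mta-sts.txt into (scalar fields, list of mx patterns); accepts CRLF or LF."""
    scalars: Dict[str, str] = {}
    mx: List[str] = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            mx.append(value)
        else:
            scalars[key] = value
    return scalars, mx


def check_policy(scalars: Dict[str, str], mx: List[str]) -> List[str]:
    """Semantic checks on the parsed policy fields."""
    problems = []
    if scalars.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = scalars.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    # RFC 8461 caps max_age at 31557600 seconds (one year)
    if not scalars.get("max_age", "").isdigit() or int(scalars["max_age"]) > 31557600:
        problems.append("max_age must be an integer of at most 31557600 seconds")
    if mode != "none" and not mx:
        problems.append("at least one mx line is required")
    return problems


def mx_matches(patterns: List[str], hostname: str) -> bool:
    """RFC 8461 matching: exact hostname, or '*.suffix' covering exactly one left-hand label."""
    host = hostname.lower().rstrip(".")
    for pattern in patterns:
        pat = pattern.lower().rstrip(".")
        if pat.startswith("*."):
            suffix = pat[1:]  # ".example.com"
            head = host[: -len(suffix)] if host.endswith(suffix) else ""
            if head and "." not in head:
                return True
        elif host == pat:
            return True
    return False


def validate_deployment(sts_txt: str, tlsrpt_txt: str, policy_body: str, mx_hosts: List[str]) -> List[str]:
    """Aggregate every problem across the two records, the policy and the real MX hosts."""
    scalars, mx = parse_policy(policy_body)
    problems = check_mta_sts_txt(sts_txt) + check_tlsrpt_txt(tlsrpt_txt) + check_policy(scalars, mx)
    # an MX not covered by an mx line would be refused by senders once mode is enforce
    problems += [f"MX {h} is not covered by any mx line" for h in mx_hosts if not mx_matches(mx, h)]
    return problems


if __name__ == "__main__":
    for issue in validate_deployment(MTA_STS_TXT, TLSRPT_TXT, POLICY_BODY, MX_HOSTS) or ["deployment looks consistent"]:
        print(issue)
```

Run it against your own records by replacing the constructed constants with the TXT values, the policy file contents and the MX hostnames of your domain; an empty result only means the data is internally consistent, so the HTTPS fetch and certificate checks above are still required.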
Conclusion
By implementing MTA-STS, you significantly enhance your email server's security: sending MTAs that honour the policy deliver to your domain only over TLS with a validated certificate, which defeats STARTTLS downgrade and certificate spoofing on the path to your MX. Remember to keep your certificates up to date (both the web certificate for mta-sts.your-domain and the certificates on your MX servers, since an expired one will block inbound mail in enforce mode) and monitor your TLS reports for any issues. This step not only protects your communications but also builds trust with senders, ensuring that your domain is seen as secure and reliable.
Source : https://www.rfc-editor.org/rfc/pdfrfc/rfc8461.txt.pdf