Lewsion/mta-sts
3
0
Fork 0
mirror of https://github.com/Lewsion/mta-sts.git synced 2025-12-22 01:25:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Endrence Leternet
2025-06-08 13:52:10 +06:00
committed by GitHub
commit ac7eb3c323
13 changed files with 389 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
.editorconfig Normal file
View File

@@ -0,0 +1,22 @@
# EditorConfig is awesome: https://EditorConfig.org
# top-most EditorConfig file
root = true
# Unix-style newlines with a newline ending every file
[*]
end_of_line = lf
# CSV, Markdown, and Text files
[*.{csv,md,txt}]
trim_trailing_whitespace = true
# JSON and XML files
[*.{json,xml,yml,code-workspace}]
indent_style = space
indent_size = 2
# Matches the exact file .editorconfig
[.editorconfig]
indent_style = space
indent_size = 2

10
.gitattributes vendored Normal file
View File

@@ -0,0 +1,10 @@
# Set the default behavior, in case people don't have core.autocrlf set.
* text=auto
# Set svg to binary type, as SVG is unlikely to be editted by hand. Can be treated as checked in blob
*.svg binary
# Denote all files that are truly binary and should not be modified.
*.png binary
*.jpg binary
*.pdf binary

116
.gitignore vendored Normal file
View File

@@ -0,0 +1,116 @@
# Created by https://www.toptal.com/developers/gitignore/api/git,linux,macos,windows,visualstudiocode,dotenv
# Edit at https://www.toptal.com/developers/gitignore?templates=git,linux,macos,windows,visualstudiocode,dotenv
### dotenv ###
.env
### Git ###
# Created by git for backups. To disable backups in Git:
# $ git config --global mergetool.keepBackup false
*.orig
# Created by git when using merge tools for conflicts
*.BACKUP.*
*.BASE.*
*.LOCAL.*
*.REMOTE.*
*_BACKUP_*.txt
*_BASE_*.txt
*_LOCAL_*.txt
*_REMOTE_*.txt
### Linux ###
*~
# temporary files which can be created if a process still has a handle open of a deleted file
.fuse_hidden*
# KDE directory preferences
.directory
# Linux trash folder which might appear on any partition or disk
.Trash-*
# .nfs files are created when an open file is removed but is still being accessed
.nfs*
### macOS ###
# General
.DS_Store
.AppleDouble
.LSOverride
# Icon must end with two \r
Icon
# Thumbnails
._*
# Files that might appear in the root of a volume
.DocumentRevisions-V100
.fseventsd
.Spotlight-V100
.TemporaryItems
.Trashes
.VolumeIcon.icns
.com.apple.timemachine.donotpresent
# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk
### macOS Patch ###
# iCloud generated files
*.icloud
### VisualStudioCode ###
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
!.vscode/*.code-snippets
!.vscode/PSScriptAnalyzerSettings.psd1
!.vscode/PSScriptAnalyzerCustomRules.ps1
# Local History for Visual Studio Code
.history/
# Built Visual Studio Code Extensions
*.vsix
### VisualStudioCode Patch ###
# Ignore all local history of files
.history
.ionide
### Windows ###
# Windows thumbnail cache files
Thumbs.db
Thumbs.db:encryptable
ehthumbs.db
ehthumbs_vista.db
# Dump file
*.stackdump
# Folder config file
[Dd]esktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Windows Installer files
*.cab
*.msi
*.msix
*.msm
*.msp
# Windows shortcuts
*.lnk
# End of https://www.toptal.com/developers/gitignore/api/git,linux,macos,windows,visualstudiocode,dotenv

6
.markdownlint.json Normal file
View File

@@ -0,0 +1,6 @@
{
"MD012": false,
"MD013": false,
"MD033": false,
"MD041": false
}

1
.nojekyll Normal file
View File

@@ -0,0 +1 @@

6
.well-known/index.html Normal file
View File

@@ -0,0 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8">
<meta name="robots" content="noindex">
<title>Redirecting to mta-sts.txt</title>
<meta http-equiv="refresh" content="0; URL=mta-sts.txt">
<link rel="canonical" href="mta-sts.txt">

7
.well-known/mta-sts.txt Normal file
View File

@@ -0,0 +1,7 @@
version: STSv1
mode: [enforce|testing|none] # 1. Decide your mode.
mx: mx1.your_domain.tld # 2. Add your primary mailserver hostname (see MX records in your DNS)
mx: mx2.your_domain.tld # 3. If you have secondary mailservers, add one line for each.
# In case all servers share the same subdomain, you may also use wildcards like *.mail.protection.outlook.com
max_age: 1209600 # 4. Depending on your mode above, 1209600 seconds = 2 weeks might be a good value.
# 5. Remove all the comments (if that wasn't obvious to you).

125
CODE_OF_CONDUCT.md Normal file
View File

@@ -0,0 +1,125 @@
# Contributor Covenant Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, religion, or sexual identity
and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.
## Our Standards
Examples of behavior that contributes to a positive environment for our
community include:
* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience
* Focusing on what is best not just for us as individuals, but for the
overall community
Examples of unacceptable behavior include:
* The use of sexualized language or imagery, and sexual attention or
advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email
address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Enforcement Responsibilities
Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.
Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.
## Scope
This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.
## Enforcement
Any instances of abuse, harassment, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement [here](https://github.com/jpawlowski/mta-sts.template#author).
All complaints will be reviewed and investigated promptly and fairly.
## Enforcement Guidelines
Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:
### 1. Correction
**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.
**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.
### 2. Warning
**Community Impact**: A violation through a single incident or series
of actions.
**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or
permanent ban.
### 3. Temporary Ban
**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.
**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.
### 4. Permanent Ban
**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.
**Consequence**: A permanent ban from any sort of public interaction within
the community.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.0, available at
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
Community Impact Guidelines were inspired by [Mozilla's code of conduct
enforcement ladder](https://github.com/mozilla/diversity).
[homepage]: https://www.contributor-covenant.org
For answers to common questions about this code of conduct, see the FAQ at
https://www.contributor-covenant.org/faq. Translations are available at
https://www.contributor-covenant.org/translations.

21
LICENSE.md Normal file
View File

@@ -0,0 +1,21 @@
MIT License
Copyright @ 2024 Julian Pawlowski
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

66
README.md Normal file
View File

@@ -0,0 +1,66 @@
<h1 align="center">
<br>
📩 A Template to host an MTA-STS Policy file on GitHub
<br>
</h1>
<h4 align="center">Use this template to host your <i>MTA Strict Transport Security (MTA-STS)</i> <a href="https://datatracker.ietf.org/doc/html/rfc8461">[RFC 8461]</a> policy file on GitHub Pages.</h4>
<p align="center">
<a href="#how-to-use">How To Use</a> •
<a href="#license">License</a> •
<a href="#author">Author</a>
</p>
MTA-STS is a security standard to secure e-mail delivery. E-mail servers that send inbound e-mail to your domain will be able to detect that your e-mail server supports SMTP-over-TLS via `STARTTLS` (also known as [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS)) before opening the actual connection.
In case the sending e-mail server is not able to initiate a secure connection, it will end the connection to enforce transport layer encryption. This mitigates [Man-in-the-middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) DNS and SMTP [downgrade attacks](https://en.wikipedia.org/wiki/Downgrade_attack) that would allow an attacker to read or manipulate e-mail in transit.
## How To Use
1. Make sure you are [signed in to GitHub](https://github.com/login). Then click on [**Use this template**](https://github.com/jpawlowski/mta-sts.template/generate) to create a copy to your own GitHub profile (see [GitHub Docs](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-repository-from-a-template)). Don't _clone_ the repository.
You may name your repository whatever you like. For simplicity, you can name it `mta-sts.<your_domain.tld>`.
2. Change the file `.well-known/mta-sts.txt` according to your needs.
3. Create a `CNAME` record for `mta-sts.<your_domain.tld>` in your domain's DNS that points to `<your_username>.github.io` or `<your_organization>.github.io` and [enable GitHub Pages](https://docs.github.com/articles/using-a-custom-domain-with-github-pages/).
4. Open a browser to `https://mta-sts.<your_domain.tld>` and make sure it does not show any certificate warnings.
5. Create a `TXT` record for `_mta-sts.<your_domain.tld>` in your domain's DNS to enable the MTA-STS policy for your domain.
You may copy & paste this to your DNS provider:
```dns
#HOST #TTL #TYPE #VALUE
_mta-sts 3600 TXT "v=STSv1; id=20220317000000Z"
```
**Note that you will need to change the `id=` here whenever you make changes to your `mta-sts.txt` policy file.**
6. Validate your setup, for example by using the [MTA-STS Lookup by MXToolBox](https://mxtoolbox.com/mta-sts.aspx), or looking into your [Hardenize Public Report](https://www.hardenize.com/).
_Optional (but **highly recommended**):_
7. Create another `TXT` record for `_smtp._tls.<your_domain.tld>` in your domain's DNS to enable reporting (see [RFC 8460](https://datatracker.ietf.org/doc/html/rfc8460)).
You may copy & paste this to your DNS provider:
```dns
#HOST #TTL #TYPE #VALUE
_smtp._tls 3600 TXT "v=TLSRPTv1; rua=mailto:tls-rua@mailcheck.<your_domain.tld>"
```
Note that the e-mail recipient mailbox shall be on a different domain _without_ MTA-STS being configured. This could be a subdomain like `mailcheck.<your_domain.tld>`.
It is also quite painful to manually deal with the reports other e-mail providers will send to you. For that particular reason, you may want to consider sending these e-mails to a 3rd-party tool like [Report URI](https://report-uri.com/), [URIports](https://www.uriports.com/), or from other commercial providers.
You probably want this to be the same tool you might use for DMARC reports, like [DMARC Analyzer](https://www.dmarcanalyzer.com/) or [Dmarcian](https://dmarcian.com/).
## License
[MIT License](https://github.com/jpawlowski/mta-sts.template/blob/gh-pages/LICENSE)
## Author
[julian.pawlowski.me](https://julian.pawlowski.me/) &nbsp;&middot;&nbsp;
GitHub [@jpawlowski](https://github.com/jpawlowski/mta-sts.template) &nbsp;&middot;&nbsp;
Mastodon [@Loredo@chaos.social](https://chaos.social/@Loredo)

1
_config.yml Normal file
View File

@@ -0,0 +1 @@
include: [".well-known"]

6
index.html Normal file
View File

@@ -0,0 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8">
<meta name="robots" content="noindex">
<title>Redirecting to .well-known/mta-sts.txt</title>
<meta http-equiv="refresh" content="0; URL=.well-known/mta-sts.txt">
<link rel="canonical" href=".well-known/mta-sts.txt">

2
robots.txt Normal file
View File

@@ -0,0 +1,2 @@
User-agent: *
Disallow: /