commit ac7eb3c3239c333fea2adb454fe6c04888e6fbef
Author: ENDRENCE LETERNET
Date: Sun Jun 8 13:52:10 2025 +0600
Initial commit
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..7a74ec0
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,22 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+
+# CSV, Markdown, and Text files
+[*.{csv,md,txt}]
+trim_trailing_whitespace = true
+
+# JSON and XML files
+[*.{json,xml,yml,code-workspace}]
+indent_style = space
+indent_size = 2
+
+# Matches the exact file .editorconfig
+[.editorconfig]
+indent_style = space
+indent_size = 2
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..8f7bece
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,10 @@
+# Set the default behavior, in case people don't have core.autocrlf set.
+* text=auto
+
+# Set svg to binary type, as SVG is unlikely to be editted by hand. Can be treated as checked in blob
+*.svg binary
+
+# Denote all files that are truly binary and should not be modified.
+*.png binary
+*.jpg binary
+*.pdf binary
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7e98175
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,116 @@
+# Created by https://www.toptal.com/developers/gitignore/api/git,linux,macos,windows,visualstudiocode,dotenv
+# Edit at https://www.toptal.com/developers/gitignore?templates=git,linux,macos,windows,visualstudiocode,dotenv
+
+### dotenv ###
+.env
+
+### Git ###
+# Created by git for backups. To disable backups in Git:
+# $ git config --global mergetool.keepBackup false
+*.orig
+
+# Created by git when using merge tools for conflicts
+*.BACKUP.*
+*.BASE.*
+*.LOCAL.*
+*.REMOTE.*
+*_BACKUP_*.txt
+*_BASE_*.txt
+*_LOCAL_*.txt
+*_REMOTE_*.txt
+
+### Linux ###
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### macOS Patch ###
+# iCloud generated files
+*.icloud
+
+### VisualStudioCode ###
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+!.vscode/PSScriptAnalyzerSettings.psd1
+!.vscode/PSScriptAnalyzerCustomRules.ps1
+
+# Local History for Visual Studio Code
+.history/
+
+# Built Visual Studio Code Extensions
+*.vsix
+
+### VisualStudioCode Patch ###
+# Ignore all local history of files
+.history
+.ionide
+
+### Windows ###
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+# End of https://www.toptal.com/developers/gitignore/api/git,linux,macos,windows,visualstudiocode,dotenv
diff --git a/.markdownlint.json b/.markdownlint.json
new file mode 100644
index 0000000..d0f88fc
--- /dev/null
+++ b/.markdownlint.json
@@ -0,0 +1,6 @@
+{
+ "MD012": false,
+ "MD013": false,
+ "MD033": false,
+ "MD041": false
+}
diff --git a/.nojekyll b/.nojekyll
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/.nojekyll
@@ -0,0 +1 @@
+
diff --git a/.well-known/index.html b/.well-known/index.html
new file mode 100644
index 0000000..e1a2af3
--- /dev/null
+++ b/.well-known/index.html
@@ -0,0 +1,6 @@
+
+
+
+Redirecting to mta-sts.txt
+
+
diff --git a/.well-known/mta-sts.txt b/.well-known/mta-sts.txt
new file mode 100644
index 0000000..8530a9e
--- /dev/null
+++ b/.well-known/mta-sts.txt
@@ -0,0 +1,7 @@
+version: STSv1
+mode: [enforce|testing|none] # 1. Decide your mode.
+mx: mx1.your_domain.tld # 2. Add your primary mailserver hostname (see MX records in your DNS)
+mx: mx2.your_domain.tld # 3. If you have secondary mailservers, add one line for each.
+ # In case all servers share the same subdomain, you may also use wildcards like *.mail.protection.outlook.com
+max_age: 1209600 # 4. Depending on your mode above, 1209600 seconds = 2 weeks might be a good value.
+ # 5. Remove all the comments (if that wasn't obvious to you).
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000..49bcb17
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
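Review bot: As committed, `.well-known/mta-sts.txt` is not a parseable RFC 8461 policy: the bracketed `mode: [enforce|testing|none]` placeholder is not one of the three permitted mode values, and the policy format has no `#` comment syntax, so a fork that is published before the file is edited (step 5 asks the user to strip the comments) serves something senders will most likely treat as a failed policy fetch rather than a conservative policy. Consider shipping a syntactically valid default, e.g. `mode: testing`, and moving the five numbered instructions into the README, which already walks through the setup, leaving only the `your_domain.tld` MX placeholders to edit. Starting in `testing` together with the TLSRPT record the README recommends in step 7 gives visibility into delivery failures before the domain is switched to `enforce`.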
@@ -0,0 +1,125 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+ and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+ overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+ advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+ address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Any instances of abuse, harassment, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement [here](https://github.com/jpawlowski/mta-sts.template#author).
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.
diff --git a/LICENSE.md b/LICENSE.md
new file mode 100644
index 0000000..97734e4
--- /dev/null
+++ b/LICENSE.md
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright @ 2024 Julian Pawlowski
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7ebcc24
--- /dev/null
+++ b/README.md
@@ -0,0 +1,66 @@
+

+
+ 📩 A Template to host an MTA-STS Policy file on GitHub +
+

+ +

Use this template to host your MTA Strict Transport Security (MTA-STS) [RFC 8461] policy file on GitHub Pages.

+ +

+ How To Use • + License • + Author +

+
+MTA-STS is a security standard to secure e-mail delivery. E-mail servers that send inbound e-mail to your domain will be able to detect that your e-mail server supports SMTP-over-TLS via `STARTTLS` (also known as [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS)) before opening the actual connection.
+
+In case the sending e-mail server is not able to initiate a secure connection, it will end the connection to enforce transport layer encryption. This mitigates [Man-in-the-middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) DNS and SMTP [downgrade attacks](https://en.wikipedia.org/wiki/Downgrade_attack) that would allow an attacker to read or manipulate e-mail in transit.
+
+## How To Use
+
+1. Make sure you are [signed in to GitHub](https://github.com/login). Then click on [**Use this template**](https://github.com/jpawlowski/mta-sts.template/generate) to create a copy to your own GitHub profile (see [GitHub Docs](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-repository-from-a-template)). Don't _clone_ the repository.
+ You may name your repository whatever you like. For simplicity, you can name it `mta-sts.`.
+
+2. Change the file `.well-known/mta-sts.txt` according to your needs.
+
+3. Create a `CNAME` record for `mta-sts.` in your domain's DNS that points to `.github.io` or `.github.io` and [enable GitHub Pages](https://docs.github.com/articles/using-a-custom-domain-with-github-pages/).
+
+4. Open a browser to `https://mta-sts.` and make sure it does not show any certificate warnings.
+
+5. Create a `TXT` record for `_mta-sts.` in your domain's DNS to enable the MTA-STS policy for your domain.
+
+ You may copy & paste this to your DNS provider:
+
+ ```dns
+ #HOST #TTL #TYPE #VALUE
+ _mta-sts 3600 TXT "v=STSv1; id=20220317000000Z"
+ ```
+
+ **Note that you will need to change the `id=` here whenever you make changes to your `mta-sts.txt` policy file.**
+
+6. Validate your setup, for example by using the [MTA-STS Lookup by MXToolBox](https://mxtoolbox.com/mta-sts.aspx), or looking into your [Hardenize Public Report](https://www.hardenize.com/).
+
+_Optional (but **highly recommended**):_
+
+7. Create another `TXT` record for `_smtp._tls.` in your domain's DNS to enable reporting (see [RFC 8460](https://datatracker.ietf.org/doc/html/rfc8460)).
+ You may copy & paste this to your DNS provider:
+
+ ```dns
+ #HOST #TTL #TYPE #VALUE
+ _smtp._tls 3600 TXT "v=TLSRPTv1; rua=mailto:tls-rua@mailcheck."
+ ```
+
+ Note that the e-mail recipient mailbox shall be on a different domain _without_ MTA-STS being configured. This could be a subdomain like `mailcheck.`.
+ It is also quite painful to manually deal with the reports other e-mail providers will send to you. For that particular reason, you may want to consider sending these e-mails to a 3rd-party tool like [Report URI](https://report-uri.com/), [URIports](https://www.uriports.com/), or from other commercial providers.
+
+ You probably want this to be the same tool you might use for DMARC reports, like [DMARC Analyzer](https://www.dmarcanalyzer.com/) or [Dmarcian](https://dmarcian.com/).
+
+## License
+
+[MIT License](https://github.com/jpawlowski/mta-sts.template/blob/gh-pages/LICENSE)
+
+## Author
+
+[julian.pawlowski.me](https://julian.pawlowski.me/)  ·  
+GitHub [@jpawlowski](https://github.com/jpawlowski/mta-sts.template)  ·  
+Mastodon [@Loredo@chaos.social](https://chaos.social/@Loredo)
diff --git a/_config.yml b/_config.yml
new file mode 100644
index 0000000..68730c9
--- /dev/null
+++ b/_config.yml
@@ -0,0 +1 @@
+include: [".well-known"]
diff --git a/index.html b/index.html
new file mode 100644
index 0000000..a6781ba
--- /dev/null
+++ b/index.html
@@ -0,0 +1,6 @@
+
+
+
+Redirecting to .well-known/mta-sts.txt
+
+
diff --git a/robots.txt b/robots.txt
new file mode 100644
index 0000000..1f53798
--- /dev/null
+++ b/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /
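Review bot: The `include: [".well-known"]` line in `_config.yml` looks like dead configuration in this commit, because the same commit also adds an empty root `.nojekyll`, which as far as I know makes GitHub Pages skip the Jekyll build that would otherwise drop the dot-prefixed directory; with Jekyll bypassed, `_config.yml` is not consulted. Keeping both is harmless, but the intent should be written down so the next maintainer does not delete the wrong one, e.g. a comment above the line: `# Only consulted if .nojekyll is ever removed: stops Jekyll from excluding the dot-directory that holds the MTA-STS policy`. The README's "How To Use" section mentions neither file, so that comment is currently the only place the dependency between them can live.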