diff --git a/GEMINI.md b/GEMINI.md new file mode 100644 index 0000000..b55a09d --- /dev/null +++ b/GEMINI.md @@ -0,0 +1,27 @@ +# GEMINI.md + +## Directory Overview + +This directory contains the necessary files to host a Mail Transport Agent Strict Transport Security (MTA-STS) policy on GitHub Pages. The purpose of this project is to provide a simple and effective way to publish an MTA-STS policy, which helps to secure email delivery by enforcing TLS encryption. + +This is not a code project but rather a configuration-based setup for serving a static policy file. + +## Key Files + +* `.well-known/mta-sts.txt`: This is the core MTA-STS policy file. It defines the MTA-STS policy mode, mail servers, and the maximum age of the policy. +* `CNAME`: This file specifies the custom domain (`mta-sts.lewsion.com`) that is used for the GitHub Pages site. +* `index.html`: This file acts as a simple redirect to the `mta-sts.txt` policy file, ensuring that visitors to the root of the site are directed to the policy. +* `_config.yml`: This is a Jekyll configuration file that is used by GitHub Pages. In this project, it is configured to ensure that the `.well-known` directory is included when the site is built. +* `README.md`: This file provides detailed instructions on how to use this repository as a template to host your own MTA-STS policy. + +## Usage + +The contents of this directory are intended to be used as a template for publishing an MTA-STS policy. To use this project, you would typically: + +1. Fork this repository or use it as a template. +2. Modify the `.well-known/mta-sts.txt` file to reflect your own mail server configuration and desired policy. +3. Update the `CNAME` file with your own custom domain. +4. Configure your domain's DNS settings to point to the GitHub Pages site. +5. Create the necessary `_mta-sts` DNS TXT records to enable the policy. + +The `README.md` file contains a comprehensive guide on how to perform these steps. diff --git a/QWEN.md b/QWEN.md new file mode 100644 index 0000000..8189583 --- /dev/null +++ b/QWEN.md @@ -0,0 +1,69 @@ +# MTA-STS Policy Template - Project Context + +## Project Overview + +This is a template repository for hosting MTA-STS (Mail Transfer Agent Strict Transport Security) policy files on GitHub Pages. The project allows users to create and host their MTA-STS policy file (`.well-known/mta-sts.txt`) to secure email delivery by enforcing SMTP-over-TLS connections. + +MTA-STS is a security standard that enables domain owners to declare their email server's support for encrypted SMTP connections. When properly configured, it mitigates man-in-the-middle attacks by instructing sending email servers to only connect via encrypted channels. + +## Repository Structure + +- `.well-known/` - Contains the MTA-STS policy file served at the well-known location + - `mta-sts.txt` - The actual MTA-STS policy file that defines how email should be delivered +- `index.html` - Redirects visitors to the MTA-STS policy file +- `_config.yml` - Jekyll configuration to include the `.well-known` directory in builds +- `CNAME` - Defines the custom domain for GitHub Pages +- Various configuration and documentation files for GitHub Pages hosting + +## Key Files and Configuration + +### MTA-STS Policy File (`.well-known/mta-sts.txt`) + +The current policy file contains: + +```txt +version: STSv1 +mode: enforce +mx: mx1.forwardemail.net +mx: mx2.forwardemail.net +max_age: 604800 +``` + +This policy enforces encrypted connections to the specified MX servers for one week (604800 seconds). + +### Domain Configuration + +- The `CNAME` file points to `mta-sts.lewsion.com`, indicating the domain for which this MTA-STS policy is configured. +- GitHub Pages serves this repository at that domain via DNS CNAME record. + +### Jekyll Configuration + +- `_config.yml` includes the `.well-known` directory in the GitHub Pages build, which is necessary for the MTA-STS policy file to be served at the correct path. + +## Setup and Usage Instructions + +1. Fork or create a repository from this template +2. Modify `.well-known/mta-sts.txt` with your own MX server details +3. Set up a CNAME DNS record pointing `mta-sts.yourdomain.com` to `yourusername.github.io` +4. Configure GitHub Pages with your custom domain +5. Add a TXT DNS record `_mta-sts.yourdomain.com` with your policy ID to enable MTA-STS for your domain +6. Optionally configure TLS reporting with a `_smtp._tls.yourdomain.com` TXT record + +## Development Conventions + +- This is a static site that gets served via GitHub Pages +- The `.well-known/mta-sts.txt` file should follow RFC 8461 specification +- Policy IDs in DNS TXT records need to be updated when the MTA-STS policy file changes +- The repository uses Jekyll for GitHub Pages hosting + +## Security Considerations + +- The MTA-STS policy enforces TLS encryption for email delivery +- Proper domain validation is required to prevent unauthorized modification of MTA-STS policies +- The `max_age` directive controls how long the policy remains in effect before requiring re-verification + +## Testing and Validation + +- Visit `https://mta-sts.yourdomain.com` to verify the policy file is accessible +- Use tools like MXToolBox MTA-STS Lookup or Hardenize to validate your implementation +- Monitor TLS reports if you implement the optional TLS reporting configuration