From 158b14d555dde2b7a13fa235021a60cd52c6095e Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Tue, 7 May 2024 14:51:45 -0400 Subject: [PATCH 01/16] add support pages for MTA-STS in Momentum --- .../4/config/mta-sts/enable-mta-sts.md | 31 +++++++ .../mta-sts/mta-sts-dns-cname-max-depth.md | 31 +++++++ .../4/config/mta-sts/mta-sts-policy-store.md | 29 ++++++ .../momentum/4/config/mta-sts/use-mta-sts.md | 27 ++++++ content/momentum/4/mta-sts.md | 91 +++++++++++++++++++ 5 files changed, 209 insertions(+) create mode 100644 content/momentum/4/config/mta-sts/enable-mta-sts.md create mode 100644 content/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth.md create mode 100644 content/momentum/4/config/mta-sts/mta-sts-policy-store.md create mode 100644 content/momentum/4/config/mta-sts/use-mta-sts.md create mode 100644 content/momentum/4/mta-sts.md diff --git a/content/momentum/4/config/mta-sts/enable-mta-sts.md b/content/momentum/4/config/mta-sts/enable-mta-sts.md new file mode 100644 index 00000000..701539ba --- /dev/null +++ b/content/momentum/4/config/mta-sts/enable-mta-sts.md @@ -0,0 +1,31 @@ +--- +lastUpdated: "06/01/2024" +title: "enable_mta_sts" +description: "config option to enable MTA-STS policy application for outbound mails" +--- + + +## Name + +enable_mta_sts — specify whether Momentum should apply MTA-STS policies on outbound email sending + +## Synopsis + +`enable_mta_sts = "true|false"` + +## Description + +This option is only effective when [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) is `true` +for a recipient domain. +This option specified whether Momentum try to apply the retrieved MTA-STS policies when sending +emails to a remote site. See [mta-sts](/momentum/4/mta-sts) for more details. +When this option is `true`, the MTA-STS policy mode will take the preference over the config options + of [TLS](/momentum/4.config/tls) and [TLS_Verify](/momentum/4/config/tls-verify), unless the + MTA-STS policy mode is `none`. + +The default value is `true` when the domain level `use_mta_sts` is `true`. + + +## Scope + +`enable_mta_sts` is valid in the binding, binding_group, domain and global scopes. diff --git a/content/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth.md b/content/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth.md new file mode 100644 index 00000000..563b8ac0 --- /dev/null +++ b/content/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth.md @@ -0,0 +1,31 @@ +--- +lastUpdated: "06/01/2024" +title: "mta_sts_dns_cname_max_depth" +description: "config option on how many continous cname lookups are allowed when doing MTA-STS TXT +record lookup for a domain" +--- + + +## Name + +mta_sts_dns_cname_max_depth — specifies how many continous cname lookups are allowed when doing DNS + lookups for MTA-STS TXT record for a domain. Exceeding the configured value will be treated as a DNS + lookup failure, which will be further treated as no MTA-STS policy available. + +## Synopsis + +`mta_sts_dns_cname_max_depth = 5` + +## Description + +Momentum supports MTA-STS policy delegation, which points the `_mta-sts` TXT record for the policy + domain via `CNAME` (to the `_mta-sts` record maintained by the provider). Momentum's DNS lookup + will follow the `CNAME`s. To avoid a DNS lookup loop, Momentum uses this config option to limit how + many continuous `CNAME` lookups can happen before claiming a lookup failure. + +The default value is `5`. + + +## Scope + +`mta_sts_dns_cname_max_depth` is valid in the domain and global scopes. diff --git a/content/momentum/4/config/mta-sts/mta-sts-policy-store.md b/content/momentum/4/config/mta-sts/mta-sts-policy-store.md new file mode 100644 index 00000000..662d6d26 --- /dev/null +++ b/content/momentum/4/config/mta-sts/mta-sts-policy-store.md @@ -0,0 +1,29 @@ +--- +lastUpdated: "06/01/2024" +title: "mta_sts_policy_store" +description: "the location to store the MTA-STS policy" +--- + + +## Name + +mta_sts_policy_store — specifies how many continous cname lookups are allowed when doing DNS + lookups for MTA-STS TXT record for a domain. Exceeding the configured value will be treated as a DNS + lookup failure, which will be further treated as no MTA-STS policy available. + +## Synopsis + +`mta_sts_policy_store = "/var/spool/ecelerity/mtasts"` + +## Description + +Momentum stores MTA-STS policy for a domain in file on disk, and accesses the HTTPS endpoint to refresh the + policy once every 24 hours. This config option specifies the directory where the policies are stored + on the disk. + +The default value is `/var/spool/ecelerity/mtasts`. + + +## Scope + +`mta_sts_dns_cname_max_depth` is valid in the global scope. diff --git a/content/momentum/4/config/mta-sts/use-mta-sts.md b/content/momentum/4/config/mta-sts/use-mta-sts.md new file mode 100644 index 00000000..7640fd60 --- /dev/null +++ b/content/momentum/4/config/mta-sts/use-mta-sts.md @@ -0,0 +1,27 @@ +--- +lastUpdated: "06/01/2024" +title: "use_mta_sts" +description: "config option to enable MTA-STS policy fetching for a domain" +--- + + +## Name + +use_mta_sts — specify whether Momentum should do MTA-STS policy fetching for a domain or not + +## Synopsis + +`use_mta_sts = "true|false"` + +## Description + +This option specified whether Momentum shall attempt to discover the recipient domain's MTA-STS + policy (via a DNS lookup to retrieve the MTA-STS policy ID and a HTTPS lookup to retrieve the + MTA-STS policy) + +The default value is `false`. + + +## Scope + +`use_mta_sts` is valid in the domain and global scopes. diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md new file mode 100644 index 00000000..498a225c --- /dev/null +++ b/content/momentum/4/mta-sts.md @@ -0,0 +1,91 @@ +--- +lastUpdated: "06/01/2024" +title: "MTA-STS support in Momentum" +description: "MTA-STS support in Momentum" +--- + +MTA-STS (MTA Strict Transport Security) improves email security by requiring authentication +checks and encryption for delivering email. RFC 8461 describes the use of MTA-STS for improving +SMTP security between MTAs. + +If the per-domain config option [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) is set to `true`, + Momentum will attempt to discover the recipient domain's MTA-STS policy + (via a DNS lookup to retrieve the MTA-STS policy ID and a HTTPS lookup to retrieve the + MTA-STS policy) and use it for validating the connection to the remote site. + If the recipient domain enforces MTA-STS, Momentum delivers email to the remote +domain's MX if and only if the following conditions are satisfied: + - remote site matches at least one of the MX patterns defined in the recipient domain's MTA-STS + policy + - connection to remote site can be encrypted (via the use of STARTTLS) + - Momentum can authenticate both - the certificate chain presented by the server on the connection + and server name in the certificate + +For verifying certificates, Momentum use the configured CA for outbound email defined by + [TLS_CA](/momentum/4/config/tls-ca). + Momentum does not currently check for certificate revocation via the Online Certificate Status +Protocol (RFC 6960). + +Momentum caches the MTA-STS policy for up to `max-age` specified in the policy, and attempts to +refresh the cached policy once every 24 hours. + +Momentum does not currently implement SMTP TLS Reporting (RFC 8460). + +The examples below illustrate a few cases describing how Momentum implements MTA-STS. +For all examples the recipient domain would be domain.com. + +### Example 1: Recipient domain enforces MTA-STS and MX is allowed as per the MTA-STS policy + +> **MTA-STS policy retrieved from https://mta-sts.domain.com/.well-known/mta-sts.txt** +``` +version: STSv1 +mode: enforce +mx: *.domain.com +max_age: 86400 +``` +> **DNS results for domain's MX lookup** +``` +mx1.domain.com +``` +> **Explanation** +> Momentum attempts to deliver email to `mx1.domain.com` as it matches at least one of the +MX patterns defined in the MTA-STS policy. + +### Example 2: Recipient domain enforces MTA-STS and MX is not allowed as per the MTA-STS policy + +> **MTA-STS policy retrieved from https://mta-sts.domain.com/.well-known/mta-sts.txt** +``` +version: STSv1 +mode: enforce +mx: *.domain.com +max_age: 86400 +``` +> **DNS results for domain's MX lookup** +``` +mx1.other.com +``` +> **Explanation** +> Momentum does not attempt to deliver email to `mx1.other.com` as it does not match any of the +MX patterns defined in the MTA-STS policy. + +### Example 3: Recipient domain does not enforce MTA-STS and MX is not allowed as per the MTA-STS +policy + +> **MTA-STS policy retrieved from https://mta-sts.domain.com/.well-known/mta-sts.txt** +``` +version: STSv1 +mode: testing +mx: *.domain.com +max_age: 86400 +``` +> **DNS results for domain's MX lookup** +``` +mx1.other.com +``` +> **Explanation** +> Momentum attempts to deliver email to `mx1.other.com` even though it does not match any of the +MX patterns defined in the MTA-STS policy since the policy mode is not `enforce`. + + +## Related Configuration Options +- [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) +- [enable_mta_sts](/momentum/4/coonfig/mta-sts/enable-mta-sts) From 30f2f6b00e904b74c1ebb214a755d72818159f60 Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Tue, 7 May 2024 15:18:01 -0400 Subject: [PATCH 02/16] update --- .../momentum/4/config/mta-sts/enable-mta-sts.md | 15 +++++++++++---- content/momentum/4/mta-sts.md | 4 +++- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/content/momentum/4/config/mta-sts/enable-mta-sts.md b/content/momentum/4/config/mta-sts/enable-mta-sts.md index 701539ba..f0868648 100644 --- a/content/momentum/4/config/mta-sts/enable-mta-sts.md +++ b/content/momentum/4/config/mta-sts/enable-mta-sts.md @@ -17,11 +17,18 @@ enable_mta_sts — specify whether Momentum should apply MTA-STS policies on out This option is only effective when [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) is `true` for a recipient domain. -This option specified whether Momentum try to apply the retrieved MTA-STS policies when sending +This option specified whether Momentum should try to apply the retrieved MTA-STS policies when sending emails to a remote site. See [mta-sts](/momentum/4/mta-sts) for more details. -When this option is `true`, the MTA-STS policy mode will take the preference over the config options - of [TLS](/momentum/4.config/tls) and [TLS_Verify](/momentum/4/config/tls-verify), unless the - MTA-STS policy mode is `none`. +When this option is `true`, the MTA-STS policy mode will be considered along with the configuration + values for [TLS](/momentum/4.config/tls) and [TLS_Verify](/momentum/4/config/tls-verify). + The more strict policy will apply. E.g. When the MTA-STS policy mode is `enforce`, regardless the + values for `TLS` and `TLS_Verify`, Momentum will enforce TLS (equivalent to `TLS = required`) and + will fail the delivery upon a failed certificate validation (equivalent to `TLS_Verify = host`). + When the MTA-STS policy mode is `testing`, Momentum will apply `TLS = ifavailable` (unless + `TLS = required` is specified) and `TLS_Verify = optional` (unless `TLS_Verify = host` is + specified). + When the MTA-STS policy mode is `none`, the configuration values for `TLS` and `TLS_Verify` will be + respected. The default value is `true` when the domain level `use_mta_sts` is `true`. diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md index 498a225c..307bafbb 100644 --- a/content/momentum/4/mta-sts.md +++ b/content/momentum/4/mta-sts.md @@ -88,4 +88,6 @@ MX patterns defined in the MTA-STS policy since the policy mode is not `enforce` ## Related Configuration Options - [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) -- [enable_mta_sts](/momentum/4/coonfig/mta-sts/enable-mta-sts) +- [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) +- [mta_sts_dns_cname_max_depth](/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth) +- [mta_sts_policy_store](/momentum/4/config/mta-sts/mta-sts-policy-store) From b34fc8bee1ad20dd6bec1dfaa0bd5aa92dec5877 Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Tue, 7 May 2024 21:53:32 -0400 Subject: [PATCH 03/16] update debug_flags for MTA-STS --- content/momentum/4/config/ref-debug-flags.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/momentum/4/config/ref-debug-flags.md b/content/momentum/4/config/ref-debug-flags.md index 666d5c73..e4bd253c 100644 --- a/content/momentum/4/config/ref-debug-flags.md +++ b/content/momentum/4/config/ref-debug-flags.md @@ -57,6 +57,7 @@ Use ‘`ALL`’ instead of listing each service debug flag. | LOG1 | LOG1 | | DNS | DNS | | DNS data structures | DNSDS | +| MTA-STS | MTA_STS | | Network | NET | | Signals | SIG | | Memory Management | MEM | @@ -69,4 +70,4 @@ Use ‘`ALL`’ instead of listing each service debug flag. ## Scope -debug_flags is valid in the global scope. \ No newline at end of file +debug_flags is valid in the global scope. From 07da5a2317f4427c334719699c78bffec1174061 Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Wed, 8 May 2024 10:19:44 -0400 Subject: [PATCH 04/16] minor format --- content/momentum/4/config/mta-sts/enable-mta-sts.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/momentum/4/config/mta-sts/enable-mta-sts.md b/content/momentum/4/config/mta-sts/enable-mta-sts.md index f0868648..7dfae5c0 100644 --- a/content/momentum/4/config/mta-sts/enable-mta-sts.md +++ b/content/momentum/4/config/mta-sts/enable-mta-sts.md @@ -19,6 +19,8 @@ This option is only effective when [use_mta_sts](/momentum/4/config/mta-sts/use- for a recipient domain. This option specified whether Momentum should try to apply the retrieved MTA-STS policies when sending emails to a remote site. See [mta-sts](/momentum/4/mta-sts) for more details. + + When this option is `true`, the MTA-STS policy mode will be considered along with the configuration values for [TLS](/momentum/4.config/tls) and [TLS_Verify](/momentum/4/config/tls-verify). The more strict policy will apply. E.g. When the MTA-STS policy mode is `enforce`, regardless the From fd6593995a13a4464db5d2a92de94029c4ed93a9 Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Wed, 8 May 2024 14:27:31 -0400 Subject: [PATCH 05/16] mta_sts ec_console commands --- .../4/config/mta-sts/enable-mta-sts.md | 6 ++- .../momentum/4/console-commands/mta-sts.md | 53 +++++++++++++++++++ content/momentum/4/mta-sts.md | 6 +++ content/momentum/navigation.yml | 4 +- 4 files changed, 66 insertions(+), 3 deletions(-) create mode 100644 content/momentum/4/console-commands/mta-sts.md diff --git a/content/momentum/4/config/mta-sts/enable-mta-sts.md b/content/momentum/4/config/mta-sts/enable-mta-sts.md index 7dfae5c0..98f3a228 100644 --- a/content/momentum/4/config/mta-sts/enable-mta-sts.md +++ b/content/momentum/4/config/mta-sts/enable-mta-sts.md @@ -18,17 +18,19 @@ enable_mta_sts — specify whether Momentum should apply MTA-STS policies on out This option is only effective when [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) is `true` for a recipient domain. This option specified whether Momentum should try to apply the retrieved MTA-STS policies when sending -emails to a remote site. See [mta-sts](/momentum/4/mta-sts) for more details. +emails to a remote site. See [MTA-STS support in Momentum](/momentum/4/mta-sts) for more details. When this option is `true`, the MTA-STS policy mode will be considered along with the configuration - values for [TLS](/momentum/4.config/tls) and [TLS_Verify](/momentum/4/config/tls-verify). + values for [TLS](/momentum/4/config/ref-tls) and [TLS_Verify](/momentum/4/config/tls-verify). The more strict policy will apply. E.g. When the MTA-STS policy mode is `enforce`, regardless the values for `TLS` and `TLS_Verify`, Momentum will enforce TLS (equivalent to `TLS = required`) and will fail the delivery upon a failed certificate validation (equivalent to `TLS_Verify = host`). + When the MTA-STS policy mode is `testing`, Momentum will apply `TLS = ifavailable` (unless `TLS = required` is specified) and `TLS_Verify = optional` (unless `TLS_Verify = host` is specified). + When the MTA-STS policy mode is `none`, the configuration values for `TLS` and `TLS_Verify` will be respected. diff --git a/content/momentum/4/console-commands/mta-sts.md b/content/momentum/4/console-commands/mta-sts.md new file mode 100644 index 00000000..5e6e99d9 --- /dev/null +++ b/content/momentum/4/console-commands/mta-sts.md @@ -0,0 +1,53 @@ +--- +lastUpdated: "06/01/2024" +title: "mta_sts" +description: "mta_sts ec_console commands" +--- + + +## Name + +mta_sts - commands for MTA-STS related data + +## Synopsis + +`mta_sts list all` + +`mta-sts show domain {domain name}` + +`mta-sts refresh policy {domain name}` + +## Description + +**mta_sts list all** list all the active domains which have MTA-STS policies + +``` +15:42:38 /tmp/2025> mta_sts list all +gmail.com +Total domains: 1 +``` + +**mta-sts show domain { domain name }** show MTA-STS TXT record and policy details of a given domain. + The same content will show in [domain](/momentum/4/console-commands/domain) command output also if + available. + + +``` +18:13:43 /tmp/2025> mta_sts show domain gmail.com +Domain 'gmail.com' has MTA-STS TXT and a TTL of 185 seconds + id: 20190429T010101 + max_age: 86400 seconds; refresh in 86375 seconds + mode: enforce + mxlist: + gmail-smtp-in.l.google.com + gmail-smtp-in.l.google.com +``` + +**mta-sts refresh policy {domain name}** force to fetch MTA-STS policy from the HTTPS endpoint for a +given domain + + +``` +18:14:41 /tmp/2025> mta_sts refresh policy gmail.com +MTA-STS policy for gmail.com refreshed. +``` diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md index 307bafbb..831f3285 100644 --- a/content/momentum/4/mta-sts.md +++ b/content/momentum/4/mta-sts.md @@ -91,3 +91,9 @@ MX patterns defined in the MTA-STS policy since the policy mode is not `enforce` - [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) - [mta_sts_dns_cname_max_depth](/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth) - [mta_sts_policy_store](/momentum/4/config/mta-sts/mta-sts-policy-store) + +## Related [Debug_Flags](/momentum/4/config/ref-debug-flags) +- MTA_STS + +## ec_console commands +- [mta_sts](/momentum/4/console-commands/mta-sts diff --git a/content/momentum/navigation.yml b/content/momentum/navigation.yml index ad8832b8..4340432d 100644 --- a/content/momentum/navigation.yml +++ b/content/momentum/navigation.yml @@ -511,6 +511,8 @@ title: Sending Emails as CC and BCC - link: /momentum/4/complex-template title: Using Complex Templates + - link: /momentum/4/mta-sts + title: MTA-STS support - link: /momentum/4/http-api-stats title: Stats HTTP API items: @@ -2007,4 +2009,4 @@ - link: /momentum/changelog/legacy/message-central title: Message Central Legacy Changelog - link: /momentum/changelog/legacy/message-scope - title: Message Scope Legacy Changelog \ No newline at end of file + title: Message Scope Legacy Changelog From 43de084b754dc80d91eb26d3122e49a23d84a417 Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Wed, 8 May 2024 16:34:15 -0400 Subject: [PATCH 06/16] more minor changes --- content/momentum/4/config/mta-sts/enable-mta-sts.md | 8 ++++---- content/momentum/4/config/mta-sts/mta-sts-policy-store.md | 6 ++---- content/momentum/4/config/mta-sts/use-mta-sts.md | 4 ++-- content/momentum/4/console-commands/mta-sts.md | 8 ++++---- content/momentum/4/mta-sts.md | 8 ++++---- 5 files changed, 16 insertions(+), 18 deletions(-) diff --git a/content/momentum/4/config/mta-sts/enable-mta-sts.md b/content/momentum/4/config/mta-sts/enable-mta-sts.md index 98f3a228..6d414c38 100644 --- a/content/momentum/4/config/mta-sts/enable-mta-sts.md +++ b/content/momentum/4/config/mta-sts/enable-mta-sts.md @@ -17,7 +17,7 @@ enable_mta_sts — specify whether Momentum should apply MTA-STS policies on out This option is only effective when [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) is `true` for a recipient domain. -This option specified whether Momentum should try to apply the retrieved MTA-STS policies when sending +This option specifies whether Momentum should try to apply the retrieved MTA-STS policy when sending emails to a remote site. See [MTA-STS support in Momentum](/momentum/4/mta-sts) for more details. @@ -27,12 +27,12 @@ When this option is `true`, the MTA-STS policy mode will be considered along wit values for `TLS` and `TLS_Verify`, Momentum will enforce TLS (equivalent to `TLS = required`) and will fail the delivery upon a failed certificate validation (equivalent to `TLS_Verify = host`). - When the MTA-STS policy mode is `testing`, Momentum will apply `TLS = ifavailable` (unless +When the MTA-STS policy mode is `testing`, Momentum will apply `TLS = ifavailable` (unless `TLS = required` is specified) and `TLS_Verify = optional` (unless `TLS_Verify = host` is specified). - When the MTA-STS policy mode is `none`, the configuration values for `TLS` and `TLS_Verify` will be - respected. +When the MTA-STS policy mode is `none`, the policy will be ignored and the configuration values for + `TLS` and `TLS_Verify` will be respected. The default value is `true` when the domain level `use_mta_sts` is `true`. diff --git a/content/momentum/4/config/mta-sts/mta-sts-policy-store.md b/content/momentum/4/config/mta-sts/mta-sts-policy-store.md index 662d6d26..3464d11b 100644 --- a/content/momentum/4/config/mta-sts/mta-sts-policy-store.md +++ b/content/momentum/4/config/mta-sts/mta-sts-policy-store.md @@ -7,9 +7,7 @@ description: "the location to store the MTA-STS policy" ## Name -mta_sts_policy_store — specifies how many continous cname lookups are allowed when doing DNS - lookups for MTA-STS TXT record for a domain. Exceeding the configured value will be treated as a DNS - lookup failure, which will be further treated as no MTA-STS policy available. +mta_sts_policy_store — specifies the location to keep the MTA-STS policy details for the domains. ## Synopsis @@ -17,7 +15,7 @@ mta_sts_policy_store — specifies how many continous cname lookups are allowed ## Description -Momentum stores MTA-STS policy for a domain in file on disk, and accesses the HTTPS endpoint to refresh the +Momentum stores MTA-STS policy for a domain in a file on disk, and accesses the HTTPS endpoint to refresh the policy once every 24 hours. This config option specifies the directory where the policies are stored on the disk. diff --git a/content/momentum/4/config/mta-sts/use-mta-sts.md b/content/momentum/4/config/mta-sts/use-mta-sts.md index 7640fd60..e15e91aa 100644 --- a/content/momentum/4/config/mta-sts/use-mta-sts.md +++ b/content/momentum/4/config/mta-sts/use-mta-sts.md @@ -15,8 +15,8 @@ use_mta_sts — specify whether Momentum should do MTA-STS policy fetching for a ## Description -This option specified whether Momentum shall attempt to discover the recipient domain's MTA-STS - policy (via a DNS lookup to retrieve the MTA-STS policy ID and a HTTPS lookup to retrieve the +This option specifies whether Momentum shall attempt to discover the recipient domain's MTA-STS + policy (via a DNS TXT lookup to retrieve the MTA-STS policy ID and a HTTPS lookup to retrieve the MTA-STS policy) The default value is `false`. diff --git a/content/momentum/4/console-commands/mta-sts.md b/content/momentum/4/console-commands/mta-sts.md index 5e6e99d9..e11230a3 100644 --- a/content/momentum/4/console-commands/mta-sts.md +++ b/content/momentum/4/console-commands/mta-sts.md @@ -19,7 +19,7 @@ mta_sts - commands for MTA-STS related data ## Description -**mta_sts list all** list all the active domains which have MTA-STS policies +**mta_sts list all** - lists all the active domains which have MTA-STS policies ``` 15:42:38 /tmp/2025> mta_sts list all @@ -27,7 +27,7 @@ gmail.com Total domains: 1 ``` -**mta-sts show domain { domain name }** show MTA-STS TXT record and policy details of a given domain. +**mta-sts show domain { domain name }** - shows MTA-STS TXT record and policy details of a given domain. The same content will show in [domain](/momentum/4/console-commands/domain) command output also if available. @@ -43,8 +43,8 @@ Domain 'gmail.com' has MTA-STS TXT and a TTL of 185 seconds gmail-smtp-in.l.google.com ``` -**mta-sts refresh policy {domain name}** force to fetch MTA-STS policy from the HTTPS endpoint for a -given domain +**mta-sts refresh policy {domain name}** - forces MTA-STS policy refresh by fetching the policy + from the HTTPS endpoint for a given domain ``` diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md index 831f3285..c0e1836b 100644 --- a/content/momentum/4/mta-sts.md +++ b/content/momentum/4/mta-sts.md @@ -18,9 +18,9 @@ domain's MX if and only if the following conditions are satisfied: policy - connection to remote site can be encrypted (via the use of STARTTLS) - Momentum can authenticate both - the certificate chain presented by the server on the connection - and server name in the certificate + and the server name in the certificate -For verifying certificates, Momentum use the configured CA for outbound email defined by +For verifying certificates, Momentum uses the configured CA for outbound email defined by [TLS_CA](/momentum/4/config/tls-ca). Momentum does not currently check for certificate revocation via the Online Certificate Status Protocol (RFC 6960). @@ -31,7 +31,7 @@ refresh the cached policy once every 24 hours. Momentum does not currently implement SMTP TLS Reporting (RFC 8460). The examples below illustrate a few cases describing how Momentum implements MTA-STS. -For all examples the recipient domain would be domain.com. +For all examples the recipient domain would be `domain.com`. ### Example 1: Recipient domain enforces MTA-STS and MX is allowed as per the MTA-STS policy @@ -96,4 +96,4 @@ MX patterns defined in the MTA-STS policy since the policy mode is not `enforce` - MTA_STS ## ec_console commands -- [mta_sts](/momentum/4/console-commands/mta-sts +- [mta_sts](/momentum/4/console-commands/mta-sts) From 0b767dcc28c8f2e7a8d64bed881d6fc023376ec8 Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Thu, 9 May 2024 15:19:12 -0400 Subject: [PATCH 07/16] minor update --- content/momentum/4/console-commands/mta-sts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/momentum/4/console-commands/mta-sts.md b/content/momentum/4/console-commands/mta-sts.md index e11230a3..349d9ad8 100644 --- a/content/momentum/4/console-commands/mta-sts.md +++ b/content/momentum/4/console-commands/mta-sts.md @@ -40,7 +40,7 @@ Domain 'gmail.com' has MTA-STS TXT and a TTL of 185 seconds mode: enforce mxlist: gmail-smtp-in.l.google.com - gmail-smtp-in.l.google.com + *.gmail-smtp-in.l.google.com ``` **mta-sts refresh policy {domain name}** - forces MTA-STS policy refresh by fetching the policy From 68aac62a0a19a6c409b55376de95da6cead58bed Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Thu, 9 May 2024 15:22:00 -0400 Subject: [PATCH 08/16] minor update --- content/momentum/4/console-commands/mta-sts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/momentum/4/console-commands/mta-sts.md b/content/momentum/4/console-commands/mta-sts.md index 349d9ad8..1246cdc7 100644 --- a/content/momentum/4/console-commands/mta-sts.md +++ b/content/momentum/4/console-commands/mta-sts.md @@ -28,7 +28,7 @@ Total domains: 1 ``` **mta-sts show domain { domain name }** - shows MTA-STS TXT record and policy details of a given domain. - The same content will show in [domain](/momentum/4/console-commands/domain) command output also if + The same content will be shown in [domain](/momentum/4/console-commands/domain) command output also if available. From 57d115d0396e20662d6eddd8881fa68801a94bd3 Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Tue, 14 May 2024 08:56:02 -0400 Subject: [PATCH 09/16] add mta-sts config options and control commands into summaries --- content/momentum/4/4-console-commands.md | 5 ++++- content/momentum/4/config-options-summary.md | 4 ++++ content/momentum/4/config/index.md | 4 ++++ content/momentum/4/console-commands/index.md | 4 +++- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/content/momentum/4/4-console-commands.md b/content/momentum/4/4-console-commands.md index 3570e8fd..4136666f 100644 --- a/content/momentum/4/4-console-commands.md +++ b/content/momentum/4/4-console-commands.md @@ -118,6 +118,9 @@ This table lists all console commands alphabetically giving a brief description. | [message retry](/momentum/4/console-commands/message-retry) – Perform an immediate delivery attempt on a message | 4.0 |   | message | | [module hooks](/momentum/4/console-commands/4-module) – Manage loaded module hooks | 4.0 |   | module | | [module list](/momentum/4/console-commands/4-module) – Show loaded modules | 4.0 |   | module | +| [mta_sts list all](/momentum/4/console-commands/mta-sts) – list active domains which have MTA-STS policy | 4.8 |   | mta-sts | +| [mta_sts show domain](/momentum/4/console-commands/mta-sts) – show MTA-STS policy details for a domain | 4.8 |   | mta-sts | +| [mta_sts refresh policy](/momentum/4/console-commands/mta-sts) – refresh MTA-STS policy for a domain | 4.8 |   | mta-sts | | [outbound_audit:instance_name clear all](/momentum/4/modules/outbound-audit#modules.outbound_audit.console) – Zero-out all statistics | 4.0 | outbound_audit | module | | [outbound_audit:instance_name clear domain](/momentum/4/modules/outbound-audit#modules.outbound_audit.console) – Zero-out a domain's statistics | 4.0 | outbound_audit | module | | [outbound_audit:instance_name domain_list](/momentum/4/modules/outbound-audit#modules.outbound_audit.console) – Runtime addition/deletion of a domain in the monitoring list | 4.0 | outbound_audit | module | @@ -160,4 +163,4 @@ This table lists all console commands alphabetically giving a brief description. | [trace smtp remove](/momentum/4/console-commands/trace-smtp) – Remove an SMTP trace | 4.0 |   | misc | | [unlink stats](/momentum/4/console-commands/unlink-stats) – Show statistics of removing messages from the disk | 4.0 |   | stats | | [version](/momentum/4/console-commands/version) – Show version information of Momentum | 4.0 |   | misc | -| [write config](/momentum/4/console-commands/write-config) – Display current running configuration | 4.0 |   | config | \ No newline at end of file +| [write config](/momentum/4/console-commands/write-config) – Display current running configuration | 4.0 |   | config | diff --git a/content/momentum/4/config-options-summary.md b/content/momentum/4/config-options-summary.md index cca6110c..7f3f5293 100644 --- a/content/momentum/4/config-options-summary.md +++ b/content/momentum/4/config-options-summary.md @@ -149,6 +149,7 @@ The `Version` column indicated the version(s) of Momentum that support the optio | [enable_authorization](/momentum/4/control-authz) – Whether or not to enable authorization for console commands | receiving |   | 4.0 and later | control_listener, listen, peer | | [enable_duravip](/momentum/4/4-cluster-config-duravip) – Whether to enable Durable MultiVIP© bindings (cluster-specific) | both |   | 4.0 and later | binding, listen | | [enable_fbl_header_insertion](/momentum/4/config/ref-enable-fbl-header-insertion) – Enable or disable fbl header insertion | sending |   | 4.0 and later | binding, binding_group, domain, global | +| [enable_mta_sts](/momentum/4/config/mta-sts/enable_mta_sts) – Enable or disable MTA-STS policy application | sending |   | 4.8 and later | binding, binding_group, domain, global | | **enabled** – Whether or not the module is enabled (cluster-specific) | na | true | 4.0 and later | cluster | | [error](/momentum/4/config/ref-debug-flags) – Set the debug level | na | ALL | 4.0 and later | debug_flags | | [esmtp_listener](/momentum/4/esmtp-listener) *(scope)* – Listener for incoming SMTP connections | receiving |   | 4.0 and later | global | @@ -237,6 +238,8 @@ The `Version` column indicated the version(s) of Momentum that support the optio | [max_resident_active_queue](/momentum/4/config/ref-max-resident-active-queue) – Threshold above which messages are not held in memory | sending | 250 | 4.0 and later | binding, binding_group, domain, global | | [max_resident_messages](/momentum/4/config/ref-max-resident-messages) – Threshold above which messages are not held in memory | sending | 32768 | 4.0 and later | binding, binding_group, global | | [max_resident_transfails](/momentum/4/config/ref-max-resident-transfails) – If the transient failure queue grows beyond this size, messages are swapped out of memory | sending | 100 | 4.0 and later | global | +| [mta_sts_dns_cname_max_depth](/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth) – Maximum number of continous CNAME lookups allowed while doing MTA-STS DNS lookup | sending | 5 | 4.8 and later | global | +| [mta_sts_policy_store](/momentum/4/config/mta-sts/mta-sts-policy-store) – Directory to store MTA-STS policy files | sending | /var/spool/ecelerity/mtasts (*non-dynamic*) | 4.8 and later | global | | [swap_out_meta_after_each_tempfail](/momentum/4/config/ref-swap-out-meta-after-each-tempfail) – If this is set to false, Momentum will only update metadata on disk after each tempfail if the message context is dirty, and the num_retires, next_attempt and message context may not be accurate if Momentum crashes | sending | true | 4.3.1 and later | global | | [max_retries](/momentum/4/config/ref-max-retries) – Override the system configured max_retries | sending |   | 4.0 and later | binding, binding_group, domain, global | | [max_retry_interval](/momentum/4/config/ref-max-retry-interval) – Maximum retry interval | sending | 43200 | 4.0 and later | binding, binding_group, domain, global | @@ -365,6 +368,7 @@ The `Version` column indicated the version(s) of Momentum that support the optio | [use_iflist_cache](/momentum/4/config/ref-use-iflist-cache) – Whether or not to cache the list of interfaces configured by the system | sending | 0 (*non-dynamic*) | 4.0 and later | global | | [use_ipv6](/momentum/4/config/ref-use-ipv-6) – Affects the selection of IPv6 hosts in the SMTP client | sending | false | 4.0 and later | global | | [use_mmap](/momentum/4/config/ref-use-mmap) – Use mmap when spooling messages from disk | na | false | 4.0 and later | global | +| [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) – Enable MTA-STS policy fetching on a domain | sending | false | 4.8 and later | global, domain | | [use_sendfile](/momentum/4/config/ref-use-sendfile) – Use sendfile() when sending mail | sending | false | 4.0 and later | global | | **use_ssl** – Whether or not to use SSL verification | receiving | false | 4.0 and later | ecstream_listener, esmtp_listener, http_listener, listen, pathway, pathway_group, peer | | [user](/momentum/4/config/ref-user) – User identity to assume after startup | na | ecuser (*non-dynamic*) | 4.0 and later | security | diff --git a/content/momentum/4/config/index.md b/content/momentum/4/config/index.md index 5f820d16..b2d056c2 100644 --- a/content/momentum/4/config/index.md +++ b/content/momentum/4/config/index.md @@ -76,6 +76,7 @@ description: "This chapter provides the definitions of the configuration options | [ehlo_hostname](/momentum/4/config/ref-ehlo-hostname) | set the hostname used for EHLO in outbound mail | | [ehlo_timeout](/momentum/4/config/ref-ehlo-timeout) | network timeout for EHLO | | [enable_fbl_header_insertion](/momentum/4/config/ref-enable-fbl-header-insertion) | enable or disable fbl header insertion | +| [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) | enable application of MTA-STS policy on email delivery to a remote domain | | [event_loop](/momentum/4/config/ref-event-loop) | associate a pool of event loops within a listener scope to use multiple threads | | [eventloop](/momentum/4/config/ref-eventloop) | define a pool of event loops to enable multiple event loop configuration | | [events_per_iter](/momentum/4/config/ref-events-per-iter) | employ when using a concurrency greater than 1. | @@ -136,6 +137,8 @@ description: "This chapter provides the definitions of the configuration options | [migrate_connections_between_sibling_domains](/momentum/4/config/ref-migrate-connections-between-sibling-domains) | optimize connections for sibling domains | | [mime_parse_large_messages_during_reception](/momentum/4/config/ref-mime-parse-large-messages-during-reception) | configure whether large messages are parsed upon reception or just in time. | | [min_dns_ttl](/momentum/4/config/ref-min-dns-ttl) | override DNS TTLs smaller than this value | +| [mta_sts_dns_cname_max_depth](/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth) | the maximum number of continuous CNAME lookups while doing MTA-STS DNS TXT lookup | +| [mta_sts_policy_store](/momentum/4/config/mta-sts/mta-sts-policy-store) | the directory to store MTA-STS policy files | | [mx_failures_fallback_to_a](/momentum/4/config/ref-mx-failures-fallback-to-a) | configure the maximum number of times an MX lookup will be attempted | | [mx_failures_to_delay](/momentum/4/config/ref-mx-failures-to-delay) | number of consecutive failures before a domain is auto-delayed | | [never_attempt_expired_messages](/momentum/4/config/ref-never-attempt-expired-messages) | Never attempt delivery of expired messages | @@ -227,6 +230,7 @@ description: "This chapter provides the definitions of the configuration options | [use_iflist_cache](/momentum/4/config/ref-use-iflist-cache) | Whether or not to cache the list of network interfaces configured by the system | | [use_ipv6](/momentum/4/config/ref-use-ipv-6) | Affects the selection of IPv6 hosts in the SMTP client | | [use_mmap](/momentum/4/config/ref-use-mmap) | use mmap when spooling messages from disk | +| [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) | fetch MTA-STS policy for a domain | | [use_sendfile](/momentum/4/config/ref-use-sendfile) | use sendfile() when sending mail | | [user](/momentum/4/config/ref-user) | security: user identity to assume after startup | | [xclient](/momentum/4/config/ref-xclient) | use the xclient extension to SMTP for outbound mail | diff --git a/content/momentum/4/console-commands/index.md b/content/momentum/4/console-commands/index.md index d9219f1c..e7aac765 100644 --- a/content/momentum/4/console-commands/index.md +++ b/content/momentum/4/console-commands/index.md @@ -1,5 +1,5 @@ --- -lastUpdated: "02/09/2021" +lastUpdated: "06/01/2024" title: "Category File" type: "custom" name: "Non-Module-Specific Console Commands" @@ -44,6 +44,8 @@ description: "This section documents all the non module specific console command | [message fail quiet](/momentum/4/console-commands/message-fail-quiet) | fail a message and do not create a non-delivery receipt (NDR) | | [message retry](/momentum/4/console-commands/message-retry) | perform an immediate delivery attempt on a message | | [module](/momentum/4/console-commands/4-module) | manage loaded modules online | +| [mta_sts](/momentum/4/console-commands/mta_sts) | commands to display and manage MTA-STS policy for a domain | +| [\pager](/momentum/4/console-commands/pager) | Page output of long console commands in the console. | | [\pager](/momentum/4/console-commands/pager) | Page output of long console commands in the console. | | [paniclog](/momentum/4/console-commands/paniclog) | show last several entries written to paniclog | | [pid](/momentum/4/console-commands/pid) | show process id of Momentum | From ea735d43df27ce3a3ffb37e7030db2f8be017085 Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Tue, 14 May 2024 10:27:20 -0400 Subject: [PATCH 10/16] review comments --- content/momentum/4/config-options-summary.md | 2 +- .../4/config/mta-sts/enable-mta-sts.md | 6 ++--- .../momentum/4/config/mta-sts/use-mta-sts.md | 2 +- content/momentum/4/mta-sts.md | 27 ++++++++++--------- 4 files changed, 19 insertions(+), 18 deletions(-) diff --git a/content/momentum/4/config-options-summary.md b/content/momentum/4/config-options-summary.md index 7f3f5293..33915dcb 100644 --- a/content/momentum/4/config-options-summary.md +++ b/content/momentum/4/config-options-summary.md @@ -149,7 +149,7 @@ The `Version` column indicated the version(s) of Momentum that support the optio | [enable_authorization](/momentum/4/control-authz) – Whether or not to enable authorization for console commands | receiving |   | 4.0 and later | control_listener, listen, peer | | [enable_duravip](/momentum/4/4-cluster-config-duravip) – Whether to enable Durable MultiVIP© bindings (cluster-specific) | both |   | 4.0 and later | binding, listen | | [enable_fbl_header_insertion](/momentum/4/config/ref-enable-fbl-header-insertion) – Enable or disable fbl header insertion | sending |   | 4.0 and later | binding, binding_group, domain, global | -| [enable_mta_sts](/momentum/4/config/mta-sts/enable_mta_sts) – Enable or disable MTA-STS policy application | sending |   | 4.8 and later | binding, binding_group, domain, global | +| [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) – Enable or disable MTA-STS policy application | sending |   | 4.8 and later | binding, binding_group, domain, global | | **enabled** – Whether or not the module is enabled (cluster-specific) | na | true | 4.0 and later | cluster | | [error](/momentum/4/config/ref-debug-flags) – Set the debug level | na | ALL | 4.0 and later | debug_flags | | [esmtp_listener](/momentum/4/esmtp-listener) *(scope)* – Listener for incoming SMTP connections | receiving |   | 4.0 and later | global | diff --git a/content/momentum/4/config/mta-sts/enable-mta-sts.md b/content/momentum/4/config/mta-sts/enable-mta-sts.md index 6d414c38..a87ba59c 100644 --- a/content/momentum/4/config/mta-sts/enable-mta-sts.md +++ b/content/momentum/4/config/mta-sts/enable-mta-sts.md @@ -7,7 +7,7 @@ description: "config option to enable MTA-STS policy application for outbound ma ## Name -enable_mta_sts — specify whether Momentum should apply MTA-STS policies on outbound email sending +enable_mta_sts — specify whether Momentum should apply MTA-STS policies for outbound emails ## Synopsis @@ -23,7 +23,7 @@ emails to a remote site. See [MTA-STS support in Momentum](/momentum/4/mta-sts) When this option is `true`, the MTA-STS policy mode will be considered along with the configuration values for [TLS](/momentum/4/config/ref-tls) and [TLS_Verify](/momentum/4/config/tls-verify). - The more strict policy will apply. E.g. When the MTA-STS policy mode is `enforce`, regardless the + The more strict policy will apply. E.g. When the MTA-STS policy mode is `enforce`, regardless of the values for `TLS` and `TLS_Verify`, Momentum will enforce TLS (equivalent to `TLS = required`) and will fail the delivery upon a failed certificate validation (equivalent to `TLS_Verify = host`). @@ -34,7 +34,7 @@ When the MTA-STS policy mode is `testing`, Momentum will apply `TLS = ifavailabl When the MTA-STS policy mode is `none`, the policy will be ignored and the configuration values for `TLS` and `TLS_Verify` will be respected. -The default value is `true` when the domain level `use_mta_sts` is `true`. +The default value is `true` when `use_mta_sts` is `true` for a domain. ## Scope diff --git a/content/momentum/4/config/mta-sts/use-mta-sts.md b/content/momentum/4/config/mta-sts/use-mta-sts.md index e15e91aa..4b658c20 100644 --- a/content/momentum/4/config/mta-sts/use-mta-sts.md +++ b/content/momentum/4/config/mta-sts/use-mta-sts.md @@ -7,7 +7,7 @@ description: "config option to enable MTA-STS policy fetching for a domain" ## Name -use_mta_sts — specify whether Momentum should do MTA-STS policy fetching for a domain or not +use_mta_sts — specify whether Momentum should do MTA-STS policy fetching for a domain ## Synopsis diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md index c0e1836b..0fcbad53 100644 --- a/content/momentum/4/mta-sts.md +++ b/content/momentum/4/mta-sts.md @@ -1,19 +1,21 @@ --- lastUpdated: "06/01/2024" -title: "MTA-STS support in Momentum" -description: "MTA-STS support in Momentum" +title: "MTA-STS support" +description: "MTA-STS support" --- MTA-STS (MTA Strict Transport Security) improves email security by requiring authentication checks and encryption for delivering email. RFC 8461 describes the use of MTA-STS for improving -SMTP security between MTAs. +SMTP security between MTAs. Momentum starts to support MTA-STS in 4.8. -If the per-domain config option [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) is set to `true`, +If the config option [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) for a domain is set to `true`, Momentum will attempt to discover the recipient domain's MTA-STS policy (via a DNS lookup to retrieve the MTA-STS policy ID and a HTTPS lookup to retrieve the - MTA-STS policy) and use it for validating the connection to the remote site. + MTA-STS policy), and if the [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) + for the binding/domain is `true`, Momentum will apply the MTA-STS policy for validating + the connection to the remote site. If the recipient domain enforces MTA-STS, Momentum delivers email to the remote -domain's MX if and only if the following conditions are satisfied: + domain's MX if and only if the following conditions are satisfied: - remote site matches at least one of the MX patterns defined in the recipient domain's MTA-STS policy - connection to remote site can be encrypted (via the use of STARTTLS) @@ -35,7 +37,7 @@ For all examples the recipient domain would be `domain.com`. ### Example 1: Recipient domain enforces MTA-STS and MX is allowed as per the MTA-STS policy -> **MTA-STS policy retrieved from https://mta-sts.domain.com/.well-known/mta-sts.txt** +> **MTA-STS policy retrieved from `https://mta-sts.domain.com/.well-known/mta-sts.txt`** ``` version: STSv1 mode: enforce @@ -52,7 +54,7 @@ MX patterns defined in the MTA-STS policy. ### Example 2: Recipient domain enforces MTA-STS and MX is not allowed as per the MTA-STS policy -> **MTA-STS policy retrieved from https://mta-sts.domain.com/.well-known/mta-sts.txt** +> **MTA-STS policy retrieved from `https://mta-sts.domain.com/.well-known/mta-sts.txt`** ``` version: STSv1 mode: enforce @@ -70,7 +72,7 @@ MX patterns defined in the MTA-STS policy. ### Example 3: Recipient domain does not enforce MTA-STS and MX is not allowed as per the MTA-STS policy -> **MTA-STS policy retrieved from https://mta-sts.domain.com/.well-known/mta-sts.txt** +> **MTA-STS policy retrieved from `https://mta-sts.domain.com/.well-known/mta-sts.txt`** ``` version: STSv1 mode: testing @@ -87,13 +89,12 @@ MX patterns defined in the MTA-STS policy since the policy mode is not `enforce` ## Related Configuration Options -- [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) -- [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) -- [mta_sts_dns_cname_max_depth](/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth) -- [mta_sts_policy_store](/momentum/4/config/mta-sts/mta-sts-policy-store) +- [MTA-STS configuration Options](/momentum/4/config/mta-sts) + ## Related [Debug_Flags](/momentum/4/config/ref-debug-flags) - MTA_STS + ## ec_console commands - [mta_sts](/momentum/4/console-commands/mta-sts) From 25360eb9e28352c51b5e5af77d22299d629d7e6d Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Tue, 14 May 2024 13:04:15 -0400 Subject: [PATCH 11/16] link to mta-sts config options --- content/momentum/4/config/ref-debug-flags.md | 14 ++++++++++++-- content/momentum/4/console-commands/index.md | 1 - content/momentum/4/mta-sts.md | 2 +- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/content/momentum/4/config/ref-debug-flags.md b/content/momentum/4/config/ref-debug-flags.md index e4bd253c..3bcd7852 100644 --- a/content/momentum/4/config/ref-debug-flags.md +++ b/content/momentum/4/config/ref-debug-flags.md @@ -28,11 +28,21 @@ Debug_Flags { CRITICAL = (TIME FD SMTP LOG1 DNS DNSDS NET SIG MEM DB LIC SSL MOD START ALL) } ``` - ### Note - Use ‘`ALL`’ instead of listing each service debug flag. + +The example below enables more (at `WARNING` level) MTA-STS and SSL related logging, along with default +`ERROR` and `CRITICAL` loggings: +``` +Debug_Flags { + WARNING = (MTA_STS SSL) + ERROR = (ALL) + CRITICAL = (ALL) +} +``` + + diff --git a/content/momentum/4/console-commands/index.md b/content/momentum/4/console-commands/index.md index e7aac765..1eb37278 100644 --- a/content/momentum/4/console-commands/index.md +++ b/content/momentum/4/console-commands/index.md @@ -46,7 +46,6 @@ description: "This section documents all the non module specific console command | [module](/momentum/4/console-commands/4-module) | manage loaded modules online | | [mta_sts](/momentum/4/console-commands/mta_sts) | commands to display and manage MTA-STS policy for a domain | | [\pager](/momentum/4/console-commands/pager) | Page output of long console commands in the console. | -| [\pager](/momentum/4/console-commands/pager) | Page output of long console commands in the console. | | [paniclog](/momentum/4/console-commands/paniclog) | show last several entries written to paniclog | | [pid](/momentum/4/console-commands/pid) | show process id of Momentum | | [rebind](/momentum/4/console-commands/rebind) | rebind the messages in a binding or domain | diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md index 0fcbad53..c88746c4 100644 --- a/content/momentum/4/mta-sts.md +++ b/content/momentum/4/mta-sts.md @@ -89,7 +89,7 @@ MX patterns defined in the MTA-STS policy since the policy mode is not `enforce` ## Related Configuration Options -- [MTA-STS configuration Options](/momentum/4/config/mta-sts) +- [MTA-STS configuration Options](/momentum/4/config/mta-sts/index) ## Related [Debug_Flags](/momentum/4/config/ref-debug-flags) From d4fcc7838b1d174438bc7552870db80cca0a1d4f Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Tue, 14 May 2024 13:30:23 -0400 Subject: [PATCH 12/16] add new file --- content/momentum/4/config/mta-sts/index.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 content/momentum/4/config/mta-sts/index.md diff --git a/content/momentum/4/config/mta-sts/index.md b/content/momentum/4/config/mta-sts/index.md new file mode 100644 index 00000000..391faeb2 --- /dev/null +++ b/content/momentum/4/config/mta-sts/index.md @@ -0,0 +1,14 @@ +--- +lastUpdated: "06/01/2024" +title: "Category File" +type: "custom" +name: "MTA-STS Configuration Options Reference" +description: "MTA-STS configuration Options index" +--- + +- [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) +- [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) +- [mta_sts_dns_cname_max_depth](/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth) +- [mta_sts_policy_store](/momentum/4/config/mta-sts/mta-sts-policy-store) + + From e3f70ddb0bb6bc1a15a37f4061e62650a02a91d2 Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Tue, 14 May 2024 14:04:12 -0400 Subject: [PATCH 13/16] update link --- content/momentum/4/mta-sts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md index c88746c4..0fcbad53 100644 --- a/content/momentum/4/mta-sts.md +++ b/content/momentum/4/mta-sts.md @@ -89,7 +89,7 @@ MX patterns defined in the MTA-STS policy since the policy mode is not `enforce` ## Related Configuration Options -- [MTA-STS configuration Options](/momentum/4/config/mta-sts/index) +- [MTA-STS configuration Options](/momentum/4/config/mta-sts) ## Related [Debug_Flags](/momentum/4/config/ref-debug-flags) From c1c29b32206a7fc1d24fced6907a6746e12373fa Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Tue, 18 Jun 2024 09:49:34 -0400 Subject: [PATCH 14/16] typos --- content/momentum/4/config/mta-sts/mta-sts-policy-store.md | 2 +- content/momentum/4/console-commands/mta-sts.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/content/momentum/4/config/mta-sts/mta-sts-policy-store.md b/content/momentum/4/config/mta-sts/mta-sts-policy-store.md index 3464d11b..18840994 100644 --- a/content/momentum/4/config/mta-sts/mta-sts-policy-store.md +++ b/content/momentum/4/config/mta-sts/mta-sts-policy-store.md @@ -24,4 +24,4 @@ The default value is `/var/spool/ecelerity/mtasts`. ## Scope -`mta_sts_dns_cname_max_depth` is valid in the global scope. +`mta_sts_policy_store` is valid in the global scope. diff --git a/content/momentum/4/console-commands/mta-sts.md b/content/momentum/4/console-commands/mta-sts.md index 1246cdc7..16304434 100644 --- a/content/momentum/4/console-commands/mta-sts.md +++ b/content/momentum/4/console-commands/mta-sts.md @@ -13,9 +13,9 @@ mta_sts - commands for MTA-STS related data `mta_sts list all` -`mta-sts show domain {domain name}` +`mta_sts show domain {domain name}` -`mta-sts refresh policy {domain name}` +`mta_sts refresh policy {domain name}` ## Description From 9827faf76c5776b18707458210997f7ca343c3d0 Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Mon, 8 Jul 2024 12:51:46 -0400 Subject: [PATCH 15/16] EOP-209: DANE doc (#767) --- content/momentum/4/config/enable-dane.md | 29 +++++ content/momentum/4/config/index.md | 3 + content/momentum/4/config/ref-debug-flags.md | 1 + .../momentum/4/config/tlsa-expire-interval.md | 26 +++++ content/momentum/4/config/use-dane.md | 30 ++++++ content/momentum/4/modules/dane.md | 100 ++++++++++++++++++ content/momentum/4/modules/index.md | 1 + .../momentum/4/modules/summary-all-modules.md | 3 +- content/momentum/navigation.yml | 2 + 9 files changed, 194 insertions(+), 1 deletion(-) create mode 100644 content/momentum/4/config/enable-dane.md create mode 100644 content/momentum/4/config/tlsa-expire-interval.md create mode 100644 content/momentum/4/config/use-dane.md create mode 100644 content/momentum/4/modules/dane.md diff --git a/content/momentum/4/config/enable-dane.md b/content/momentum/4/config/enable-dane.md new file mode 100644 index 00000000..0765917f --- /dev/null +++ b/content/momentum/4/config/enable-dane.md @@ -0,0 +1,29 @@ +--- +lastUpdated: "06/01/2024" +title: "enable_dane" +description: "config option to enable application of DANE TLS verification for outbound mails" +--- + + +## Name + +enable_dane — specify whether Momentum should apply DANE TLS verification for outbound emails + +## Synopsis + +`enable_dane = "true|false"` + +## Description + +This option is only effective when [dane module](/momentum/4/modules/dane) is configured and + [use_dane](/momentum/4/config/use-dane) is `true` for a recipient domain. + +This option specifies whether Momentum should try to apply the DANE TLS verification rules defined + in TLSA record when sending emails to a remote site. + +The default value is `true` when `use_dane` is `true` for a domain. + + +## Scope + +`enable_dane` is valid in the binding, binding_group, domain and global scopes. diff --git a/content/momentum/4/config/index.md b/content/momentum/4/config/index.md index b2d056c2..e9527aa3 100644 --- a/content/momentum/4/config/index.md +++ b/content/momentum/4/config/index.md @@ -75,6 +75,7 @@ description: "This chapter provides the definitions of the configuration options | [ecstream_timeout](/momentum/4/config/ref-ecstream-timeout) | the amount of time to wait for an ecstream connection to be established | | [ehlo_hostname](/momentum/4/config/ref-ehlo-hostname) | set the hostname used for EHLO in outbound mail | | [ehlo_timeout](/momentum/4/config/ref-ehlo-timeout) | network timeout for EHLO | +| [enable_dane](/momentum/4/config/enable-dane) | enable application of DANE TLS verification on email delivery to a remote domain | | [enable_fbl_header_insertion](/momentum/4/config/ref-enable-fbl-header-insertion) | enable or disable fbl header insertion | | [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) | enable application of MTA-STS policy on email delivery to a remote domain | | [event_loop](/momentum/4/config/ref-event-loop) | associate a pool of event loops within a listener scope to use multiple threads | @@ -220,6 +221,7 @@ description: "This chapter provides the definitions of the configuration options | [tls_verified_peer_is_authorized](/momentum/4/config/tls-verified-peer-is-authorized) | Marks requests that use a verified SSL Client certificate as being authorized | | [tls_verify](/momentum/4/config/tls-verify) | specify how to handle the remote presented certificate | | [tls_verify_mode](/momentum/4/config/tls-verify-mode) | determine whether a TLS certificate is required | +| [tlsa_expire_interval](/momentum/4/config/tlsa-expire-interval) | how often to check for expired TLSA records | | [trace_smtp_mode](/momentum/4/config/ref-trace-smtp-mode) | set the default permissions of trace files | | [tracking_domain](/momentum/4/config/tracking-domain) | set the tracking domain to use for engagement tracking in SMTP injections | | [tracking_link_expiry](/momentum/4/config/tracking-link-expiry) | set the expiration time for engagement tracking for SMTP injections | @@ -227,6 +229,7 @@ description: "This chapter provides the definitions of the configuration options | [transform_8bitmime_content](/momentum/4/config/ref-transform-8-bitmime-content) | Enable 8BITMIME downconversion when sending mail | | [unlink_on_spool_in_failure](/momentum/4/config/ref-unlink-on-spool-in-failure) | Whether or not to remove malformed messages | | [_unsafe_spool](/momentum/4/config/ref-unsafe-spool) | allow dangerous spool semantics to be used | +| [use_dane](/momentum/4/config/use-dane) | enable DNSSEC validation on MX/A records, if both secure, TLSA record is fetched and DNSSEC validation is done for a domain | | [use_iflist_cache](/momentum/4/config/ref-use-iflist-cache) | Whether or not to cache the list of network interfaces configured by the system | | [use_ipv6](/momentum/4/config/ref-use-ipv-6) | Affects the selection of IPv6 hosts in the SMTP client | | [use_mmap](/momentum/4/config/ref-use-mmap) | use mmap when spooling messages from disk | diff --git a/content/momentum/4/config/ref-debug-flags.md b/content/momentum/4/config/ref-debug-flags.md index 3bcd7852..cacdd02f 100644 --- a/content/momentum/4/config/ref-debug-flags.md +++ b/content/momentum/4/config/ref-debug-flags.md @@ -65,6 +65,7 @@ Debug_Flags { | File Descriptors | FD | | SMTP | SMTP | | LOG1 | LOG1 | +| DANE | DANE | | DNS | DNS | | DNS data structures | DNSDS | | MTA-STS | MTA_STS | diff --git a/content/momentum/4/config/tlsa-expire-interval.md b/content/momentum/4/config/tlsa-expire-interval.md new file mode 100644 index 00000000..903e1491 --- /dev/null +++ b/content/momentum/4/config/tlsa-expire-interval.md @@ -0,0 +1,26 @@ +--- +lastUpdated: "06/01/2024" +title: "tlsa_expire_interval" +description: "tlsa expire interval how often to check for expired TLSA DNS records" +--- + +## Name + +tlsa_expire_interval — how often to check for expired TLSA records + +## Synopsis + +`tlsa_expire_interval = 3600` + +## Description + +How often the garbage collector should check for expired TLSA records. During email delivery, + a related TLSA record will be checked for expiration and removed from memory if expired. + The purpose of garbage collection controlled by this configuration option is to retire + the stale TLSA records which are not actively in use. + +The default is `3600` seconds. + +## Scope + +`tlsa_expire_interval` is valid in the global scope. diff --git a/content/momentum/4/config/use-dane.md b/content/momentum/4/config/use-dane.md new file mode 100644 index 00000000..de88605a --- /dev/null +++ b/content/momentum/4/config/use-dane.md @@ -0,0 +1,30 @@ +--- +lastUpdated: "06/01/2024" +title: "use_dane" +description: "config option to enable DANE TLSA DNS lookup for a domain" +--- + + +## Name + +use_dane — specify whether Momentum should check DNS record DNSSEC status and look up TLSA + records if applicable. + +## Synopsis + +`use_dane = "true|false"` + +## Description + +This option is only effective when [dane module](/momentum/4/modules/dane) is configured. + +This option specifies whether Momentum shall check the DNSSEC status of a domain's MX and A record, + and if both pass DNSSEC validation, corresponding TLSA record will be fetched and DNSSEC status + checked. + +The default value is `false`. + + +## Scope + +`use_dane` is valid in the domain and global scopes. diff --git a/content/momentum/4/modules/dane.md b/content/momentum/4/modules/dane.md new file mode 100644 index 00000000..21092cdb --- /dev/null +++ b/content/momentum/4/modules/dane.md @@ -0,0 +1,100 @@ +--- +lastUpdated: "06/01/2024" +title: "DANE support" +description: "DANE support TLSA DNSSEC" +--- + +The dane module handles DANE related DNS lookups and outbound STARTTLS enforcement and + verifications. + +DANE (DNS-Based Authentication of Named Entities) is a standard for improving transport security. + [RFC 7672](https://datatracker.ietf.org/doc/html/rfc7672) describes the use of DANE for improving + SMTP security between MTAs. + +Momentum has supported STARTTLS for a long time. The use of STARTTLS for establishing channel + security (encrypting the channel) can be achieved via the use of [tls](/momentum/4/config/ref-tls), + [tls_verify](/momentum/4/config/tls-verify) configuration options. + +DANE for SMTP security allows the remote side to enforce the use of STARTTLS whenever clients like + Momentum connect to the site to transfer email. RFC 7672 describes various methods through which + remote sites could advertise the availability of STARTTLS with them, and whether they require + the connecting clients to always use STARTTLS when communicating with them. + DANE requires that the DNS resolver support DNSSEC, a secure way of looking up DNS records. + Google DNS (8.8.8.8) is an example of a DNS lookup service that supports DNSSEC. + +Momentum 4.8 and above supports the use of DANE for enforcing SMTP security. + When DANE is enabled, Momentum must be configured with a DNS resolver that supports DNSSEC in order + for DANE to work properly. + If the new [dane module](/momentum/4/modules/dane) is enabled and the new directive + [use_dane](/momentum/4/config/use-dane) for a domain is set to `true`, + Momentum will lookup the remote site's STARTTLS preferences (through DNS resolution) and use that + information to influence whether STARTTLS is established or not with the remote site prior to + transferring email to it. If the remote site requires the use of STARTTLS, Momentum will only + transfer email to the remote site if STARTTLS was successful in establishing an encrypted channel + to the remote site. And, in accordance with the DANE standard, Momentum will attempt to verify + the certificate presented by the remote host during STARTTLS based on the fingerprints it obtained + through DNS TLSA records. If the remote site is strict about the use of STARTTLS, + and Momentum could not perform STARTTLS successfully (e.g, Momentum failed to verify that the + fingerprint of the certificate presented by the remote site matches the fingerprint of the + certificate specified in the TLSA DNS records), Momentum will not transfer email to the remote + server. Email is held in the queue until Momentum can establish STARTTLS successfully in accordance + with DANE protocol with the remote site. + +See RFC 7672 for more descriptions on how certificate matching is specified via the use of + TLSA DNS records. Please contact support if you have any further questions about DANE protocol. + +DANE works independently from and takes preference over the configuration controlled STARTTLS + behavior. + +When [MTA-STS](/momentum/4/mta-sts) is also enabled on a binding domain, + MTA-STS policy will apply to MX selection for + email delivery, but if secure TLSA record is available, only the DANE TLS validation will be + applied to establish the STARTTLS connection. If DANE TLS failed, no fallback to other + verification means (e.g. MTA-STS, or administrator configured STARTTLS behaviors defined by + [tls](/momentum/4/config/ref-tls) or [tls_verify](/momentum/4/config/tls-verify)). + +### Configuration + +You need to enable the dane module in the ecelerity configuration file to use the feature: + +``` +dane {} +``` + +### Note +With dane module enabled, you still need to have the following global/binding/domain scope + configuration options to fully enable the feature application on email sending. + +- [use_dane](/momentum/4/config/use-dane) +- [enable_dane](/momentum/4/config/enable-dane) + +The following configuration is the minimum needed to enable DANE TLSA lookup and TLS verification +for all domains: + +``` +dane {} +use_dane = true +``` + +[domain](/momentum/4/console-commands/domain) command is updated to show the TLSA record if available, + and a flag of `+dnssec` is added to each DNS record to indicate that they are DNSSEC + validated. An example is shown here: + +``` +Domain 'comcast.net' has 8 MXs and a TTL of 58 seconds +dnssec + [50 mx2c1.comcast.net. TTL:7198] +dnssec +TLSA '_25._tcp.mx2c1.comcast.net' has a TTL of 120 seconds +dnssec + 3 1 1 29b116c43593748345aa7f4c43717e792f94137a88b93d674de2ce1162f98625 + [96.102.18.146]:0 IPv4 (0.00ms con 0.00ms dlv)\ +... +``` + + +## Other DANE Related Configuration Options + +- [tlsa_expire_interval](/momentum/4/config/tlsa-expire-interval) + + +## Related [Debug_Flags](/momentum/4/config/ref-debug-flags) +- DANE + diff --git a/content/momentum/4/modules/index.md b/content/momentum/4/modules/index.md index 4fc70ceb..16490713 100644 --- a/content/momentum/4/modules/index.md +++ b/content/momentum/4/modules/index.md @@ -34,6 +34,7 @@ description: "Table of Contents 71 1 Introduction 71 2 ac auth Authentication Ha | [csapi](/momentum/4/modules/csapi) | Symantec CSAPI Antivirus Support | | [custom_bounce_logger](/momentum/4/modules/custom-bounce-logger) | Custom Bounce Logging | | [custom_logger](/momentum/4/modules/custom-logger) | User-defined Logging | +| [dane](/momentum/4/modules/dane) | DANE related DNS Lookups and TLS Verifications | | [delay_dsn](/momentum/4/modules/delay-dsn) | Delay DSN Generation | | [dnsbuf](/momentum/4/modules/dnsbuf) | Dynamically Set the DNS UDP Buffer Size | | [domainkeys](/momentum/4/modules/domainkeys) | Yahoo! DomainKeys | diff --git a/content/momentum/4/modules/summary-all-modules.md b/content/momentum/4/modules/summary-all-modules.md index 5fd08877..22031ab1 100644 --- a/content/momentum/4/modules/summary-all-modules.md +++ b/content/momentum/4/modules/summary-all-modules.md @@ -38,6 +38,7 @@ All modules are listed alphabetically with a brief description. Singleton module | [“csapi – Symantec CSAPI Antivirus Support”](/momentum/4/modules/csapi) | 4.0 | Integration for Symantec content scanners |   |   |  ✓ |   | | [“custom_bounce_logger – Custom Bounce Logging”](/momentum/4/modules/custom-bounce-logger) | 4.2 | Append a "User_String" to the end of each bounce record |  ✓ |   |   | [“bounce_logger – Momentum-Style Bounce Logging”](/momentum/4/modules/bounce-logger) | | [“custom_logger – User-defined Logging”](/momentum/4/modules/custom-logger) | 4.0 | Create custom logs |   |   |   |   | +| ["dane - DNS-based Authentication of Named Entities"](/momentum/4/modules/dane) | 4.8 | Support for DANE |   |   |   |   | | [“delay_dsn – Delay DSN Generation”](/momentum/4/modules/delay-dsn) | 4.0 | Configure and send delay DSNs |   |   |   |   | | [dk_sign](/momentum/4/modules/domainkeys) | 4.0 | Attach domain keys signatures to outbound mail |   |   |  ✓ |   | | [dk_validate](/momentum/4/modules/domainkeys) | 4.0 | Validate inbound mail checking domain keys signatures |   |   |  ✓ |   | @@ -97,4 +98,4 @@ All modules are listed alphabetically with a brief description. Singleton module | [“suppress_spool – Deferred Message Spooling”](/momentum/4/modules/suppress-spool) | 4.0 | Defer spool attempts |   |   |   |   | | [“syslog_io – The syslog_io Module”](/momentum/4/modules/syslog-io) (*singleton*) | 4.0 | Use the syslog wrapper to write entries to the log |  ✓ |   |   |   | | [“tls_macros – TLS-related Logging”](/momentum/4/4-tls-macros) | 4.0 | Provide several macros supporting custom logging of TLS-related data |   |   |   |   | -| [“url_ripper – URL Extraction”](/momentum/4/modules/url-ripper) | 4.0 | A toolkit for DNS-based content correlation |   |   |  ✓ |   | \ No newline at end of file +| [“url_ripper – URL Extraction”](/momentum/4/modules/url-ripper) | 4.0 | A toolkit for DNS-based content correlation |   |   |  ✓ |   | diff --git a/content/momentum/navigation.yml b/content/momentum/navigation.yml index 4340432d..0ca1eae8 100644 --- a/content/momentum/navigation.yml +++ b/content/momentum/navigation.yml @@ -513,6 +513,8 @@ title: Using Complex Templates - link: /momentum/4/mta-sts title: MTA-STS support + - link: /momentum/4/modules/dane + title: DANE support - link: /momentum/4/http-api-stats title: Stats HTTP API items: From ea976abe8753361109d3a705e8fb36813b544fa7 Mon Sep 17 00:00:00 2001 From: Doug Koerich Date: Tue, 9 Jul 2024 15:48:05 -0300 Subject: [PATCH 16/16] EOP-164: Fixing pending changes from reviews Signed-off-by: Doug Koerich --- .../momentum/4/config/mta-sts/enable-mta-sts.md | 14 +++++++------- .../config/mta-sts/mta-sts-dns-cname-max-depth.md | 4 ++-- content/momentum/4/config/mta-sts/use-mta-sts.md | 4 ++-- content/momentum/4/console-commands/mta-sts.md | 12 ++++++------ content/momentum/4/mta-sts.md | 8 ++++---- 5 files changed, 21 insertions(+), 21 deletions(-) diff --git a/content/momentum/4/config/mta-sts/enable-mta-sts.md b/content/momentum/4/config/mta-sts/enable-mta-sts.md index a87ba59c..8f4197d9 100644 --- a/content/momentum/4/config/mta-sts/enable-mta-sts.md +++ b/content/momentum/4/config/mta-sts/enable-mta-sts.md @@ -7,7 +7,7 @@ description: "config option to enable MTA-STS policy application for outbound ma ## Name -enable_mta_sts — specify whether Momentum should apply MTA-STS policies for outbound emails +enable_mta_sts — specify whether Momentum should apply MTA-STS policies for outbound emails. ## Synopsis @@ -23,15 +23,15 @@ emails to a remote site. See [MTA-STS support in Momentum](/momentum/4/mta-sts) When this option is `true`, the MTA-STS policy mode will be considered along with the configuration values for [TLS](/momentum/4/config/ref-tls) and [TLS_Verify](/momentum/4/config/tls-verify). - The more strict policy will apply. E.g. When the MTA-STS policy mode is `enforce`, regardless of the + The more strict policy will apply: + +- When the MTA-STS policy mode is `enforce`, regardless of the values for `TLS` and `TLS_Verify`, Momentum will enforce TLS (equivalent to `TLS = required`) and will fail the delivery upon a failed certificate validation (equivalent to `TLS_Verify = host`). - -When the MTA-STS policy mode is `testing`, Momentum will apply `TLS = ifavailable` (unless +- When the MTA-STS policy mode is `testing`, Momentum will apply `TLS = ifavailable` (unless `TLS = required` is specified) and `TLS_Verify = optional` (unless `TLS_Verify = host` is specified). - -When the MTA-STS policy mode is `none`, the policy will be ignored and the configuration values for +- When the MTA-STS policy mode is `none`, the policy will be ignored and the configuration values for `TLS` and `TLS_Verify` will be respected. The default value is `true` when `use_mta_sts` is `true` for a domain. @@ -39,4 +39,4 @@ The default value is `true` when `use_mta_sts` is `true` for a domain. ## Scope -`enable_mta_sts` is valid in the binding, binding_group, domain and global scopes. +`enable_mta_sts` is valid in the domain, binding, binding_group, and global scopes. diff --git a/content/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth.md b/content/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth.md index 563b8ac0..29e4c863 100644 --- a/content/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth.md +++ b/content/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth.md @@ -1,14 +1,14 @@ --- lastUpdated: "06/01/2024" title: "mta_sts_dns_cname_max_depth" -description: "config option on how many continous cname lookups are allowed when doing MTA-STS TXT +description: "config option on how many continuous CNAME lookups are allowed when doing MTA-STS TXT record lookup for a domain" --- ## Name -mta_sts_dns_cname_max_depth — specifies how many continous cname lookups are allowed when doing DNS +mta_sts_dns_cname_max_depth — specifies how many continuous `CNAME` lookups are allowed when doing DNS lookups for MTA-STS TXT record for a domain. Exceeding the configured value will be treated as a DNS lookup failure, which will be further treated as no MTA-STS policy available. diff --git a/content/momentum/4/config/mta-sts/use-mta-sts.md b/content/momentum/4/config/mta-sts/use-mta-sts.md index 4b658c20..ed6f1ab0 100644 --- a/content/momentum/4/config/mta-sts/use-mta-sts.md +++ b/content/momentum/4/config/mta-sts/use-mta-sts.md @@ -7,7 +7,7 @@ description: "config option to enable MTA-STS policy fetching for a domain" ## Name -use_mta_sts — specify whether Momentum should do MTA-STS policy fetching for a domain +use_mta_sts — specify whether Momentum should do MTA-STS policy fetching for a domain. ## Synopsis @@ -17,7 +17,7 @@ use_mta_sts — specify whether Momentum should do MTA-STS policy fetching for a This option specifies whether Momentum shall attempt to discover the recipient domain's MTA-STS policy (via a DNS TXT lookup to retrieve the MTA-STS policy ID and a HTTPS lookup to retrieve the - MTA-STS policy) + MTA-STS policy). The default value is `false`. diff --git a/content/momentum/4/console-commands/mta-sts.md b/content/momentum/4/console-commands/mta-sts.md index 16304434..ea7bd051 100644 --- a/content/momentum/4/console-commands/mta-sts.md +++ b/content/momentum/4/console-commands/mta-sts.md @@ -7,7 +7,7 @@ description: "mta_sts ec_console commands" ## Name -mta_sts - commands for MTA-STS related data +mta_sts - commands for MTA-STS related data. ## Synopsis @@ -19,7 +19,7 @@ mta_sts - commands for MTA-STS related data ## Description -**mta_sts list all** - lists all the active domains which have MTA-STS policies +**mta_sts list all** - lists all the active domains which have MTA-STS policies ``` 15:42:38 /tmp/2025> mta_sts list all @@ -27,8 +27,8 @@ gmail.com Total domains: 1 ``` -**mta-sts show domain { domain name }** - shows MTA-STS TXT record and policy details of a given domain. - The same content will be shown in [domain](/momentum/4/console-commands/domain) command output also if +**mta_sts show domain { domain name }** - shows MTA-STS TXT record and policy details of a given domain. + The same content will be shown in [domain](/momentum/4/console-commands/domain) command output also, if available. @@ -43,8 +43,8 @@ Domain 'gmail.com' has MTA-STS TXT and a TTL of 185 seconds *.gmail-smtp-in.l.google.com ``` -**mta-sts refresh policy {domain name}** - forces MTA-STS policy refresh by fetching the policy - from the HTTPS endpoint for a given domain +**mta_sts refresh policy {domain name}** - forces MTA-STS policy refresh by fetching the policy + from the HTTPS endpoint for a given domain. ``` diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md index 0fcbad53..2f3fe210 100644 --- a/content/momentum/4/mta-sts.md +++ b/content/momentum/4/mta-sts.md @@ -19,18 +19,18 @@ If the config option [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) for a - remote site matches at least one of the MX patterns defined in the recipient domain's MTA-STS policy - connection to remote site can be encrypted (via the use of STARTTLS) - - Momentum can authenticate both - the certificate chain presented by the server on the connection + - Momentum can authenticate both: the certificate chain presented by the server on the connection, and the server name in the certificate For verifying certificates, Momentum uses the configured CA for outbound email defined by [TLS_CA](/momentum/4/config/tls-ca). - Momentum does not currently check for certificate revocation via the Online Certificate Status + Momentum does *not* currently check for certificate revocation via the Online Certificate Status Protocol (RFC 6960). Momentum caches the MTA-STS policy for up to `max-age` specified in the policy, and attempts to refresh the cached policy once every 24 hours. -Momentum does not currently implement SMTP TLS Reporting (RFC 8460). +Momentum does *not* currently implement SMTP TLS Reporting (RFC 8460). The examples below illustrate a few cases describing how Momentum implements MTA-STS. For all examples the recipient domain would be `domain.com`. @@ -89,7 +89,7 @@ MX patterns defined in the MTA-STS policy since the policy mode is not `enforce` ## Related Configuration Options -- [MTA-STS configuration Options](/momentum/4/config/mta-sts) +- [MTA-STS configuration options](/momentum/4/config/mta-sts) ## Related [Debug_Flags](/momentum/4/config/ref-debug-flags)