This is a technical guide for administrators affected by the STARTTLS Everywhere project. Check out our overview post of the project!
The STARTTLS policy list started off as a mechanism for
We're continuing to promote more scalable ways for securing your mailserver, like MTA-STS and DANE. For the time being, here are some guidelines if your mailserver is using the STARTTLS policy list for security.
What if My Mailserver Is on the List?
If you are not already, we highly recommend using MTA-STS or DANE (or both!) to advertise your TLS information. We will also continue to pull updates from MTA-STS observations to update the list for domains that are currently loaded, but entries that were added manually can't be changed unless your server deploys MTA-STS. If you are queued to be added to the list, your domain will still be added. Mailserver operators should have also received an email with more details; if you haven't, feel free to ping firstname.lastname@example.org.
What if I'm Using the List to Validate Others?
If you're using our Python plugin to generate security policies for Postfix, we recommend additionally using MTA-STS or DANE to validate others' security policies. The list will continue to work, and existing entries will continue to be updated for the foreseeable future, but we won't be adding new domains to the list.
How Do I Adopt MTA-STS?
To advertise your mailserver's TLS information over MTA-STS, there are two steps:
- Indicate you support MTA-STS over DNS.
- Advertise your server's TLS information over HTTPS.
To validate MTA-STS, there is a community-developed Postfix plugin that can help you secure your sent emails.
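To make the two publication steps concrete, here is an added example (not code from the EFF project or its Postfix plugin) that parses what a sending MTA would fetch: the `_mta-sts` DNS TXT record and the `mta-sts.txt` policy file served over HTTPS, then checks a candidate MX hostname against the policy's `mx` patterns. The sample records and the example.com / example.net hostnames are constructed for the example, not real deployments.

```python
from dataclasses import dataclass

# Constructed sample records: the TXT record published at _mta-sts.<domain>
# and the policy body served at https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_TXT = "v=STSv1; id=20190806T010101;"
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.example.net\nmax_age: 604800\n"

@dataclass
class StsPolicy:
    mode: str
    max_age: int
    mx: list

def parse_sts_txt(txt: str) -> str:
    """Return the policy id from the _mta-sts TXT record; raise if it is not STSv1."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if kv.strip())
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STSv1 TXT record")
    return fields["id"]

def parse_sts_policy(text: str) -> StsPolicy:
    """Parse mta-sts.txt; reject unknown versions/modes or a missing max_age."""
    fields, mx = {}, []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        elif key:
            fields[key] = value
    if (fields.get("version") != "STSv1" or fields.get("mode") not in ("enforce", "testing", "none")
            or not fields.get("max_age", "").isdigit()):
        raise ValueError("malformed MTA-STS policy")
    return StsPolicy(fields["mode"], int(fields["max_age"]), mx)

def mx_matches(policy: StsPolicy, mx_host: str) -> bool:
    """Pattern match per RFC 8461: a leading '*.' covers exactly one leftmost label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            parent = pattern[2:]
            if host.endswith("." + parent) and "." not in host[: -len(parent) - 1]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_allowed(policy: StsPolicy, mx_host: str) -> bool:
    """Enforce mode refuses unlisted MX hosts; testing/none modes only report them."""
    return policy.mode != "enforce" or mx_matches(policy, mx_host)
```

A real validator additionally fetches the policy over HTTPS with certificate verification, caches it for `max_age` seconds, and refetches only when the TXT record's `id` changes.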
How Do I Adopt DANE?
To advertise your mailserver's TLS information over DANE, your domain must first support DNSSEC; you will need to check this with your domain registrar. If you are using a DNS provider, you can check whether they automatically support DNSSEC.
Once you have verified DNSSEC support, this guide can help you get started with using Let's Encrypt certificates with DANE. Most open-source mailservers, including Postfix and Exim, can be configured to validate DANE.