
Question Configuring Mail Transfer Agent Strict Transport Security (MTA-STS)

learning_curve

Silver Pleskian
MTA-STS (reference link) is not (yet!) a current function within Plesk. It's been sat in the Plesk User Voice area for years, but has not been progressed.

It should be relatively straightforward to apply (certainly on a non-Plesk controlled server), but has anybody actually worked this right through, to a successfully operational stage, on domains that are hosted on a server that's controlled by Plesk? If you have, did you need to add anything (to make this function within the Plesk rules and policies) other than...: The MTA-STS DNS records (A, CNAME, TXT) and a new associated sub-domain, plus the MTA-STS policy file?

A related, small, self-mod is disabling plain text authorisation within here: /etc/dovecot/conf.d/10-plesk-security.conf but that's nowhere near as effective as the above.

I just implemented MTA-STS, plus TLS reporting for it. Now it's operational for that domain.

Other than what you've stated - adding the subdomain, policy file and records - I didn't have to do anything else, other than verifying all is implemented well and starting monitoring. I use Dmarcian's dashboard & tools for that and followed these articles:
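As an added example (not from the thread, and not Plesk's own code), here is a small Python checker for the three pieces both posts above mention: the _mta-sts TXT record, the _smtp._tls TLS reporting TXT record and the policy file served from the mta-sts subdomain. The domain example.com, the record values and the MX host names are constructed assumptions; the record and policy formats follow RFC 8461 and RFC 8460.

```python
# Added example, not from the thread: constructed records for hypothetical example.com.
MTA_STS_TXT = "v=STSv1; id=20240112T101500"  # TXT at _mta-sts.example.com
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"  # TXT at _smtp._tls.example.com
POLICY_FILE = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""  # body served at https://mta-sts.example.com/.well-known/mta-sts.txt

def parse_txt(record):
    """Parse a 'k=v; k=v' TXT record (the _mta-sts and _smtp._tls formats)."""
    fields = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key] = value.strip()
    return fields

def parse_policy(text):
    """Parse mta-sts.txt: 'mx' may repeat, every other key is single-valued."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "mx":
            policy["mx"].append(value.strip())
        elif key.strip():
            policy[key.strip()] = value.strip()
    return policy

def mx_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):  # RFC 8461: '*.' stands for exactly one label
        return host.endswith(pattern[1:]) and "." not in host[:-len(pattern[1:])]
    return pattern == host

def validate(sts_txt, tlsrpt_txt, policy_text, mx_hosts):
    """Return the problems found; an empty list means the three pieces agree."""
    sts, rpt, pol = parse_txt(sts_txt), parse_txt(tlsrpt_txt), parse_policy(policy_text)
    problems = []
    for name, rec, ver, need in (("_mta-sts", sts, "STSv1", "id"), ("_smtp._tls", rpt, "TLSRPTv1", "rua")):
        if rec.get("v") != ver or not rec.get(need):
            problems.append(f"{name} TXT must carry v={ver} and a non-empty {need}=")
    if pol.get("version") != "STSv1" or pol.get("mode") not in ("enforce", "testing", "none"):
        problems.append("policy needs 'version: STSv1' and mode enforce/testing/none")
    if not pol.get("max_age", "").isdigit():
        problems.append("policy needs an integer 'max_age' in seconds")
    problems += [f"MX {h} matches no 'mx:' line" for h in mx_hosts
                 if not any(mx_matches(p, h) for p in pol["mx"])]
    return problems
```

Run validate() against the live TXT records and the fetched policy body before switching mode from testing to enforce; any MX host that matches no mx: line is the classic cause of senders refusing delivery under enforce.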
Excellent!! That's a much appreciated post ;) Thank you.
It was obvious that somebody else, using Plesk, somewhere.... would have already done this, but finding them was the challenge!

We're definitely going to do the same, but as we're so close now, it will be just after the next Plesk upgrade to 18.0.41 (which should be very soon).

AFAIK the next Plesk upgrade should have no detrimental, technical effect on this addition (in theory), but we'll ask you - just in case - after 18.0.41 is released. Unless... you've run a Plesk upgrade (say from 18.0.39 > 18.0.40) since you've implemented it? In which case, you'll already know the answer!
 
Thanks and my apologies @learning_curve, as I just noticed you replied back.

If I understand you correctly, I might have good news for you:

At the time I posted my previous answer (Jan 6th), the server was indeed running Plesk 18.0.39.
Yesterday (Jan 12th) Plesk auto-updated to 18.0.40 and as far as I can see yet, there are no problems after the update, I still get (TLS) reports coming through in the Dmarcian monitoring tool, they correctly state the policy, etc.

Your post made me curious though: as MTA-STS + the reporting are all implemented by DNS TXT entries, are there specific changes you've seen or are anticipating in the Plesk updates 18.0.39 / .40 / .41 that can cause trouble for the MTA-STS implementation? (Because, if so, I think I might have missed that ;)
To answer that ^ specific point, No. Only Plesk know what's coming in the release, anything that we think that we have, is just speculation :)

You've helpfully advised there that your upgrade from Plesk 18.0.39 to 18.0.40 caused no detrimental effects for you, so what we will do next is implement this on just one domain now, wait for the Plesk upgrade 18.0.40 > 18.0.41 and (assuming that we achieve the same results as you, which in theory anyway, we should do!) then roll it out to all of the other domains too.

We've ignored the Plesk mini-upgrades (e.g. the last being 18.0.40 #2) as they are often bug fixes, following on from the previous major upgrade etc.

Will post an update when done.
Ah I see, thanks. And great to hear you find my feedback useful.

Hopefully your implementation worked out well for that single domain, or maybe you've already rolled out on all domains at this time. In any case, good luck implementing and let's hope the Plesk devs might bake this functionality natively into Plesk in the future (like DKIM). It'd make the implementation a tad easier and increase chances that a lot more pleskians will make use of this policy.

Small update: our servers just upgraded to 18.0.40 #3 and still no bad effects thus far ;)