pfSense Self Hosting MTA-STS Policy and Certificate?
-
BACKGROUND
I've been receiving some spoofed emails for my domain, so I implemented strict/reject level SPF, DKIM, DMARC, and TLS TXT records for my domain. It is working very effectively.
ADDING MTA-STS POLICY
Although I have read that 90% of the largest mail servers use TLS between servers, it is an "opportunistic" requirement, which is still subject to MITM downgrade attacks.
My next step is to create an MTA-STS policy file and certificate, and create an MTA-STS TXT record to ensure emails are encrypted between mail servers. The question is where to host the policy and certificate? My current domain provider does not offer web hosting or partner with a web hosting provider.
My options are:
- Pay for a hosted web server ($$$)
- Pay for hosting MTA-STS files with one of the many SPF/DKIM/DMARC analytics providers. ($$)
- Self host my own web server on a dedicated appliance or VM ($)
I would like to avoid all three.
QUESTION
Since I already have an HA pfSense appliance, is there a package or another way to host the MTA-STS policy and certificate on pfSense that will survive reboots/updates/re-installs?
-
@elvisimprsntr said in pfSense Self Hosting MTA-STS Policy and Certificate?:
Pay for a hosted web server ($$$)
$$$ for what? A VPS that can be as cheap as, like, $1 a month??
I doubt hosting this requires much CPU, storage, or bandwidth. Look on lowendbox; I have a few VPSes around and my most expensive one is $24 a year.
-
@johnpoz said in pfSense Self Hosting MTA-STS Policy and Certificate?:
Look on lowendbox
Thank you for sharing... it beats my $6/month at DigitalOcean... is it a British company? They have a server in Dallas...
-
@elvisimprsntr said in pfSense Self Hosting MTA-STS Policy and Certificate?:
so I implemented strict/reject level SPF, DKIM, DMARC, and TLS TXT records for my domain.
People still find ways to mitigate such a strong implementation... some folks use localhost (doing DNS) on the server to send the rejected message with the unwanted content to the email account holder... I had to aggressively bitch at my host provider to clean up their server. Most of the time the folks use Google to attempt the spoofing... see my post here: https://forum.netgate.com/topic/180831/why-i-don-t-like-localhost-doing-dns
I applaud Facebook for developing DMARC... the only good they have done for mankind.
-
@johnpoz said in pfSense Self Hosting MTA-STS Policy and Certificate?:
Look on lowendbox; I have a few VPSes around and my most expensive one is $24 a year.
Thanks for the suggestion. Short term, I think I'm going to self-host while I figure out the exact MX records (since a third party is hosting my email) for the MTA-STS policy file, get a valid certificate, and make sure it works.
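Since the original post and this reply both come down to writing a correct MTA-STS policy file (the `mx:` lines have to cover the real MX hosts, and in `enforce` mode any host they miss is unusable), here is an added example, not from the thread, that parses and checks a policy in the RFC 8461 format. The domain, policy body and MX host list are constructed for illustration.

```python
# Constructed sample policy body, as it would be served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (domain is hypothetical)
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.com
max_age: 604800
"""
# Constructed MX hostnames (what an MX lookup of the domain would return)
SAMPLE_MX_HOSTS = ["mail.example.com", "mx1.mx.example.com", "backup.example.net"]

def parse_policy(text):
    """Parse 'key: value' lines into a dict; every 'mx' value is kept in a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is well-formed."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        problems.append("max_age must be a non-negative integer")
    for pattern in policy["mx"]:
        if "*" in pattern and (not pattern.startswith("*.") or "*" in pattern[2:]):
            problems.append(f"wildcard allowed only as the leftmost label: {pattern}")
    return problems

def mx_matches(pattern, host):
    """RFC 8461 matching: a leading '*.' covers exactly one leftmost label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def uncovered_mx(policy, mx_hosts):
    """MX hosts no mx: pattern covers; in enforce mode, sending MTAs refuse to use them."""
    return [h for h in mx_hosts if not any(mx_matches(p, h.lower()) for p in policy["mx"])]
```

Run `uncovered_mx(parse_policy(SAMPLE_POLICY), SAMPLE_MX_HOSTS)` against your own MX list before switching `mode` from `testing` to `enforce`; the `_mta-sts` TXT record's `id` must change whenever the file does so senders refetch it.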
-
@NollipfSense said in pfSense Self Hosting MTA-STS Policy and Certificate?:
is it a British company?
lowendbox has listings of all kinds of low-cost VPSes, so they could be all over, different companies, etc.