How to enable MTA-STS within Caddyfile

1. Caddy version (caddy version):

2. How I run Caddy:

a. System environment:

Ubuntu 20.14

b. Command:

Paste command here.

c. Service/unit/compose file:

Paste full file contents here.
Make sure backticks stay on their own lines,
and the post looks nice in the preview pane.

d. My complete Caddyfile or JSON config:

…mydomain.com {
  reverse_proxy 127.0.0.1:5000
  tls {
    key …
  }
}

mta-sts.mydomain.com {
  respond "version: STSv1
mode: enforce
mx: mail.mydomain.com
max_age: 86401"
  header Content-Type "text/plain; charset=utf-8"
  tls {
    key …
  }
}…

Paste config here, replacing this text.
Use `caddy fmt` to make it readable.
DO NOT REDACT anything except credentials.
LEAVE DOMAIN NAMES INTACT.
Make sure the backticks stay on their own lines.

3. The problem I’m having:

Hi Sir,

My Caddyfile is as shown above, but it’s still not working as expected. Can anyone please help me with how to enable the MTA-STS policy for my server via the Caddyfile?

Thank you in advance!

4. Error messages and/or full log output:

[000.418] policy–>error could not retrieve policy: 500 Can’t connect to mta-sts.mydomain.com:443 (SSL connect attempt failed error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error)
[000.418] No Mail eXchangers found; will try TLS directly to host.

5. What I already tried:

6. Links to relevant resources:

As we’ve told you in another topic, Caddy is an HTTP server. You’re trying to use it to proxy SMTP, which is not HTTP.


Caddy can be used to proxy non-HTTP protocols with this plugin:


MTA-STS (full name SMTP Mail Transfer Agent Strict Transport Security) is a new standard that aims to improve the security of SMTP by enabling domain names to opt into a strict transport layer security mode that requires authentication (valid public certificates) and encryption (TLS).
(see e.g. https://www.hardenize.com/blog/mta-sts )

It uses a web server to distribute the policy from the URL https://mta-sts.example.com/.well-known/mta-sts.txt (host name mta-sts + your own domain):

mta-sts.mydomain.com {
  tls {
    key_type rsa2048
  }
  root * /some/folder/on/your/server
  file_server
}

Put an mta-sts.txt with your policy in a .well-known subfolder of the root folder.

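A small validator for the policy file described in the answer above, added here as an example for this thread (it is not Caddy code or the poster's own): it parses mta-sts.txt as specified in RFC 8461 and applies the same checks to the served response (HTTP 200, Content-Type text/plain) that a sending MTA applies, using a constructed sample in the shape of the policy quoted earlier in the thread; the status and content type passed to check_served_policy are assumed to come from your own HTTPS fetch.

```python
"""Validate an MTA-STS policy file and the HTTPS response that serves it (RFC 8461)."""
import re

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age is at most one year, in seconds
MX_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$")  # host or *.domain pattern

# Constructed sample, in the same shape as the policy quoted earlier in this thread.
SAMPLE_POLICY = "version: STSv1\r\nmode: enforce\r\nmx: mail.mydomain.com\r\nmax_age: 86401\r\n"

def parse_policy(text):
    """Return (fields, errors); 'mx' collects every mx line into a list."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.replace("\r\n", "\n").split("\n"), 1):
        line = raw.strip()
        if not line:
            continue  # blank line left by the trailing line terminator
        if ":" not in line:
            errors.append(f"line {lineno}: expected 'key: value', got {line!r}")
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            fields.setdefault("mx", []).append(value.lower())
        elif key in fields:
            errors.append(f"line {lineno}: duplicate field {key!r}")
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        errors.append("version must be STSv1")
    mode = fields.get("mode")
    if mode not in VALID_MODES:
        errors.append(f"mode must be one of {sorted(VALID_MODES)}, got {mode!r}")
    age = fields.get("max_age", "")
    if not re.fullmatch(r"[0-9]+", age) or int(age) > MAX_AGE_LIMIT:
        errors.append(f"max_age must be a non-negative integer <= {MAX_AGE_LIMIT}")
    mxs = fields.get("mx", [])
    if mode in ("enforce", "testing") and not mxs:
        errors.append("at least one mx line is required unless mode is none")
    errors += [f"invalid mx pattern {mx!r}" for mx in mxs if not MX_RE.match(mx)]
    return fields, errors

def check_served_policy(status, content_type, body):
    """Fetch rules a sending MTA applies: HTTP 200 (redirects are not followed), text/plain."""
    errors = []
    if status != 200:
        errors.append(f"expected HTTP 200, got {status}")
    if content_type.split(";")[0].strip().lower() != "text/plain":
        errors.append(f"Content-Type must be text/plain, got {content_type!r}")
    return errors + parse_policy(body)[1]
```

Running check_served_policy against the body and headers you fetch from your own mta-sts host reproduces, offline, the first thing a remote MTA decides before it will enforce the policy.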

Hi Jochen,

Thanks for your guidance.

But I want to serve a single SSL for all my subdomains, including the primary one. So, please guide me with the exact syntax to write in the Caddyfile to achieve it.

I hope you understand that I want to secure the domains below with one SSL:
mydomain.com, mail.mydomain.com, track.mydomain.com. All of these are on the same server…

How do I combine all of these into one, to be served with a single SSL:

…mydomain.com {
  reverse_proxy 127.0.0.1:5000
  tls {
    key_ …
  }
}

track.mydomain.com {
  reverse_proxy 127.0.0.1:5000
  tls {
    key_ …
  }
}

views.mydomain.com {
  reverse_proxy 127.0.0.1:5000
  tls {
    key_ …
  }
}

Awaiting your help. Thank you in advance!

Hi Sir,

After I ran this command, `xcaddy build --with github.com/mholt/caddy-l4`, the entire SSL of my website as well as the TLS I used for SMTP has gone wrong and is giving a few errors as shown below:

https://mydomain.com: SSL ERROR

https://mta.sts.mydomain.com: Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

When I try to send emails via TLS: No SMTP servers were available — SSL_connect returned=1 errno=0 state=error: dh key too small

But my Caddyfile is still the same as below:

mydomain.com {
  reverse_proxy 127.0.0.1:5000
  tls {
    key_ …
  }
}

mta-sts.mydomain.com {
  respond "version: …
mode: …
mx: …
max_age: …"
  tls {
    key_ …
  }
}

Sir, I hope you understand that I want to use a single Caddy SSL to secure my website, subdomains such as mta-sts, as well as my emails via TLS. So, my humble request to you is to please guide me on how to solve this.

Awaiting reply. Thank you in advance!