If you're a cave dweller who has no idea what MTA-STS is then do not bother reading further: you need DNSSEC (my blog), DANE (my blog), TLS, email servers (my blog) and other stuff even to start considering this.
Still here? Then you need an extra website per domain name, even more TLS and a few DNS entries, since why not.
If anybody ever uses it, well done, since even Google does not have some of the requirements I listed. You begin by reading the IETF documents for MTA-STS and TLS-RPT, sigh a lot and start doing things.
It uses a website and DNS TXT records, which while not hard is a bit convoluted. I will need at least one cron job to manage MTA-STS and for when I need to make new TLSA hashes.
Essentially it serves one file that gets a mail server past the "does it have TLS support and is it trustable" question. MTA-STS is one part of a bigger setup, not a do-one-thing-and-it-is-ready job.
The first zoo domain was pretty hard, mostly due to our website software being dumb; the remaining three were way too easy. I think thirty minutes per site [including getting a TLS cert] is needed once you know what you're doing.
Essentially this encapsulates it
Although curl or wget will be used, and their output interpreted, before a logic statement gives the mail server a yay or nay.
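The yay-or-nay step above, written out as an added example (not the blog's own code): the checks a sending MTA applies to an MTA-STS TXT record and policy file per RFC 8461. The domain, MX names, policy and TXT record are constructed samples; it assumes curl for the live fetch, which is kept separate from the parsing so the decision logic runs offline.

```sh
#!/bin/sh
# Added example, not the blog's code: the checks a sending MTA applies to an
# MTA-STS policy (RFC 8461). Fetching is kept separate from parsing so the
# parser can run on a constructed policy with no network. Names are made up.

# Constructed sample of https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY='version: STSv1
mode: enforce
mx: mail.example.test
mx: *.backup.example.test
max_age: 604800'

# Constructed sample of the TXT record at _mta-sts.<domain>
SAMPLE_TXT='v=STSv1; id=20240101T000000;'

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# TXT record: needs v=STSv1 and an id of 1-32 alphanumerics; prints the id.
# A changed id is what tells a sender the policy file must be refetched.
mta_sts_check_txt() {
    rest=$(printf '%s' "$1" | tr -d ' ') version='' id=''
    while [ -n "$rest" ]; do
        field=${rest%%;*}
        case $rest in *\;*) rest=${rest#*;} ;; *) rest='' ;; esac
        case $field in
            v=*)  version=${field#v=} ;;
            id=*) id=${field#id=} ;;
        esac
    done
    [ "$version" = STSv1 ] || return 1
    case $id in ''|*[!A-Za-z0-9]*) return 1 ;; esac
    [ ${#id} -le 32 ] || return 1
    printf '%s\n' "$id"
}

# Policy file: prints "mode=... mx_count=... max_age=..." if well formed.
mta_sts_parse_policy() {
    version='' mode='' max_age='' mx_count=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')    # CRLF line ends are allowed
        case $line in
            version:*) version=$(trim "${line#version:}") ;;
            mode:*)    mode=$(trim "${line#mode:}") ;;
            mx:*)      mx_count=$((mx_count + 1)) ;;
            max_age:*) max_age=$(trim "${line#max_age:}") ;;
        esac                                        # unknown keys are ignored
    done <<EOF
$1
EOF
    [ "$version" = STSv1 ] || return 1
    case $mode in enforce|testing|none) ;; *) return 1 ;; esac
    case $max_age in ''|*[!0-9]*) return 1 ;; esac
    [ "$max_age" -le 31557600 ] || return 1          # one year, the RFC maximum
    [ "$mode" = none ] || [ "$mx_count" -gt 0 ] || return 1
    printf 'mode=%s mx_count=%s max_age=%s\n' "$mode" "$mx_count" "$max_age"
}

# Does an MX hostname match one of the policy's mx: patterns? A leading "*."
# covers exactly one label: *.backup.example.test does not cover a.b.backup.example.test.
mta_sts_mx_matches() {   # policy mx_host
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r line; do
        case $line in mx:*) ;; *) continue ;; esac
        pattern=$(trim "${line#mx:}" | tr -d '\r' | tr 'A-Z' 'a-z')
        case $pattern in
            '*.'*)
                suffix=${pattern#\*.}
                prefix=${host%."$suffix"}
                if [ "$prefix" != "$host" ] && [ -n "$prefix" ] \
                   && [ "${prefix#*.}" = "$prefix" ]; then return 0; fi ;;
            *)  [ "$pattern" = "$host" ] && return 0 ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# Live fetch: HTTPS only, certificate verified, no redirects (curl's default)
# and a 60 s limit, as the RFC requires. Not called in the offline demo.
mta_sts_fetch_policy() {   # domain
    curl -sS --fail --max-time 60 --proto '=https' \
        "https://mta-sts.$1/.well-known/mta-sts.txt"
}

# The yay-or-nay step: deliver, refuse, or deliver but report (testing mode).
mta_sts_decide() {   # policy mx_host
    summary=$(mta_sts_parse_policy "$1") || { echo 'invalid policy'; return 1; }
    mode=${summary#mode=}; mode=${mode%% *}
    if mta_sts_mx_matches "$1" "$2" || [ "$mode" = none ]; then echo deliver
    elif [ "$mode" = enforce ]; then echo refuse; return 1
    else echo deliver-and-report    # testing: deliver anyway, note it in the TLS-RPT report
    fi
}

echo "policy id: $(mta_sts_check_txt "$SAMPLE_TXT")"
echo "mail.example.test: $(mta_sts_decide "$SAMPLE_POLICY" mail.example.test)"
```

Swap `SAMPLE_POLICY` for `$(mta_sts_fetch_policy yourdomain)` to run it against a live policy; a fetch failure with no cached policy means "behave as if there were no policy", which is why the fetch is not part of the decision function.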
It will be interesting to see if anybody bothers with MTA-STS. The DNS bit is not hard, but I imagine the use of DNS, a web server and TLS together will make the solution quite tricky for some, especially if you have to involve three or four people.
Hosting companies might have issues with MTA-STS, so you're probably looking at a real server, not some shared VM.
Since MTA-STS is new, my TLS config is good (A+) but is not suitable for Windows 95 browsers/PCs, so do not expect the aged to do this stuff.
My cron job does this for each domain name:
- gets a TLSA string and saves it to a file
- compares the old string to the current string and says so if required
- moves the new string to the old string for the next time
- prints the TLS expiry on the cert
So it needs some human to act on the results; I don't automate it all, since I also have to sign the DNSSEC zone with the changes. What happens when MTA-STS is invalid is something I have yet to discover.
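The four-step cron check listed above, as an added example (not the blog author's script): it pulls the MX certificate, computes the "3 1 1" TLSA string, compares it with last run's saved copy, rotates the file, prints the expiry, and also checks the published TLSA record against the live certificate. It assumes openssl and dig are installed and a state directory under `$HOME`; the MX hostname is a placeholder.

```sh
#!/bin/sh
# Added example (not the blog author's cron job): the per-domain check the post
# describes. Needs openssl for the certificate steps and dig for the DNS check;
# the compare-and-rotate logic is plain shell. Hostnames and paths are assumptions.

STATE_DIR=${STATE_DIR:-"$HOME/.tlsa-state"}   # assumed location for the saved strings

# Pull the server certificate out of an SMTP STARTTLS handshake as PEM.
fetch_smtp_cert() {   # host port
    openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" \
        </dev/null 2>/dev/null | openssl x509
}

# TLSA "3 1 1" record data for a PEM certificate: usage 3 (DANE-EE),
# selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256 of the SPKI DER).
tlsa_from_cert() {   # cert.pem
    hash=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}')
    printf '3 1 1 %s\n' "$hash"
}

# Return 0 if the certificate expires within the next N seconds.
cert_expires_within() {   # cert.pem seconds
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Print notAfter so a human sees the expiry in the cron mail.
cert_not_after() {   # cert.pem
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Compare the fresh TLSA string with the one saved last run, report
# new/changed/unchanged, and rotate the new value into the state file.
tlsa_record_changed() {   # state_file new_string
    if [ ! -f "$1" ]; then
        result=new
    elif [ "$(cat "$1")" = "$2" ]; then
        result=unchanged
    else
        result=changed
    fi
    printf '%s\n' "$2" > "$1"
    printf '%s\n' "$result"
}

# The record currently published in DNS, normalised to lowercase hex with
# no spaces so it compares equal to tlsa_from_cert output.
published_tlsa() {   # host port
    dig +short TLSA "_${2}._tcp.$1" | head -n 1 | {
        read -r usage selector mtype rest
        printf '%s %s %s %s\n' "$usage" "$selector" "$mtype" \
            "$(printf '%s' "$rest" | tr -d ' ' | tr 'A-F' 'a-f')"
    }
}

# One MX host's check, as the cron job would run it.
check_domain() {   # mx_host
    host=$1 port=25
    mkdir -p "$STATE_DIR"
    cert=$(mktemp) || return 1
    fetch_smtp_cert "$host" "$port" > "$cert" || { rm -f "$cert"; return 1; }
    record=$(tlsa_from_cert "$cert")
    echo "$host: $(tlsa_record_changed "$STATE_DIR/$host.tlsa" "$record") TLSA $record"
    [ "$(published_tlsa "$host" "$port")" = "$record" ] \
        || echo "$host: published TLSA does not match the live certificate, update and re-sign the zone"
    echo "$host: certificate expires $(cert_not_after "$cert")"
    cert_expires_within "$cert" $((30 * 86400)) && echo "$host: renew within 30 days"
    rm -f "$cert"
}

# From cron, one line per MX host (placeholder name):
#   check_domain mail.example.test
```

Only the state-file comparison decides "changed"; the DNS line is the extra check that catches the case the post leaves to a human, a renewed certificate whose new hash was never published and signed.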
As it is new I might just experiment with it.
When I wrote this it appears that I am valid for MTA-STS. To delete it I would:
- delete the web server confs
- delete the specific A records in DNS
- remove the TXT DNS records
So while not that hard, it's multidisciplinary.