| FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
#1 |
|
Member
Join Date: Jan 2008
Location: Great Britain
Posts: 76
|
Fastmail support for MTA-STS
My country's National Cyber Security Centre says
"The privacy of emails sent to [my] domain is at risk."
Nine years ago, Neil Jenkins (Fastmail's Chief Product Officer) wrote "Initiatives like MTA-STS will allow us to further protect against active man-in-the-middle attacks on mail delivery, and all without impacting usability" (my emphasis) on Fastmail's blog at https://www.fastmail.com/blog/the-fa...urity-mindset/
Does Fastmail now support MTA-STS?
|
|
|
|
|
#2 | |
|
Cornerstone of the Community
Join Date: Dec 2017
Location: Scotland
Posts: 868
|
Quote:
Why don't you ask them ... and then tell us - all users here - what they said? |
|
|
|
|
|
|
#3 | |
|
Member
Join Date: Jan 2008
Location: Great Britain
Posts: 76
|
Quote:
https://www.ncsc.gov.uk/blog-post/cy...tect-customers
I have just asked Fastmail - and await their answer.
|
|
|
|
|
|
#4 |
|
Cornerstone of the Community
Join Date: Dec 2017
Location: Scotland
Posts: 868
|
If FM do support this - for your incoming mails, my reading suggests that you need your domain to have its own https web server to host a policy file.
Do you have a web server? Just possibly (if you don't) the policy file could be hosted in your domain's "Files" area - I'm not in a position to test this as I don't have a TLS certificate for my custom domain.
Separately ... do they support it when sending your (or in fact any FM customer)'s outbound emails to other people's servers? Has anyone ever seen a "Delivery failed" status notification saying a recipient's server isn't sufficiently secure?
|
|
|
|
|
#5 |
|
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 9,133
|
You don’t say which domain you use for email. If it’s fastmail.com, then yes, Fastmail supports MTA-STS as follows (which can be confirmed using the free MXToolbox.com MTA-STS tool):
Code:
version: STSv1
mode: testing
mx: in1-smtp.messagingengine.com
mx: in2-smtp.messagingengine.com
max_age: 86400
I use my own personal domain for email, and the DNS records for this domain are hosted at Fastmail. Fastmail does add a number of DNS records automatically by default, but they don’t seem to be adding MTA-STS features for my personal domain.
Bill
|
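Added example, not part of any post in this thread and not Fastmail's code: a Python sketch of how a sending server that follows RFC 8461 reads a policy like the one quoted in post #5, matches an MX host against it, and acts under each mode. The function names and the action labels are hypothetical.

```python
import re

MAX_AGE_LIMIT = 31557600  # upper bound RFC 8461 sets for max_age, in seconds

def parse_policy(text):
    """Parse the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'key: value' line: {line!r}")
        if key.strip() == "mx":
            policy["mx"].append(value.strip().lower())  # mx may repeat
        else:
            policy.setdefault(key.strip(), value.strip())  # first occurrence wins
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not re.fullmatch(r"[0-9]+", policy.get("max_age", "")):
        raise ValueError("max_age must be a non-negative integer")
    # Clamping an oversized value is this example's choice, not the RFC's wording.
    policy["max_age"] = min(int(policy["max_age"]), MAX_AGE_LIMIT)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx")
    return policy

def mx_allowed(policy, mx_host):
    """True if mx_host matches an mx pattern; '*.' covers exactly one label."""
    host = mx_host.rstrip(".").lower()
    parent = host.partition(".")[2]  # everything after the left-most label
    return any(host == p or (p.startswith("*.") and parent == p[2:])
               for p in policy["mx"])

def sender_action(policy, mx_host, tls_valid):
    """Hypothetical labels for what a policy-honouring sender does with this MX."""
    if policy["mode"] == "none" or (mx_allowed(policy, mx_host) and tls_valid):
        return "deliver"
    # enforce: do not hand mail to this host; testing: deliver, report the failure
    return "skip-mx" if policy["mode"] == "enforce" else "deliver-and-report"

# Policy text as quoted in post #5, one field per line.
FASTMAIL_POLICY = ("version: STSv1\nmode: testing\n"
                   "mx: in1-smtp.messagingengine.com\n"
                   "mx: in2-smtp.messagingengine.com\nmax_age: 86400\n")
```

With `mode: testing`, as in the quoted policy, a failed MX match or certificate check does not stop delivery; only `enforce` makes the sender refuse the host.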
|
|
|
|
#6 | |
|
Member
Join Date: Jan 2008
Location: Great Britain
Posts: 76
|
Fastmail has now answered - as follows
Quote:
|
|
|
|
|
|
|
#7 |
|
Intergalactic Postmaster
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 5,221
|
Apparently users hosting domains at Fastmail can manually post the policy files for their domains and manually set up the required TXT records. I'm not sure this is enough: to work it would also require that Fastmail have the right certificates and I'm not sure if these are for the mx servers or for each domain that is receiving mail. Somewhere I also read that it has to be set up separately for each subdomain receiving mail, so it becomes problematic for people using many subdomains.
|
|
|
|
|
|
#8 |
|
Cornerstone of the Community
Join Date: Dec 2017
Location: Scotland
Posts: 868
|
FM's blog posts often push the idea that they are a brilliant place for businesses to host mail. Surely most such businesses would be using a corporate domain; not one of FM's 100+ (last time I looked) company domains?
Does the reply that "tsphillips" got mean incoming email for such custom domains isn't - by default - protected by MTA-STS (if the businesses set up the policy file on the business's web server & make the needed DNS changes, or ask FM to do that)? If it isn't - by default - does it also mean that FM don't support it (by request, or for more money)? |
|
|
|