This tool verifies whether a given host correctly implements the new, in-development MTA-STS standard for downgrade-resistant secure email. It is very new and not very well tested, so don't rely on its results too much.
Online version: https://aykevl.nl/apps/mta-sts/
License: BSD 2-clause license (see LICENSE.txt).
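As an added example (not code from the mta-sts project itself), the block below shows the two artefacts such a checker has to parse and validate offline: the `_mta-sts.<domain>` TXT record and the policy body served at `https://mta-sts.<domain>/.well-known/mta-sts.txt`, following the field syntax and the wildcard rule of RFC 8461. The DNS record, policy text and MX host list are constructed sample data embedded inline, so nothing is looked up over the network; the function and constant names are this example's own.

```python
# Added example, not part of the mta-sts project: offline parsing and
# validation of an MTA-STS TXT record and policy file (RFC 8461).
# All inputs are constructed sample data; no DNS or HTTPS lookups are made.
import re

# TXT record syntax: "v=STSv1; id=<1..32 alphanumerics>" (trailing ';' allowed).
STS_TXT_RE = re.compile(r"^v=STSv1;\s*id=([A-Za-z0-9]{1,32})\s*;?\s*$")

# Upper bound on max_age from RFC 8461 section 3.2 (one year in seconds).
MAX_AGE_LIMIT = 31557600


def parse_sts_txt(record):
    """Return the policy id from a _mta-sts TXT record, or raise ValueError."""
    match = STS_TXT_RE.match(record.strip())
    if not match:
        raise ValueError("malformed MTA-STS TXT record: %r" % record)
    return match.group(1)


def parse_policy(text):
    """Parse and validate a policy body into a dict.

    Result keys: version, mode, max_age (int) and mx (list of patterns).
    Unknown fields are ignored, as the RFC requires for forward compatibility.
    """
    fields = {"mx": []}
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("policy line without ':': %r" % line)
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            fields["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            if key in fields:
                raise ValueError("duplicate field %r" % key)
            fields[key] = value
    for required in ("version", "mode", "max_age"):
        if required not in fields:
            raise ValueError("missing field %r" % required)
    if fields["version"] != "STSv1":
        raise ValueError("unsupported version %r" % fields["version"])
    if fields["mode"] not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode %r" % fields["mode"])
    if not fields["max_age"].isdigit() or int(fields["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError("invalid max_age %r" % fields["max_age"])
    fields["max_age"] = int(fields["max_age"])
    if fields["mode"] != "none" and not fields["mx"]:
        raise ValueError("mode %s requires at least one mx field" % fields["mode"])
    return fields


def policy_error(text):
    """Return the validation error message for a policy body, or None if valid."""
    try:
        parse_policy(text)
    except ValueError as exc:
        return str(exc)
    return None


def mx_matches(mx_host, pattern):
    """True if an MX hostname is covered by a policy mx pattern.

    A leading "*." matches exactly one leftmost label (RFC 8461 section 4.1):
    "*.example.com" covers "mail.example.com" but not "a.b.example.com"
    or "example.com" itself.
    """
    host = mx_host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]
    return host == pattern


def uncovered_mx(policy, mx_hosts):
    """Return the MX hosts that no mx pattern in the policy covers.

    Under mode=enforce, a sending MTA that honours the policy refuses to
    deliver to such hosts, which is the misconfiguration a checker must flag.
    """
    return [h for h in mx_hosts if not any(mx_matches(h, p) for p in policy["mx"])]


# Constructed sample data standing in for the DNS and HTTPS lookups.
SAMPLE_TXT = "v=STSv1; id=20160831085700Z;"
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.backup.example.com\r\n"
    "max_age: 604800\r\n"
)
SAMPLE_MX = ["mail.example.com.", "mx1.backup.example.com.", "mx.other.net."]


def check_sample():
    """Run the checks over the constructed sample and return a summary dict."""
    policy = parse_policy(SAMPLE_POLICY)
    return {
        "policy_id": parse_sts_txt(SAMPLE_TXT),
        "mode": policy["mode"],
        "max_age": policy["max_age"],
        "uncovered_mx": uncovered_mx(policy, SAMPLE_MX),
    }


if __name__ == "__main__":
    print(check_sample())
```

Running the block reports one uncovered MX host (`mx.other.net.`), the case an enforce-mode policy would silently break mail delivery for; in a real checker the TXT record and policy body would come from a dnspython query and an HTTPS fetch of the well-known URL, with the same validation applied.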
This guide has been written for Debian buster. It will work on stretch with minimal modifications (replace python3-flask-limiter with the pip3 package Flask-Limiter).
- Install dependencies:

  ```
  $ apt-get install uwsgi uwsgi-plugin-python3 python3-flask python3-flask-limiter python3-dnspython
  ```

- Create a configuration file for uWSGI (howto) at `/etc/uwsgi/emperor.ini`:

  ```ini
  [uwsgi]
  emperor = /etc/uwsgi/vassals
  uid = www-data
  gid = www-data
  limit-as = 1024
  logto = /tmp/uwsgi.log
  ```

- Create a configuration for this app at `/etc/uwsgi/vassals/mta-sts.ini` (create `/etc/uwsgi/vassals` first):

  ```ini
  [uwsgi]
  socket = /tmp/mta-sts.sock
  manage-script-name = true
  mount = /=check:app
  plugins = python3
  chmod-socket = 666
  pythonpath = /some/path/mta-sts
  ```

- Enable and start uWSGI (check `/tmp/uwsgi.log` for errors):

  ```
  $ systemctl enable emperor.uwsgi.service
  $ systemctl start emperor.uwsgi.service
  ```

- Make sure a webserver forwards requests to `/tmp/mta-sts.sock`. For example, with nginx:

  ```nginx
  location = /apps/mta-sts/api {
      include uwsgi_params;
      uwsgi_pass unix:/tmp/mta-sts.sock;
  }
  ```

- Test the app with a browser.