How To Configure MTA-STS and TLS Reporting for Your Domain Using Apache on Ubuntu 18.04

The author selected Electronic Frontier Foundation Inc to receive a donation as part of the Write for DOnations program.

Introduction

SMTP MTA Strict Transport Security (MTA-STS, RFC 8461) is an internet standard that lets you require TLS for email sent to your domain from supporting email providers. It is similar to HTTP Strict Transport Security (HSTS): a force-TLS policy is published, and senders that have retrieved it cache it for a specified amount of time and refuse to fall back to plaintext or to an unvalidated certificate, reducing the risk of man-in-the-middle or downgrade attacks.

MTA-STS is complemented by SMTP TLS Reporting (TLSRPT), which gives you insight into which emails are successfully delivered over TLS, and which aren’t. TLSRPT is similar to DMARC reporting, but for TLS.

The primary reason for implementing MTA-STS for your domain is to ensure that confidential email sent to you is transmitted securely over TLS. Other methods for encouraging TLS for email, such as opportunistic STARTTLS, are still susceptible to man-in-the-middle attacks: the SMTP session starts in plaintext, so an attacker on the path can strip the STARTTLS offer and the sender silently falls back to an unencrypted delivery, and even when TLS is negotiated, senders normally do not validate the certificate. With MTA-STS, a sender that has fetched your policy (over HTTPS, independently of the SMTP connection) requires a validated TLS connection to one of your listed MX hosts for the lifetime of the policy, which greatly reduces the risk of these attacks.

An example use case for MTA-STS and TLS Reporting is to help create a secure customer service email system for your business. Customers may send support tickets via email that contain confidential personal information, which needs a secure TLS connection. MTA-STS helps to ensure the security of the connection, and TLSRPT will deliver daily reports identifying any emails that weren’t sent securely—giving crucial insight into any ongoing or previous attacks against your email system.

In this tutorial, you will learn how to configure MTA-STS and TLSRPT for your domain name, and then interpret your first TLS Report. While this tutorial covers the steps for using Apache on Ubuntu 18.04 with a Let’s Encrypt certificate, the MTA-STS/TLSRPT configuration will also work on alternatives, such as Nginx on Debian.

Prerequisites

Before you begin this guide, you’ll need:

  • A domain name already configured for receiving email, using either your own mail server or a hosted mail service, such as G Suite or Office 365. This tutorial will use your-domain throughout, however this should be substituted with your own domain name. You will be required to set up a subdomain as part of the tutorial, so ensure that you are able to access the DNS settings for your domain.

  • One Ubuntu 18.04 server set up by following the Initial Server Setup with Ubuntu 18.04, including a sudo non-root user.

  • An Apache web server set up and configured by following How to Install the Apache Web Server on Ubuntu 18.04.

  • A configured Certbot client in order to acquire a Let’s Encrypt certificate, by following How To Secure Apache with Let’s Encrypt on Ubuntu 18.04.

Once you have these ready, log in to your server as your non-root user to begin.

Note: Once you have completed the implementation steps for MTA-STS and TLSRPT, you may have to wait up to 24 hours to receive your first TLS Report. This is because most email providers send reports once per day. You may resume the tutorial from Step 5 once you’ve received your first report.

Step 1 — Creating an MTA-STS Policy File

MTA-STS is enabled and configured using a plain text policy file that you host on your website. Once the DNS record from Step 4 is in place, sending mail servers that support MTA-STS fetch the file over HTTPS, cache it for the lifetime it specifies, and apply it to every delivery to your domain in the meantime. In this first step you'll understand the available options for this file and choose the most appropriate ones for your domain.

Firstly, open a new text file in your home directory so that you have somewhere to write down your desired configuration:

  • nano mta-sts.txt

We will first go over an example, and then you will write your own configuration file.

Following is an example of an MTA-STS configuration file:

Example MTA-STS Configuration File
version: STSv1
mode: enforce
mx: mail1.your-domain
mx: mail2.your-domain
max_age: 604800

This example configuration file specifies that all email delivered to mail1.your-domain and mail2.your-domain from supported providers must be delivered over a valid TLS connection: the sender must connect to an MX host that matches one of the mx entries, and that host must present a certificate that chains to a trusted root and is valid for its hostname. If such a connection cannot be established with your mail server (for example, if the certificate has expired, is self-signed, or was issued for a different name), the sender will not deliver the email in the clear; it queues and retries instead, so a broken certificate in enforce mode shows up as delayed or bounced mail.

This will make it much more challenging for an attacker to intercept and snoop on/modify your email in a situation like a man-in-the-middle attack. This is because having MTA-STS enabled properly only allows email to be transmitted over a valid TLS connection, which requires a valid TLS certificate. It would be hard for an attacker to acquire such a certificate, as doing so usually requires privileged access to your domain name and/or website.

As shown in the example earlier in this step, the configuration file consists of a number of key/value pairs:

  • version:

    • Purpose: To specify the version of the MTA-STS specification to use.

    • Accepted Values: Currently the only accepted value is STSv1.

    • Example: version: STSv1

  • mode:

    • Purpose: Specify which mode MTA-STS should be enabled in.

    • Accepted Values:

      • enforce: Force all incoming email from supported providers to use valid TLS.

      • testing: Report-only mode. Email will not be blocked, but TLSRPT reports are still sent.

      • none: Disable MTA-STS.

    • Example: mode: enforce

  • mx:

    • Purpose: To specify which mail servers are allowed to handle email for your domain. This should match the hosts in your domain's MX records, and each of those hosts must present a certificate that is valid for its hostname.

    • Accepted Values: Fully-qualified domain name of a mail server, or a wildcard host. A wildcard only covers the leftmost label, so *.example.org matches mail.example.org but not example.org or a.b.example.org. Multiple mx: values must be used to specify multiple mail servers.

    • Example: mx: mail1.your-domain, mx: mail2.your-domain, mx: *.example.org

  • max_age:

    • Purpose: To specify the maximum lifetime of the MTA-STS policy, in seconds. Senders cache the policy for this long, so a long max_age means that a broken policy or an expired certificate keeps affecting delivery until it runs out.

    • Accepted Values: Any positive integer up to 31557600 (one year).

    • Example: max_age: 604800 (1 week)

You can also view the official specification for the key/value pairs in Section 3.2 of the MTA-STS RFC.
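The following Python script is an added example, not part of the original tutorial: it checks a policy file against the field rules above (RFC 8461 section 3.2) and shows how a sender decides whether an MX hostname is covered by the mx entries, including the one-label wildcard rule (RFC 8461 section 4.1). The policy text and hostnames it uses are constructed for the demo, with your-domain.example standing in for the tutorial's your-domain placeholder.

```python
"""Check an MTA-STS policy file before publishing it.

Added example for this tutorial, not code from the original page. It applies
the rules from RFC 8461 section 3.2 (policy fields) and section 4.1 (how a
sender matches an MX hostname against the mx entries). The sample policy and
hostnames are constructed; "your-domain.example" stands in for your-domain.
"""
import re

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # one year, the upper bound allowed by RFC 8461

# A DNS label, optionally preceded by the "*." wildcard form the RFC allows.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_MX_RE = re.compile(rf"^(\*\.)?{_LABEL}(\.{_LABEL})+\.?$")


def parse_policy(text):
    """Parse 'key: value' lines; returns (policy, errors).

    mx may repeat, so it is collected as a list. Unknown keys are stored but
    not checked, as senders ignore them; duplicate single-valued keys are
    reported because the RFC allows each of them only once.
    """
    policy = {"mx": []}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            errors.append(f"line {lineno}: not a 'key: value' pair: {raw!r}")
        elif key == "mx":
            policy["mx"].append(value)
        elif key in policy:
            errors.append(f"line {lineno}: duplicate key {key!r}")
        else:
            policy[key] = value
    return policy, errors


def validate_policy(text):
    """Return a list of problems; an empty list means the policy is usable."""
    policy, errors = parse_policy(text)
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in VALID_MODES:
        errors.append(f"mode must be one of {sorted(VALID_MODES)}, got {mode!r}")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or not 0 < int(max_age) <= MAX_AGE_LIMIT:
        errors.append(f"max_age must be an integer from 1 to {MAX_AGE_LIMIT}, got {max_age!r}")
    if mode in ("enforce", "testing") and not policy["mx"]:
        errors.append("at least one mx entry is required unless mode is none")
    for host in policy["mx"]:
        if not _MX_RE.match(host):
            errors.append(f"mx entry is not a hostname or *.domain wildcard: {host!r}")
    return errors


def mx_matches(policy_mx, hostname):
    """True if hostname is covered by the policy (RFC 8461 section 4.1).

    Matching is case-insensitive and a wildcard covers exactly one label:
    *.example.org matches mail.example.org but not example.org or a.b.example.org.
    """
    hostname = hostname.rstrip(".").lower()
    for pattern in policy_mx:
        pattern = pattern.rstrip(".").lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.org"
            head = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
            if head and "." not in head:
                return True
        elif hostname == pattern:
            return True
    return False


# Constructed sample: the tutorial's test policy with a wildcard backup MX added.
SAMPLE_POLICY = """\
version: STSv1
mode: testing
mx: mail1.your-domain.example
mx: mail2.your-domain.example
mx: *.backup.your-domain.example
max_age: 86401
"""

if __name__ == "__main__":
    print("policy problems:", validate_policy(SAMPLE_POLICY) or "none")
    mx_list = parse_policy(SAMPLE_POLICY)[0]["mx"]
    for host in ("mail1.your-domain.example", "mx9.backup.your-domain.example",
                 "a.b.backup.your-domain.example", "evil.example"):
        verdict = "allowed by policy" if mx_matches(mx_list, host) else "NOT in policy"
        print(f"{host}: {verdict}")
```

Run it against the file you just wrote (replace SAMPLE_POLICY with the file contents) before moving on: a rejected mx pattern or an out-of-range max_age here is the same thing a sender will choke on after you publish, and the mx_matches() check is the one that decides, in enforce mode, whether your mail is delivered at all.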

Warning: Enabling MTA-STS in enforce mode could unexpectedly cause some email not to be delivered to you. Instead, it is recommended to use mode: testing and a low max_age: value at first, in order to ensure that everything is working correctly before turning on MTA-STS fully.

Using the example file earlier in the step, as well as the preceding key/value pair examples, write your desired MTA-STS policy file and save it to the file that you created at the start of the step.

The following example file is ideal for testing MTA-STS, as it will not cause any emails to be unexpectedly blocked, and has a max_age of only 1 day, meaning that if you decide to disable it, the configuration will expire quickly. Note that some email providers will only send TLSRPT reports if the max_age is greater than 1 day, which is why 86401 seconds is a good choice (1 day and 1 second).

Example Test MTA-STS Configuration File
version: STSv1
mode: testing
mx: mail1.your-domain
mx: mail2.your-domain
max_age: 86401

In this step you created your desired MTA-STS configuration file and saved it to your home area. In the next step, you will configure an Apache web server to serve the file in the correct format.

Step 2 — Configuring Apache to Serve Your MTA-STS Policy File

In this step, you’ll configure an Apache virtual host to serve your MTA-STS configuration file, and then add a DNS record to allow the site to be accessed from a subdomain.

In order for your MTA-STS configuration file to be automatically discovered by mail servers, it must be served at exactly the right path: https://mta-sts.your-domain/.well-known/mta-sts.txt. You must use the mta-sts subdomain over HTTPS and the /.well-known/mta-sts.txt path, otherwise your configuration will not work. Senders also expect a direct 200 response with a plain-text body: they do not follow HTTP redirects, and the policy should be served with the text/plain media type (Apache's default for .txt files), so do not put the subdomain behind a redirect to your main site.

This can be achieved by creating a new Apache virtual host for the mta-sts subdomain, which will serve the MTA-STS policy file. This step builds upon the base configuration that you’ll have set up in the prerequisite step How to Install the Apache Web Server on Ubuntu 18.04.

Firstly, create a directory for your virtual host:

  • sudo mkdir /var/www/mta-sts

If you’re hosting multiple different domains on your web server, it is recommended to use a different MTA-STS virtual host for each, for example /var/www/mta-sts-site1 and /var/www/mta-sts-site2.

Next, you need to create the .well-known directory, which is where your MTA-STS configuration file will be stored. .well-known is a standardized directory for ‘well-known’ files, such as TLS certificate validation files, security.txt, and more.

  • sudo mkdir /var/www/mta-sts/.well-known

Now you can move the MTA-STS policy file that you created in Step 1 into the web server directory that you just created:

  • sudo mv ~/mta-sts.txt /var/www/mta-sts/.well-known/mta-sts.txt

You can check that the file was moved correctly if you wish:

  • cat /var/www/mta-sts/.well-known/mta-sts.txt

This will output the contents of the file that you created in Step 1.

In order for Apache to serve the file, you’ll need to configure the new virtual host and enable it. MTA-STS only works over HTTPS, so you’ll use port 443 (HTTPS) exclusively, rather than using port 80 (HTTP) as well.

Firstly, create a new virtual host configuration file:

  • sudo nano /etc/apache2/sites-available/mta-sts.conf

Like with the virtual host directory, if you are hosting multiple different domains on the same web server, it is recommended to use a different virtual host name for each.

Then, copy the following sample configuration into the file, and populate the variables where required:

/etc/apache2/sites-available/mta-sts.conf
<IfModule mod_ssl.c>
<VirtualHost your-server-ipv4-address:443 [your-server-ipv6-address]:443>
    ServerName mta-sts.your-domain
    DocumentRoot /var/www/mta-sts

    # Everything except the policy file gets a 403 with a short explanation.
    ErrorDocument 403 "403 Forbidden - This site is used to specify the MTA-STS policy for this domain, please see '/.well-known/mta-sts.txt'. If you were not expecting to see this, please use <a href=\"https://your-domain\" rel=\"noopener\">https://your-domain</a> instead."

    RewriteEngine On
    RewriteOptions IgnoreInherit
    RewriteRule !^/.well-known/mta-sts.txt - [L,R=403]

    # Placeholder self-signed certificate; replaced by Let's Encrypt in Step 3.
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

This configuration creates the mta-sts virtual host, served at mta-sts.your-domain. Every request other than the mta-sts.txt file itself is answered with a custom 403 Forbidden error page (the RewriteRule returns the 403 directly rather than redirecting) carrying a friendly explanation of what the subdomain site is for. This keeps anything other than the policy file unreachable on this host, and helps to ensure that visitors who accidentally come across your MTA-STS site aren't confused.

Currently, a self-signed TLS certificate is used. This is not ideal, as a fully valid/trusted certificate is required for MTA-STS to work correctly. In Step 3, you will acquire a TLS certificate using Let’s Encrypt.

Next, ensure that the required Apache modules are enabled:

  • sudo a2enmod rewrite ssl

After that, enable the new virtual host:

  • sudo a2ensite mta-sts

Then, run a syntax check of the Apache configuration files, to ensure that there aren’t any unexpected errors:

  • sudo apachectl configtest

When the test passes with no errors, you can restart Apache to fully enable the new virtual host:

  • sudo service apache2 restart

Now that the Apache virtual host has been set up and configured, you need to create the required DNS record(s) to allow it to be accessed using the fully-qualified domain name mta-sts.your-domain.

The way that this is done depends on the DNS hosting provider that you use. However, if you use DigitalOcean as your DNS provider, simply navigate to your project, followed by clicking on your domain.

Finally, add the required DNS records for the mta-sts subdomain. If your Droplet only uses IPv4, create an A record for mta-sts, pointing to your-server-ipv4-address. If you use IPv6 as well, create an AAAA record pointing to your-server-ipv6-address.

In this step, you created and configured a new Apache virtual host for your MTA-STS subdomain, then added the required DNS record(s) to allow it to be accessed easily. In the next step, you will acquire a trusted Let’s Encrypt certificate for your MTA-STS subdomain.

Step 3 — Acquiring a Let's Encrypt Certificate for Your MTA-STS Subdomain

In this step, you’ll acquire a TLS certificate from Let’s Encrypt, to allow your mta-sts.your-domain site to be served correctly over HTTPS.

In order to do this, you’ll use certbot, which you set up as part of the prerequisite step How To Secure Apache with Let’s Encrypt on Ubuntu 18.04.

Firstly, run certbot to issue a certificate for your mta-sts subdomain using the Apache plugin verification method:

  • sudo certbot --apache -d mta-sts.your-domain

This will automatically issue a trusted certificate and install it on your Apache web server. When the Certbot wizard asks about configuring a HTTP -> HTTPS redirect, select 'No’, as this is not required for MTA-STS.

To finish, test your new virtual host to ensure that it is working correctly. Use a web browser to visit https://mta-sts.your-domain/.well-known/mta-sts.txt, or use a command-line tool such as curl:

  • curl https://mta-sts.your-domain/.well-known/mta-sts.txt

This will output the MTA-STS policy file that you created in Step 1:

Output
version: STSv1
mode: testing
mx: mail1.your-domain
mx: mail2.your-domain
max_age: 86401

If an error occurs, ensure that the virtual host configuration from Step 2 is correct, that you have added a DNS record for the mta-sts subdomain, and that the certificate Certbot installed is the one being served (a browser warning about an untrusted certificate means the snakeoil placeholder is still active). The response must be a direct 200, not a redirect, as senders will not follow one.

In this step, you issued a Let’s Encrypt TLS certificate for your mta-sts subdomain, and tested that it’s working. Next, you’ll set some DNS TXT records to fully enable MTA-STS and TLSRPT.

Step 4 — Configuring the DNS Records Required to Enable MTA-STS and TLSRPT

In this step, you’ll configure two DNS TXT records, which will fully enable the MTA-STS policy that you have already created, and also enable TLS Reporting (TLSRPT).

These DNS records can be configured using any DNS hosting provider, but in this example, DigitalOcean is used as the provider.

Firstly, log on to your DigitalOcean control panel and navigate to your project, followed by clicking on your domain.

You then need to add the following two TXT records:

_mta-sts.your-domain IN TXT "v=STSv1; id=id-value"
_smtp._tls.your-domain IN TXT "v=TLSRPTv1; rua=reporting-address"

id-value is a string that identifies the version of your MTA-STS policy currently in place. Senders cache the policy and only fetch it again when the id in DNS differs from the one they cached (or when max_age runs out), so every time you change the policy file you must also change the id, otherwise senders keep using the old policy until it expires. The id is limited to 1 to 32 letters and digits with no punctuation, so a timestamp such as 20190811231231 (23:12:31 on 11th Aug 2019) is a convenient choice.

reporting-address is where your TLS reports will be sent. It is either an email address prefixed with mailto:, or an https:// URI for an endpoint that accepts the JSON reports by HTTP POST, for example an API that collects reports. Several addresses may be listed, separated by commas. The reporting address doesn't have to be an address on your-domain; you may use a completely different domain if you wish.

For example, the following two sample records are both valid:

_mta-sts.your-domain IN TXT "v=STSv1; id=20190811231231"
_smtp._tls.your-domain IN TXT "v=TLSRPTv1; rua=mailto:tls-reports@your-domain"

Adjust the variables as required, and set these DNS TXT records in your DigitalOcean control panel (or whichever DNS provider you’re using):

Once these DNS records have been set and have propagated, MTA-STS will be enabled with the policy that you created in Step 1, and will begin to receive TLSRPT reports at the address that you specified.
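As an added example (not code from the original tutorial), the Python script below checks both TXT records against the grammar in RFC 8461 section 3.1 and RFC 8460 section 3, and models what a sending MTA does with the id: it only refetches your policy when the id in DNS differs from the one it cached or the cached policy's max_age has run out. The record strings are constructed, reusing the two sample records above.

```python
"""Check the _mta-sts and _smtp._tls TXT records before publishing them.

Added example for this tutorial, not code from the original page. The record
grammar follows RFC 8461 section 3.1 (MTA-STS) and RFC 8460 section 3
(TLSRPT); the demo records are constructed and use the your-domain
placeholder. policy_needs_refetch() models a sender's policy cache, which is
why the id must change on every policy update.
"""
import re

# sts-id = 1*32(ALPHA / DIGIT): no dots, dashes or other punctuation allowed.
_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


def parse_tags(record):
    """Split 'k=v; k=v' into an ordered list of (key, value) pairs."""
    pairs = []
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {field!r}")
        pairs.append((key.strip(), value.strip()))
    return pairs


def validate_mta_sts_record(record):
    """Return problems with a _mta-sts TXT record; an empty list means OK."""
    errors = []
    tags = parse_tags(record)
    if not tags or tags[0] != ("v", "STSv1"):
        errors.append("record must start with v=STSv1")
    ids = [v for k, v in tags if k == "id"]
    if len(ids) != 1:
        errors.append("exactly one id= field is required")
    elif not _ID_RE.match(ids[0]):
        errors.append(f"id must be 1 to 32 letters or digits, got {ids[0]!r}")
    return errors


def validate_tlsrpt_record(record):
    """Return problems with a _smtp._tls TXT record; an empty list means OK."""
    errors = []
    tags = parse_tags(record)
    if not tags or tags[0] != ("v", "TLSRPTv1"):
        errors.append("record must start with v=TLSRPTv1")
    uris = [u.strip() for k, v in tags if k == "rua" for u in v.split(",")]
    if not uris:
        errors.append("a rua= field with at least one report address is required")
    for uri in uris:
        # Reports are mailed (mailto:) or POSTed to an HTTPS endpoint.
        if not (uri.startswith("mailto:") or uri.startswith("https://")):
            errors.append(f"rua URI must be mailto: or https://, got {uri!r}")
    return errors


def policy_needs_refetch(cached_id, fetched_at, max_age, dns_id, now):
    """A sender refetches the policy when the DNS id changed or max_age ran out.

    fetched_at and now are seconds (e.g. time.time()); max_age is the
    policy's max_age value.
    """
    return dns_id != cached_id or (now - fetched_at) >= max_age


if __name__ == "__main__":
    # Constructed records, matching the two example records in this step.
    sts = "v=STSv1; id=20190811231231"
    tlsrpt = "v=TLSRPTv1; rua=mailto:tls-reports@your-domain"
    for name, problems in (("_mta-sts", validate_mta_sts_record(sts)),
                           ("_smtp._tls", validate_tlsrpt_record(tlsrpt))):
        print(f"{name}: {problems or 'OK'}")
    # A common mistake: punctuation in the id, which the RFC grammar does not allow.
    print("_mta-sts (bad id):", validate_mta_sts_record("v=STSv1; id=2019-08-11"))
    # Unchanged id, one day after caching an 86401-second policy: no refetch yet.
    print("refetch needed:", policy_needs_refetch("20190811231231", 0, 86401,
                                                   "20190811231231", 86400))
```

Paste the exact strings you are about to enter into your DNS provider in place of the constructed ones; a record that fails here will be ignored by senders, which silently leaves MTA-STS (or reporting) switched off.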

In this step, you configured the DNS records required for MTA-STS to be enabled. Next, you will receive and then interpret your first TLSRPT report.

Step 5 — Interpreting Your First TLSRPT Report

Now that you’ve enabled MTA-STS and TLSRPT (TLS Reporting) for your domain, you will begin to receive reports from supported email providers. These reports will show the number of emails that were or were not successfully delivered over TLS, and the reasons for any errors.

Different email providers send their reports at different times; for example, Google Mail sends their reports daily at around 10:00 UTC.

Depending on how you configured the TLSRPT DNS record in Step 4, you will either receive your reports via email, or via a web API. This tutorial focuses on the email method, as that is the most common configuration.

If you’ve just completed the rest of this tutorial, wait until you receive your first report, then you can resume.

Your daily TLSRPT report via email will usually have a subject line similar to the following:

Report Domain: your-domain Submitter: google.com Report-ID: <2019.08.10T00.00.00Z+your-domain@google.com>

This email will have an attachment in .gz format, which is a Gzip compressed archive, with a file name similar to the following:

google.com!your-domain!1565222400!1565308799!001.json.gz

For the rest of this tutorial this file will be referred to as report.json.gz.

Save this file to your local machine, and extract it using whichever tool you prefer.

If you’re using a Debian-based Linux system, you will be able to run the gzip -d command to decompress the archive:

  • gzip -d report.json.gz

This will result in a JSON file called report.json.

Next, you can view the report either directly as the raw JSON string, or use your favorite JSON prettifier to put it into a more readable format. In this example, jq will be used, but you could also use Python’s json.tool if you wish.

Note: If you don't have jq installed, you can install it with sudo apt install jq. For other operating systems, use the installation instructions from the jq project.

  • jq . report.json

This will output something similar to the following:

Prettified report.json
{
  "organization-name": "Google Inc.",
  "date-range": {
    "start-datetime": "2019-08-10T00:00:00Z",
    "end-datetime": "2019-08-10T23:59:59Z"
  },
  "contact-info": "smtp-tls-reporting@google.com",
  "report-id": "2019-08-10T00:00:00Z_your-domain",
  "policies": [
    {
      "policy": {
        "policy-type": "sts",
        "policy-string": [
          "version: STSv1",
          "mode: testing",
          "mx: mail1.your-domain",
          "mx: mail2.your-domain",
          "max_age: 86401"
        ],
        "policy-domain": "your-domain"
      },
      "summary": {
        "total-successful-session-count": 230,
        "total-failure-session-count": 0
      }
    }
  ]
}

The report shows the provider that generated the report and the reporting period, as well as the MTA-STS policy that was applied. However, the main section that you’ll be interested in is summary, specifically the successful and failed session counts.

This sample report shows that 230 emails were successfully delivered over TLS from the mail provider that generated the report, and 0 email deliveries failed to establish a proper TLS connection.

In the event that there is a failure, for example if a TLS certificate expires or there is an attacker on the network, the report's policies entry gains a failure-details array, with one item per failing combination of sending MTA and receiving MX that records the result-type, the receiving-mx-hostname and the failed-session-count. Some examples of result types are:

  • starttls-not-supported: The sending MTA was not offered STARTTLS by the MX it connected to. Either your server genuinely doesn't support it, or something on the path stripped the offer, which is exactly the downgrade MTA-STS is meant to catch.

  • certificate-expired: The certificate presented by your MX has expired.

  • certificate-not-trusted: A self-signed or other non-trusted certificate is used.

  • certificate-host-mismatch: The certificate is valid, but not for the MX hostname the sender connected to.

  • sts-policy-fetch-error: The sender could not retrieve https://mta-sts.your-domain/.well-known/mta-sts.txt, so check the virtual host from Step 2.

In this final step, you received and then interpreted your first TLSRPT report.
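The report above shows only successes. As an added example (not code from the original tutorial or from any mail provider), the following Python script loads a .json or .json.gz report, totals the sessions per policy, and groups the failure-details entries by result type and receiving MX. The embedded report is constructed for the demo with one certificate-expired failure added; the split between receiver-side problems and failures worth investigating is a triage heuristic of this example, not something RFC 8460 defines.

```python
"""Summarise a TLSRPT report and surface its failure details.

Added example for this tutorial, not code from the original page or from
any provider. It follows the JSON layout of RFC 8460 section 4; the embedded
report is constructed (one expired-certificate failure added) and uses the
tutorial's your-domain placeholder.
"""
import gzip
import json
from collections import Counter

SAMPLE_REPORT = {  # constructed sample, modelled on the prettified report above
    "organization-name": "Example Provider",
    "date-range": {"start-datetime": "2019-08-10T00:00:00Z",
                   "end-datetime": "2019-08-10T23:59:59Z"},
    "contact-info": "tlsrpt@provider.example",
    "report-id": "2019-08-10T00:00:00Z_your-domain",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "your-domain",
                   "policy-string": ["version: STSv1", "mode: testing",
                                     "mx: mail1.your-domain", "mx: mail2.your-domain",
                                     "max_age: 86401"]},
        "summary": {"total-successful-session-count": 230,
                    "total-failure-session-count": 3},
        "failure-details": [{"result-type": "certificate-expired",
                             "sending-mta-ip": "192.0.2.10",
                             "receiving-mx-hostname": "mail2.your-domain",
                             "receiving-ip": "198.51.100.20",
                             "failed-session-count": 3}],
    }],
}

# Triage heuristic for this example (not from the RFC): these result types
# normally mean something is wrong on your side (certificates or policy
# hosting). Anything else, e.g. starttls-not-supported, can indicate a
# downgrade on the path and deserves a closer look.
RECEIVER_SIDE = {"certificate-expired", "certificate-not-trusted",
                 "certificate-host-mismatch", "sts-policy-fetch-error",
                 "sts-policy-invalid", "sts-webpki-invalid"}


def load_report(path):
    """Read a report from a .json or .json.gz attachment."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)


def policy_mode(policy):
    """Pull the mode out of the policy-string lines echoed back in the report."""
    for line in policy.get("policy-string", []):
        key, _, value = line.partition(":")
        if key.strip() == "mode":
            return value.strip()
    return None


def summarise(report):
    """Per-policy totals plus failures grouped by result type and by MX host."""
    out = {"reporter": report["organization-name"],
           "period": (report["date-range"]["start-datetime"],
                      report["date-range"]["end-datetime"]),
           "policies": []}
    for entry in report.get("policies", []):
        pol, summ = entry["policy"], entry.get("summary", {})
        by_result, by_host = Counter(), Counter()
        for fail in entry.get("failure-details", []):
            n = fail.get("failed-session-count", 1)
            by_result[fail["result-type"]] += n
            by_host[(fail.get("receiving-mx-hostname", "?"), fail["result-type"])] += n
        out["policies"].append({
            "domain": pol["policy-domain"],
            "type": pol["policy-type"],
            "mode": policy_mode(pol),
            "ok": summ.get("total-successful-session-count", 0),
            "failed": summ.get("total-failure-session-count", 0),
            "by_result": dict(by_result),
            "by_host": dict(by_host),
            "investigate": sorted(r for r in by_result if r not in RECEIVER_SIDE),
        })
    return out


def format_summary(summary):
    """Render summarise() output as the few lines you actually want to read."""
    lines = [f"{summary['reporter']}: {summary['period'][0]} to {summary['period'][1]}"]
    for p in summary["policies"]:
        lines.append(f"  {p['domain']} ({p['type']}, mode={p['mode']}): "
                     f"{p['ok']} sessions over TLS, {p['failed']} failed")
        for (host, result), n in sorted(p["by_host"].items()):
            lines.append(f"    {host}: {n} x {result}")
        if p["investigate"]:
            lines.append("    investigate: " + ", ".join(p["investigate"]))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    print(format_summary(summarise(report)))
```

Run it with the path to a real attachment (python3 tlsrpt_summary.py report.json.gz) to summarise that report; without an argument it prints the embedded sample. Once reports from several providers arrive daily, feeding them through a script like this is what turns TLSRPT from a pile of JSON into a signal you would notice.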

Conclusion

In this article you set up and configured MTA-STS and TLS Reporting for your domain, and interpreted your first TLSRPT report.

Once MTA-STS has been enabled and working stably for a while, it is recommended to adjust the policy, increasing the max_age value, and eventually switching it to enforce mode once you are sure that all email from supported providers is being delivered successfully over TLS. Before you do, make sure that every MX host listed in the policy presents a certificate valid for its own hostname and that certificate renewal is automated, because in enforce mode a lapsed certificate means senders defer your mail instead of delivering it, for as long as the cached policy lasts.

Finally, if you’d like to learn more about the MTA-STS and TLSRPT specifications, you can review the RFCs for both of them:

  • RFC8461 - SMTP MTA Strict Transport Security (MTA-STS)

  • RFC8460 - SMTP TLS Reporting

Translated from: https://www.digitalocean.com/community/tutorials/how-to-configure-mta-sts-and-tls-reporting-for-your-domain-using-apache-on-ubuntu-18-04
