# MTA-STS for performancewest.net

DNS TXT `_mta-sts.performancewest.net` = `v=STSv1; id=20260505` (already published).

TLS-RPT TXT `_smtp._tls.performancewest.net` published.

Added A record `mta-sts.performancewest.net -> 207.174.124.71` (Hestia).

Policy served at `https://mta-sts.performancewest.net/.well-known/mta-sts.txt`
from `/var/www/mta-sts/.well-known/mta-sts.txt` (content = mta-sts.txt here).

PENDING: Let's Encrypt cert for mta-sts.performancewest.net (waiting on HE.net
secondary DNS propagation). Once `dig +short mta-sts.performancewest.net @8.8.8.8`
resolves, run:

```sh
sudo certbot certonly --webroot -w /var/www/certbot -d mta-sts.performancewest.net --non-interactive --agree-tos -m admin@performancewest.net
```

then upgrade pw-mta-sts.conf to an HTTPS (443) server block (see the pw-listmonk-hc.conf
pattern) and reload nginx. MTA-STS requires that the policy be served over valid HTTPS
(a trusted certificate whose name matches `mta-sts.<domain>`); sending MTAs will not
apply a policy fetched over plain HTTP or with a cert error.

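A small offline sanity check for the two artefacts above (the `_mta-sts` TXT record and the `.well-known/mta-sts.txt` body), added here as an example and not part of the original note or of certbot/nginx. The TXT value is the one published above; the policy body is a constructed sample, since the real file content is not shown here, and its mx host is a placeholder.

```python
import re

# Value taken from the note above.
TXT_RECORD = "v=STSv1; id=20260505"
# Constructed sample policy body (the real mta-sts.txt is not in the note);
# the mx host is a placeholder, not the domain's actual MX.
POLICY_TEXT = "version: STSv1\nmode: enforce\nmx: mail.example-placeholder.net\nmax_age: 604800\n"

ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")        # RFC 8461 sts-id
HOST_RE = re.compile(r"^(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
MAX_AGE_CEILING = 31557600                          # RFC 8461 cap (~1 year)


def parse_txt_record(txt):
    """Parse an `_mta-sts.<domain>` TXT value; raise ValueError if unusable.
    Remember: the id must change every time the policy file changes, or
    caching senders keep using the old policy until max_age expires."""
    fields = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT must start with v=STSv1")
    if not ID_RE.match(fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def check_policy(text):
    """Parse a .well-known/mta-sts.txt body; return (policy, problems)."""
    policy, problems = {"mx": []}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            problems.append(f"malformed line: {raw!r}")
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":                              # may repeat; wildcards ok
            if not HOST_RE.match(value):
                problems.append(f"bad mx host: {value!r}")
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_CEILING:
        problems.append("max_age must be an integer of seconds, at most 31557600")
    if policy.get("mode") != "none" and not policy["mx"]:
        problems.append("enforce/testing needs at least one mx line")
    return policy, problems
```

Run `check_policy` on the served file before flipping `mode` to `enforce`: a typo in `mx` or a missing `max_age` would silently leave senders with no usable policy.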

## STATUS 2026-06-07

- DNS A record added + policy file served over HTTP (working).
- Cert issuance FAILED twice: HE.net secondary DNS is flapping (mta-sts resolves
  on 1.1.1.1/9.9.9.9 but intermittently empty on 8.8.8.8), so Let's Encrypt's
  multi-vantage validation can't get consistent resolution. nginx left on the
  safe HTTP-only vhost. RETRY the certbot command above once `dig +short
  mta-sts.performancewest.net` is stable across 8.8.8.8 / 1.1.1.1 / 9.9.9.9,
  then upgrade to the 443 vhost. (Run `nginx -t` before any reload: a missing
  cert ref will break the reload.)