From 0b87cbfd062d31814c877614a5c2e388ee5eb416 Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Sun, 15 May 2022 15:31:37 +0200
Subject: [PATCH] mta_sts: Switch to enforce mode and bump max_age to 30 days

Checking the SMTP TLS reports, the last failure was 2021-12-10/11 from
Mail.ru and 2021-08-28/29 from Google.

Bumping the max_age to 30 days as the RFC states: "To mitigate the risks
of attacks at policy refresh time, it is expected that this value
typically be in the range of weeks or greater."[1].

[1] https://datatracker.ietf.org/doc/html/rfc8461
---
 roles/mta_sts/templates/nginx.d.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/mta_sts/templates/nginx.d.conf.j2 b/roles/mta_sts/templates/nginx.d.conf.j2
index 31e9b74e4..f17ebec4e 100644
--- a/roles/mta_sts/templates/nginx.d.conf.j2
+++ b/roles/mta_sts/templates/nginx.d.conf.j2
@@ -32,7 +32,7 @@ server {
 
     location = /.well-known/mta-sts.txt {
         default_type text/plain;
-        return 200 'version: STSv1\nmode: testing\nmax_age: 604800\nmx: {{ config.mx | join('\\nmx: ')}}\n';
+        return 200 'version: STSv1\nmode: enforce\nmax_age: 2592000\nmx: {{ config.mx | join('\\nmx: ')}}\n';
     }
 
     location / {
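Review bot: Switching to `mode: enforce` on the changed `return 200` line only takes effect for sending MTAs once the `id=` value in the `_mta-sts.<domain>` TXT record changes, and that record is not touched by this patch (RFC 8461 §3.2; if it lives in another role, it should be bumped in the same change). Until then, senders keep the cached testing policy for up to the old 604800 s, so the enforce window starts later than the commit implies, and any future edit of this line has the same dependency. A short template comment above the `return` would keep that coupling visible, e.g. `# Bump the id= in the _mta-sts TXT record whenever this policy changes (RFC 8461 §3.2)`. The enclosing `server` block starts and ends outside the hunk.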
-- 
GitLab