From 4a802c15d84bc4cc834c1b50536fc80de74fd2e7 Mon Sep 17 00:00:00 2001
From: Julian Pawlowski <75446+jpawlowski@users.noreply.github.com>
Date: Sat, 2 Mar 2024 10:30:09 +0100
Subject: [PATCH] update max_age recommendation
---
 .editorconfig | 22 ++++++++
 .gitattributes | 10 ++++
 .gitignore | 116 ++++++++++++++++++++++++++++++++++++++++
 .markdownlint.json | 6 +++
 .well-known/mta-sts.txt | 2 +-
 LICENSE.md | 2 +-
 README.md | 8 +--
 7 files changed, 160 insertions(+), 6 deletions(-)
 create mode 100644 .editorconfig
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 .markdownlint.json
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..7a74ec0
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,22 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+
+# CSV, Markdown, and Text files
+[*.{csv,md,txt}]
+trim_trailing_whitespace = true
+
+# JSON and XML files
+[*.{json,xml,yml,code-workspace}]
+indent_style = space
+indent_size = 2
+
+# Matches the exact file .editorconfig
+[.editorconfig]
+indent_style = space
+indent_size = 2
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..8f7bece
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,10 @@
+# Set the default behavior, in case people don't have core.autocrlf set.
+* text=auto
+
+# Set svg to binary type, as SVG is unlikely to be editted by hand. Can be treated as checked in blob
+*.svg binary
+
+# Denote all files that are truly binary and should not be modified.
+*.png binary
+*.jpg binary
+*.pdf binary
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7e98175
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,116 @@ +# Created by https://www.toptal.com/developers/gitignore/api/git,linux,macos,windows,visualstudiocode,dotenv +# Edit at https://www.toptal.com/developers/gitignore?templates=git,linux,macos,windows,visualstudiocode,dotenv + +### dotenv ### +.env + +### Git ### +# Created by git for backups. To disable backups in Git: +# $ git config --global mergetool.keepBackup false +*.orig + +# Created by git when using merge tools for conflicts +*.BACKUP.* +*.BASE.* +*.LOCAL.* +*.REMOTE.* +*_BACKUP_*.txt +*_BASE_*.txt +*_LOCAL_*.txt +*_REMOTE_*.txt + +### Linux ### +*~ + +# temporary files which can be created if a process still has a handle open of a deleted file +.fuse_hidden* + +# KDE directory preferences +.directory + +# Linux trash folder which might appear on any partition or disk +.Trash-* + +# .nfs files are created when an open file is removed but is still being accessed +.nfs* + +### macOS ### +# General +.DS_Store +.AppleDouble +.LSOverride + +# Icon must end with two \r +Icon + +# Thumbnails +._* + +# Files that might appear in the root of a volume +.DocumentRevisions-V100 +.fseventsd +.Spotlight-V100 +.TemporaryItems +.Trashes +.VolumeIcon.icns +.com.apple.timemachine.donotpresent + +# Directories potentially created on remote AFP share +.AppleDB +.AppleDesktop +Network Trash Folder +Temporary Items +.apdisk + +### macOS Patch ### +# iCloud generated files +*.icloud + +### VisualStudioCode ### +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +!.vscode/*.code-snippets +!.vscode/PSScriptAnalyzerSettings.psd1 +!.vscode/PSScriptAnalyzerCustomRules.ps1 + +# Local History for Visual Studio Code +.history/ + +# Built Visual Studio Code Extensions +*.vsix + +### VisualStudioCode Patch ### +# Ignore all local history of files +.history +.ionide + +### Windows ### +# Windows thumbnail cache files +Thumbs.db +Thumbs.db:encryptable +ehthumbs.db +ehthumbs_vista.db + +# Dump file +*.stackdump + +# Folder 
config file +[Dd]esktop.ini + +# Recycle Bin used on file shares +$RECYCLE.BIN/ + +# Windows Installer files +*.cab +*.msi +*.msix +*.msm +*.msp + +# Windows shortcuts +*.lnk + +# End of https://www.toptal.com/developers/gitignore/api/git,linux,macos,windows,visualstudiocode,dotenv diff --git a/.markdownlint.json b/.markdownlint.json new file mode 100644 index 0000000..d0f88fc --- /dev/null +++ b/.markdownlint.json @@ -0,0 +1,6 @@ +{ + "MD012": false, + "MD013": false, + "MD033": false, + "MD041": false +} diff --git a/.well-known/mta-sts.txt b/.well-known/mta-sts.txt index f2b9a53..8530a9e 100644 --- a/.well-known/mta-sts.txt +++ b/.well-known/mta-sts.txt @@ -3,5 +3,5 @@ mode: [enforce|testing|none] # 1. Decide your mode. mx: mx1.your_domain.tld # 2. Add your primary mailserver hostname (see MX records in your DNS) mx: mx2.your_domain.tld # 3. If you have secondary mailservers, add one line for each. # In case all servers share the same subdomain, you may also use wildcards like *.mail.protection.outlook.com -max_age: 604800 # 4. Depending on your mode above, 604800 seconds = 1 week might be a good value. +max_age: 1209600 # 4. Depending on your mode above, 1209600 seconds = 2 weeks might be a good value. # 5. Remove all the comments (if that wasn't obvious to you). diff --git a/LICENSE.md b/LICENSE.md index 9b607f0..97734e4 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,6 +1,6 @@ MIT License -Copyright @ 2023 Julian Pawlowski +Copyright @ 2024 Julian Pawlowski Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 338bdde..7ebcc24 100644 --- a/README.md +++ b/README.md 
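Review bot: The rewritten comment on the `max_age` line of `.well-known/mta-sts.txt` still leaves "depending on your mode above" unexplained, and the direction of that dependency is the security-relevant part of this value. RFC 8461 §3.2 expects the policy lifetime to be in the range of weeks or greater, because a long `max_age` is what keeps a sender on the last good policy if an attacker blocks or tampers with the policy refresh; a short value mainly makes sense while the domain is still in `testing` mode, so that a wrong `mx` line or an expired certificate on the `mta-sts.` host ages out of sender caches quickly. The downside also deserves a sentence here: once in `enforce` mode, a broken policy stays cached by senders for up to `max_age` unless they notice a new `id=` in the `_mta-sts` TXT record, so the value should only be raised after step 6 (validation) has passed. I would replace the comment with `# 4. Keep this short (e.g. 86400 = 1 day) while in testing mode; once enforce mode is validated, RFC 8461 expects weeks or more (1209600 = 2 weeks is a sensible start).` and add a second `#` line stating that a long value also pins a mistaken policy in sender caches until they see a new id=.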
@@ -23,11 +23,12 @@ In case the sending e-mail server is not able to initiate a secure connection, i 2. Change the file `.well-known/mta-sts.txt` according to your needs. -3. Create a `CNAME` record for `mta-sts.` in your domain's DNS that points to `.github.io` or `.github.io` and [enable GitHub Pages](https://docs.github.com/articles/using-a-custom-domain-with-github-pages/). +3. Create a `CNAME` record for `mta-sts.` in your domain's DNS that points to `.github.io` or `.github.io` and [enable GitHub Pages](https://docs.github.com/articles/using-a-custom-domain-with-github-pages/). 4. Open a browser to `https://mta-sts.` and make sure it does not show any certificate warnings. 5. Create a `TXT` record for `_mta-sts.` in your domain's DNS to enable the MTA-STS policy for your domain. + You may copy & paste this to your DNS provider: ```dns @@ -36,11 +37,10 @@ In case the sending e-mail server is not able to initiate a secure connection, i ``` **Note that you will need to change the `id=` here whenever you make changes to your `mta-sts.txt` policy file.** - 6. Validate your setup, for example by using the [MTA-STS Lookup by MXToolBox](https://mxtoolbox.com/mta-sts.aspx), or looking into your [Hardenize Public Report](https://www.hardenize.com/). -*Optional (but __highly recommended__):* +_Optional (but **highly recommended**):_ 7. Create another `TXT` record for `_smtp._tls.` in your domain's DNS to enable reporting (see [RFC 8460](https://datatracker.ietf.org/doc/html/rfc8460)). You may copy & paste this to your DNS provider: 
@@ -52,7 +52,7 @@ In case the sending e-mail server is not able to initiate a secure connection, i Note that the e-mail recipient mailbox shall be on a different domain _without_ MTA-STS being configured. This could be a subdomain like `mailcheck.`. It is also quite painful to manually deal with the reports other e-mail providers will send to you. For that particular reason, you may want to consider sending these e-mails to a 3rd-party tool like [Report URI](https://report-uri.com/), [URIports](https://www.uriports.com/), or from other commercial providers. - + You probably want this to be the same tool you might use for DMARC reports, like [DMARC Analyzer](https://www.dmarcanalyzer.com/) or [Dmarcian](https://dmarcian.com/). ## License