SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a signed certificate.
G_MTASTS "True"
Enable MTA-STS SSL/TLS rules. This uses DNS entries to discover whether the receiving server should present a signed SSL certificate.
G_MTASTS_WHITE "xyz.com,fred.com"
Domains to ignore MTA-STS rules for: a whitelist of destination domains we should just send to anyway, even if MTA-STS suggests otherwise.
G_MTASTS_REPORT "true"
Alert the manager on MTA-STS failures. Most failures will be due to something other than real attackers (misconfigured policies, expired certificates and the like), so this alert helps you resolve issues and add whitelist entries to the G_MTASTS_WHITE setting for problem domains.
In addition you may wish to add your own MTA-STS file to your domain to enforce your own policy.
The URL you need to create is:
https://mta-sts.YOUR.DOMAIN/.well-known/mta-sts.txt
In that file you should have something like:
version: STSv1
mode: enforce
mx: mail1.your.domain.com
mx: mail2.your.domain.com
max_age: 604800
If mta-sts.your.domain points to your SurgeMail server, then you can place this file in the folder: (surgemail home)/www/.well-known
You must also add a DNS TXT record for your domain:
_mta-sts.your.domain.com "v=STSv1; id=20240610T010101;"
If your policy changes you must update the id field, since senders cache the policy and only re-fetch it when the id changes or max_age expires.
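The policy file and TXT record above are what a sending server reads before deciding whether an MX host may be used. As an added example, not part of the SurgeMail documentation or its code, the script below parses a policy in that format and a _mta-sts TXT record, matches MX hosts against the policy's mx entries (exact names and single-label wildcards such as *.your.domain.com, as the standard allows), and applies a whitelist in the spirit of G_MTASTS_WHITE. The sample policy, TXT record and host names are constructed for the example; the function names are assumptions, not SurgeMail's API.

```python
"""Parse an MTA-STS policy and TXT record, then decide whether delivery
to a given MX host is permitted. Added example; sample data is constructed."""

# Constructed sample policy in the layout shown in the documentation.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail1.your.domain.com
mx: mail2.your.domain.com
max_age: 604800
"""

# Constructed sample _mta-sts TXT record.
SAMPLE_TXT = "v=STSv1; id=20240610T010101;"


def parse_policy(text):
    """Return {'version', 'mode', 'mx': [...], 'max_age'} from a policy
    body, raising ValueError on anything a sender should reject."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        elif key in ("version", "mode"):
            policy[key] = value
        # Unknown keys are ignored so future extensions do not break senders.
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if "max_age" not in policy:
        raise ValueError("missing max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy must list at least one mx")
    return policy


def parse_txt_record(txt):
    """Return the policy id from a _mta-sts TXT record, or None when the
    record is not a valid STSv1 record (e.g. an SPF record by mistake)."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def mx_matches(mx_host, pattern):
    """MTA-STS mx matching: exact host match, or '*.example.com' matching
    exactly one leftmost label (so 'a.b.example.com' does not match)."""
    mx_host = mx_host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return mx_host.endswith(suffix) and "." not in mx_host[: -len(suffix)]
    return mx_host == pattern


def delivery_decision(policy, recipient_domain, mx_host, tls_ok, whitelist=()):
    """Return 'deliver', 'deliver-report' or 'refuse'.

    tls_ok means a TLS session with a certificate valid for mx_host was
    negotiated. Whitelisted recipient domains bypass the policy entirely,
    mirroring the documented G_MTASTS_WHITE behaviour."""
    if recipient_domain.lower() in {d.lower() for d in whitelist}:
        return "deliver"
    if policy["mode"] == "none":
        return "deliver"
    mx_ok = any(mx_matches(mx_host, pat) for pat in policy["mx"])
    if tls_ok and mx_ok:
        return "deliver"
    # Testing mode delivers anyway but the failure should be reported.
    return "deliver-report" if policy["mode"] == "testing" else "refuse"


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    print("policy id:", parse_txt_record(SAMPLE_TXT))
    print(delivery_decision(pol, "your.domain.com", "mail1.your.domain.com", True))
    print(delivery_decision(pol, "your.domain.com", "rogue.example.net", True))
```

A real sender would additionally cache the parsed policy for max_age seconds and only re-fetch it when the TXT record's id changes, which is why the id must be updated whenever the policy file is edited.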