
MTA-STS-DAEMON.YML(5) mta-sts-daemon.yml MTA-STS-DAEMON.YML(5)

NAME

mta-sts-daemon.yml - configuration file for mta-sts-daemon

DESCRIPTION

This file configures the daemon's listening socket, its cache and policy-fetching behaviour, and how MTA-STS policy modes are interpreted.

SYNTAX

The file is in YAML syntax with the following elements:

host: (str) daemon bind address. Default: 127.0.0.1

port: (int) daemon bind port. Default: 8461

path: (str) bind address (path) of the daemon's UNIX socket. If specified, host and port are ignored and a UNIX socket is bound instead of a TCP socket.

mode: (int) file mode for the daemon's UNIX socket. If not specified, the default file mode is used. This option has effect only when a UNIX socket is used. If the file mode is given in octal form (the most common case), it must be written with a leading zero so that YAML parses it as octal. Example: 0666

reuse_port: (bool) allow multiple daemon instances to share the same port (available on Unix and Windows). Default: true

cache_grace: (float) maximum age, in seconds, of a cache entry that is served without refreshing and updating the policy. Default: 60

shutdown_timeout: (float) time limit, in seconds, granted to existing client sessions to finish when the server stops. Default: 20

cache:

    type: (str: internal|sqlite|redis) cache backend type. Default: internal

    options:

        •Options for internal type:

            cache_size: (int) number of cache entries to keep in memory. Default: 10000

        •Options for sqlite type:

            filename: (str) path to the database file

            threads: (int) number of threads in the pool for SQLite connections. Default: number of CPUs

            timeout: (float) timeout in seconds for acquiring a connection from the pool or a DB lock. Default: 5

        •Options for redis type:

            •All parameters are passed to aioredis.from_url [0]. Check there for a parameter reference.

proactive_policy_fetching:

    enabled: (bool) enable proactive policy fetching in the background. Default: false

    interval: (int) if proactive policy fetching is enabled, a fetch run is scheduled every this many seconds. This interval is independent of cache_grace and vice versa. Default: 86400

    concurrency_limit: (int) the maximum number of concurrent domain updates. Default: 100

    grace_ratio: (float) the proactive fetch for a particular domain is skipped if its cached policy is younger than interval/grace_ratio seconds. Default: 2.0

default_zone:

    strict_testing: (bool) enforce the policy for domains in MTA-STS "testing" mode. Default: false

    timeout: (int) timeout in seconds for the network operations of the resolver in that zone. Default: 4

    require_sni: (bool) add the option servername=hostname to policy responses so that Postfix sends SNI in the TLS handshake, as required by RFC 8461. Requires Postfix 3.4 or later. Default: true

zones:

    ZONENAME:

        •Same options as in default_zone

The zone timeout applies to both the DNS and the HTTP requests made while fetching a policy.

With strict_testing enabled, MTA-STS "testing" mode is treated as "strict" mode, so the policies of testing domains are enforced. This may be useful (though noncompliant with RFC 8461) early in an MTA-STS deployment, when many domains still operate in "testing" mode.

EXAMPLE

host: 127.0.0.1
port: 8461
reuse_port: true
shutdown_timeout: 20
proactive_policy_fetching:
  enabled: true
  interval: 86400
  concurrency_limit: 100
  grace_ratio: 2
cache:
  type: internal
  options:
    cache_size: 10000
default_zone:
  strict_testing: false
  timeout: 4
zones:
  myzone:
    strict_testing: false
    timeout: 4
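As an added example (not part of postfix-mta-sts-resolver), the following Python module applies the defaults listed under SYNTAX to an already-parsed configuration mapping and reports the misconfigurations a reviewer looks for: a mode written without the leading zero (YAML reads a bare 666 as decimal), a mode given without path, a sqlite cache without filename, unknown keys, and out-of-range values. It also shows the effective per-zone settings after inheriting from default_zone. EXAMPLE_CONFIG mirrors the EXAMPLE above; BROKEN_CONFIG, including its socket path, is constructed for illustration. YAML parsing is assumed to have been done already (for instance by yaml.safe_load), so the module needs no third-party packages.

```python
"""Validate an mta-sts-daemon.yml mapping against the options documented on this page.
Added example, not project code. Defaults are the ones stated in SYNTAX; the input is
the dict a YAML loader returns, so no third-party package is needed."""
import os

TOP_LEVEL_KEYS = {
    "host", "port", "path", "mode", "reuse_port", "cache_grace", "shutdown_timeout",
    "cache", "proactive_policy_fetching", "default_zone", "zones",
}
CACHE_TYPES = {"internal", "sqlite", "redis"}
ZONE_DEFAULTS = {"strict_testing": False, "timeout": 4, "require_sni": True}
FETCH_DEFAULTS = {"enabled": False, "interval": 86400, "concurrency_limit": 100, "grace_ratio": 2.0}
CACHE_OPTION_DEFAULTS = {
    "internal": {"cache_size": 10000},
    "sqlite": {"threads": os.cpu_count() or 1, "timeout": 5.0},
    "redis": {},  # everything is passed through to aioredis.from_url; nothing to default
}


def _is_int(value):
    # bool is a subclass of int in Python; a YAML `true` must not pass as an integer.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_config(cfg):
    """Return (effective_config, problems); an empty problems list means the config is usable."""
    problems = [f"unknown top-level option: {k}" for k in sorted(set(cfg) - TOP_LEVEL_KEYS)]
    eff = {
        "host": cfg.get("host", "127.0.0.1"),
        "port": cfg.get("port", 8461),
        "reuse_port": cfg.get("reuse_port", True),
        "cache_grace": float(cfg.get("cache_grace", 60)),
        "shutdown_timeout": float(cfg.get("shutdown_timeout", 20)),
    }

    # Listener: a UNIX socket path overrides host/port; mode only matters for that socket.
    if "path" in cfg:
        eff["path"] = cfg["path"]
        if "host" in cfg or "port" in cfg:
            problems.append("host/port are ignored because path is set")
        if "mode" in cfg:
            mode = cfg["mode"]
            if not _is_int(mode) or mode < 0:
                problems.append("mode must be a non-negative integer")
            elif mode > 0o777:
                # YAML reads a bare 666 as decimal 666 (= 0o1232); the page requires a leading zero.
                problems.append(f"mode {mode} exceeds 0777; did you mean 0{mode}?")
            else:
                eff["mode"] = mode
    else:
        if "mode" in cfg:
            problems.append("mode has no effect unless path (UNIX socket) is set")
        if not _is_int(eff["port"]) or not 1 <= eff["port"] <= 65535:
            problems.append(f"port {eff['port']!r} is not a valid TCP port")

    # Cache backend and its per-type options.
    cache = cfg.get("cache") or {}
    ctype = cache.get("type", "internal")
    if ctype not in CACHE_TYPES:
        problems.append(f"cache.type {ctype!r} is not one of {sorted(CACHE_TYPES)}")
        ctype = "internal"
    copts = {**CACHE_OPTION_DEFAULTS[ctype], **(cache.get("options") or {})}
    if ctype == "sqlite" and "filename" not in copts:
        problems.append("cache.options.filename is required for the sqlite backend")
    eff["cache"] = {"type": ctype, "options": copts}

    # Proactive policy fetching: values only matter when the feature is enabled.
    fetch = {**FETCH_DEFAULTS, **(cfg.get("proactive_policy_fetching") or {})}
    if fetch["enabled"]:
        if not _is_int(fetch["interval"]) or fetch["interval"] <= 0:
            problems.append("proactive_policy_fetching.interval must be a positive integer")
        if not _is_int(fetch["concurrency_limit"]) or fetch["concurrency_limit"] < 1:
            problems.append("proactive_policy_fetching.concurrency_limit must be >= 1")
        if not fetch["grace_ratio"] > 0:
            problems.append("proactive_policy_fetching.grace_ratio must be > 0")
    eff["proactive_policy_fetching"] = fetch

    # Zones inherit everything from default_zone and may override individual options.
    default_zone = {**ZONE_DEFAULTS, **(cfg.get("default_zone") or {})}
    eff["default_zone"] = default_zone
    eff["zones"] = {}
    for name, zone in (cfg.get("zones") or {}).items():
        merged = {**default_zone, **(zone or {})}
        for key in sorted(set(merged) - set(ZONE_DEFAULTS)):
            problems.append(f"zones.{name}: unknown option {key}")
        if not isinstance(merged["strict_testing"], bool):
            problems.append(f"zones.{name}: strict_testing must be a bool")
        if merged["timeout"] <= 0:
            problems.append(f"zones.{name}: timeout must be positive")
        eff["zones"][name] = merged
    return eff, problems


# The EXAMPLE section of this page, as a YAML loader would return it.
EXAMPLE_CONFIG = {
    "host": "127.0.0.1", "port": 8461, "reuse_port": True, "shutdown_timeout": 20,
    "proactive_policy_fetching": {"enabled": True, "interval": 86400, "concurrency_limit": 100, "grace_ratio": 2},
    "cache": {"type": "internal", "options": {"cache_size": 10000}},
    "default_zone": {"strict_testing": False, "timeout": 4},
    "zones": {"myzone": {"strict_testing": False, "timeout": 4}},
}

# Constructed misconfiguration: placeholder socket path, mode without the leading zero
# (a YAML loader yields decimal 666), and a sqlite backend with no filename.
BROKEN_CONFIG = {"path": "/run/mta-sts/daemon.sock", "mode": 666, "cache": {"type": "sqlite", "options": {"threads": 2}}}

if __name__ == "__main__":
    for label, cfg in (("example", EXAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        _, problems = validate_config(cfg)
        print(label, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Running the module prints "example OK" and, for the broken mapping, the mode and filename findings. The mode check matters operationally because the socket's file mode decides which local users may connect to the daemon and query policies; a value above 0777 almost always means the leading zero was forgotten.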

SEE ALSO

mta-sts-daemon(1), mta-sts-query(1)

NOTES

0.

2022-10-15 postfix-mta-sts-resolver