From 158b14d555dde2b7a13fa235021a60cd52c6095e Mon Sep 17 00:00:00 2001
From: Julie Zhao
Date: Tue, 7 May 2024 14:51:45 -0400
Subject: [PATCH 01/23] add support pages for MTA-STS in Momentum
---
 .../4/config/mta-sts/enable-mta-sts.md | 31 +++++++
 .../mta-sts/mta-sts-dns-cname-max-depth.md | 31 +++++++
 .../4/config/mta-sts/mta-sts-policy-store.md | 29 ++++++
 .../momentum/4/config/mta-sts/use-mta-sts.md | 27 ++++++
 content/momentum/4/mta-sts.md | 91 +++++++++++++++++++
 5 files changed, 209 insertions(+)
 create mode 100644 content/momentum/4/config/mta-sts/enable-mta-sts.md
 create mode 100644 content/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth.md
 create mode 100644 content/momentum/4/config/mta-sts/mta-sts-policy-store.md
 create mode 100644 content/momentum/4/config/mta-sts/use-mta-sts.md
 create mode 100644 content/momentum/4/mta-sts.md
diff --git a/content/momentum/4/config/mta-sts/enable-mta-sts.md b/content/momentum/4/config/mta-sts/enable-mta-sts.md
new file mode 100644
index 00000000..701539ba
--- /dev/null
+++ b/content/momentum/4/config/mta-sts/enable-mta-sts.md
@@ -0,0 +1,31 @@
+---
+lastUpdated: "06/01/2024"
+title: "enable_mta_sts"
+description: "config option to enable MTA-STS policy application for outbound mails"
+---
+
+
+## Name
+
+enable_mta_sts — specify whether Momentum should apply MTA-STS policies on outbound email sending
+
+## Synopsis
+
+`enable_mta_sts = "true|false"`
+
+## Description
+
+This option is only effective when [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) is `true`
+for a recipient domain.
+This option specified whether Momentum try to apply the retrieved MTA-STS policies when sending
+emails to a remote site. See [mta-sts](/momentum/4/mta-sts) for more details.
+When this option is `true`, the MTA-STS policy mode will take the preference over the config options
+ of [TLS](/momentum/4.config/tls) and [TLS_Verify](/momentum/4/config/tls-verify), unless the
+ MTA-STS policy mode is `none`.
+
+The default value is `true` when the domain level `use_mta_sts` is `true`.
+
+
+## Scope
+
+`enable_mta_sts` is valid in the binding, binding_group, domain and global scopes.
diff --git a/content/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth.md b/content/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth.md
new file mode 100644
index 00000000..563b8ac0
--- /dev/null
+++ b/content/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth.md
@@ -0,0 +1,31 @@
+---
+lastUpdated: "06/01/2024"
+title: "mta_sts_dns_cname_max_depth"
+description: "config option on how many continous cname lookups are allowed when doing MTA-STS TXT
+record lookup for a domain"
+---
+
+
+## Name
+
+mta_sts_dns_cname_max_depth — specifies how many continous cname lookups are allowed when doing DNS
+ lookups for MTA-STS TXT record for a domain. Exceeding the configured value will be treated as a DNS
+ lookup failure, which will be further treated as no MTA-STS policy available.
+
+## Synopsis
+
+`mta_sts_dns_cname_max_depth = 5`
+
+## Description
+
+Momentum supports MTA-STS policy delegation, which points the `_mta-sts` TXT record for the policy
+ domain via `CNAME` (to the `_mta-sts` record maintained by the provider). Momentum's DNS lookup
+ will follow the `CNAME`s. To avoid a DNS lookup loop, Momentum uses this config option to limit how
+ many continuous `CNAME` lookups can happen before claiming a lookup failure.
+
+The default value is `5`.
+
+
+## Scope
+
+`mta_sts_dns_cname_max_depth` is valid in the domain and global scopes.
diff --git a/content/momentum/4/config/mta-sts/mta-sts-policy-store.md b/content/momentum/4/config/mta-sts/mta-sts-policy-store.md
new file mode 100644
index 00000000..662d6d26
--- /dev/null
+++ b/content/momentum/4/config/mta-sts/mta-sts-policy-store.md
@@ -0,0 +1,29 @@
+---
+lastUpdated: "06/01/2024"
+title: "mta_sts_policy_store"
+description: "the location to store the MTA-STS policy"
+---
+
+
+## Name
+
+mta_sts_policy_store — specifies how many continous cname lookups are allowed when doing DNS
+ lookups for MTA-STS TXT record for a domain. Exceeding the configured value will be treated as a DNS
+ lookup failure, which will be further treated as no MTA-STS policy available.
+
+## Synopsis
+
+`mta_sts_policy_store = "/var/spool/ecelerity/mtasts"`
+
+## Description
+
+Momentum stores MTA-STS policy for a domain in file on disk, and accesses the HTTPS endpoint to refresh the
+ policy once every 24 hours. This config option specifies the directory where the policies are stored
+ on the disk.
+
+The default value is `/var/spool/ecelerity/mtasts`.
+
+
+## Scope
+
+`mta_sts_dns_cname_max_depth` is valid in the global scope.
diff --git a/content/momentum/4/config/mta-sts/use-mta-sts.md b/content/momentum/4/config/mta-sts/use-mta-sts.md
new file mode 100644
index 00000000..7640fd60
--- /dev/null
+++ b/content/momentum/4/config/mta-sts/use-mta-sts.md
@@ -0,0 +1,27 @@
+---
+lastUpdated: "06/01/2024"
+title: "use_mta_sts"
+description: "config option to enable MTA-STS policy fetching for a domain"
+---
+
+
+## Name
+
+use_mta_sts — specify whether Momentum should do MTA-STS policy fetching for a domain or not
+
+## Synopsis
+
+`use_mta_sts = "true|false"`
+
+## Description
+
+This option specified whether Momentum shall attempt to discover the recipient domain's MTA-STS
+ policy (via a DNS lookup to retrieve the MTA-STS policy ID and a HTTPS lookup to retrieve the
+ MTA-STS policy)
+
+The default value is `false`.
+
+
+## Scope
+
+`use_mta_sts` is valid in the domain and global scopes.
diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md
new file mode 100644
index 00000000..498a225c
--- /dev/null
+++ b/content/momentum/4/mta-sts.md
@@ -0,0 +1,91 @@
+---
+lastUpdated: "06/01/2024"
+title: "MTA-STS support in Momentum"
+description: "MTA-STS support in Momentum"
+---
+
+MTA-STS (MTA Strict Transport Security) improves email security by requiring authentication
+checks and encryption for delivering email. RFC 8461 describes the use of MTA-STS for improving
+SMTP security between MTAs.
+
+If the per-domain config option [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) is set to `true`,
+ Momentum will attempt to discover the recipient domain's MTA-STS policy
+ (via a DNS lookup to retrieve the MTA-STS policy ID and a HTTPS lookup to retrieve the
+ MTA-STS policy) and use it for validating the connection to the remote site.
+ If the recipient domain enforces MTA-STS, Momentum delivers email to the remote
+domain's MX if and only if the following conditions are satisfied:
+ - remote site matches at least one of the MX patterns defined in the recipient domain's MTA-STS
+ policy
+ - connection to remote site can be encrypted (via the use of STARTTLS)
+ - Momentum can authenticate both - the certificate chain presented by the server on the connection
+ and server name in the certificate
+
+For verifying certificates, Momentum use the configured CA for outbound email defined by
+ [TLS_CA](/momentum/4/config/tls-ca).
+ Momentum does not currently check for certificate revocation via the Online Certificate Status
+Protocol (RFC 6960).
+
+Momentum caches the MTA-STS policy for up to `max-age` specified in the policy, and attempts to
+refresh the cached policy once every 24 hours.
+
+Momentum does not currently implement SMTP TLS Reporting (RFC 8460).
+
+The examples below illustrate a few cases describing how Momentum implements MTA-STS.
+For all examples the recipient domain would be domain.com.
+
+### Example 1: Recipient domain enforces MTA-STS and MX is allowed as per the MTA-STS policy
+
+> **MTA-STS policy retrieved from https://mta-sts.domain.com/.well-known/mta-sts.txt**
+```
+version: STSv1
+mode: enforce
+mx: *.domain.com
+max_age: 86400
+```
+> **DNS results for domain's MX lookup**
+```
+mx1.domain.com
+```
+> **Explanation**
+> Momentum attempts to deliver email to `mx1.domain.com` as it matches at least one of the
+MX patterns defined in the MTA-STS policy.
+
+### Example 2: Recipient domain enforces MTA-STS and MX is not allowed as per the MTA-STS policy
+
+> **MTA-STS policy retrieved from https://mta-sts.domain.com/.well-known/mta-sts.txt**
+```
+version: STSv1
+mode: enforce
+mx: *.domain.com
+max_age: 86400
+```
+> **DNS results for domain's MX lookup**
+```
+mx1.other.com
+```
+> **Explanation**
+> Momentum does not attempt to deliver email to `mx1.other.com` as it does not match any of the
+MX patterns defined in the MTA-STS policy.
+
+### Example 3: Recipient domain does not enforce MTA-STS and MX is not allowed as per the MTA-STS
+policy
+
+> **MTA-STS policy retrieved from https://mta-sts.domain.com/.well-known/mta-sts.txt**
+```
+version: STSv1
+mode: testing
+mx: *.domain.com
+max_age: 86400
+```
+> **DNS results for domain's MX lookup**
+```
+mx1.other.com
+```
+> **Explanation**
+> Momentum attempts to deliver email to `mx1.other.com` even though it does not match any of the
+MX patterns defined in the MTA-STS policy since the policy mode is not `enforce`.
+
+
+## Related Configuration Options
+- [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts)
+- [enable_mta_sts](/momentum/4/coonfig/mta-sts/enable-mta-sts)
From 30f2f6b00e904b74c1ebb214a755d72818159f60 Mon Sep 17 00:00:00 2001
From: Julie Zhao
Date: Tue, 7 May 2024 15:18:01 -0400
Subject: [PATCH 02/23] update
---
 .../momentum/4/config/mta-sts/enable-mta-sts.md | 15 +++++++++++----
 content/momentum/4/mta-sts.md | 4 +++-
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/content/momentum/4/config/mta-sts/enable-mta-sts.md b/content/momentum/4/config/mta-sts/enable-mta-sts.md
index 701539ba..f0868648 100644
--- a/content/momentum/4/config/mta-sts/enable-mta-sts.md
+++ b/content/momentum/4/config/mta-sts/enable-mta-sts.md
@@ -17,11 +17,18 @@ enable_mta_sts — specify whether Momentum should apply MTA-STS policies on out
 This option is only effective when [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) is `true`
 for a recipient domain.
-This option specified whether Momentum try to apply the retrieved MTA-STS policies when sending
+This option specified whether Momentum should try to apply the retrieved MTA-STS policies when sending
 emails to a remote site. See [mta-sts](/momentum/4/mta-sts) for more details.
-When this option is `true`, the MTA-STS policy mode will take the preference over the config options
- of [TLS](/momentum/4.config/tls) and [TLS_Verify](/momentum/4/config/tls-verify), unless the
- MTA-STS policy mode is `none`.
+When this option is `true`, the MTA-STS policy mode will be considered along with the configuration
+ values for [TLS](/momentum/4.config/tls) and [TLS_Verify](/momentum/4/config/tls-verify).
+ The more strict policy will apply. E.g. When the MTA-STS policy mode is `enforce`, regardless the
+ values for `TLS` and `TLS_Verify`, Momentum will enforce TLS (equivalent to `TLS = required`) and
+ will fail the delivery upon a failed certificate validation (equivalent to `TLS_Verify = host`).
+ When the MTA-STS policy mode is `testing`, Momentum will apply `TLS = ifavailable` (unless
+ `TLS = required` is specified) and `TLS_Verify = optional` (unless `TLS_Verify = host` is
+ specified).
+ When the MTA-STS policy mode is `none`, the configuration values for `TLS` and `TLS_Verify` will be
+ respected.
 The default value is `true` when the domain level `use_mta_sts` is `true`.
diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md
index 498a225c..307bafbb 100644
--- a/content/momentum/4/mta-sts.md
+++ b/content/momentum/4/mta-sts.md
@@ -88,4 +88,6 @@ MX patterns defined in the MTA-STS policy since the policy mode is not `enforce`
 ## Related Configuration Options
 - [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts)
-- [enable_mta_sts](/momentum/4/coonfig/mta-sts/enable-mta-sts)
+- [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts)
+- [mta_sts_dns_cname_max_depth](/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth)
+- [mta_sts_policy_store](/momentum/4/config/mta-sts/mta-sts-policy-store)
From b34fc8bee1ad20dd6bec1dfaa0bd5aa92dec5877 Mon Sep 17 00:00:00 2001
From: Julie Zhao
Date: Tue, 7 May 2024 21:53:32 -0400
Subject: [PATCH 03/23] update debug_flags for MTA-STS
---
 content/momentum/4/config/ref-debug-flags.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/content/momentum/4/config/ref-debug-flags.md b/content/momentum/4/config/ref-debug-flags.md
index 666d5c73..e4bd253c 100644
--- a/content/momentum/4/config/ref-debug-flags.md
+++ b/content/momentum/4/config/ref-debug-flags.md
@@ -57,6 +57,7 @@ Use ‘`ALL`’ instead of listing each service debug flag.
 | LOG1 | LOG1 |
 | DNS | DNS |
 | DNS data structures | DNSDS |
+| MTA-STS | MTA_STS |
 | Network | NET |
 | Signals | SIG |
 | Memory Management | MEM |
@@ -69,4 +70,4 @@ Use ‘`ALL`’ instead of listing each service debug flag.
 ## Scope
-debug_flags is valid in the global scope.
\ No newline at end of file
+debug_flags is valid in the global scope.
From 07da5a2317f4427c334719699c78bffec1174061 Mon Sep 17 00:00:00 2001
From: Julie Zhao
Date: Wed, 8 May 2024 10:19:44 -0400
Subject: [PATCH 04/23] minor format
---
 content/momentum/4/config/mta-sts/enable-mta-sts.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/content/momentum/4/config/mta-sts/enable-mta-sts.md b/content/momentum/4/config/mta-sts/enable-mta-sts.md
index f0868648..7dfae5c0 100644
--- a/content/momentum/4/config/mta-sts/enable-mta-sts.md
+++ b/content/momentum/4/config/mta-sts/enable-mta-sts.md
@@ -19,6 +19,8 @@ This option is only effective when [use_mta_sts](/momentum/4/config/mta-sts/use-
 for a recipient domain.
 This option specified whether Momentum should try to apply the retrieved MTA-STS policies when sending
 emails to a remote site. See [mta-sts](/momentum/4/mta-sts) for more details.
+
+
 When this option is `true`, the MTA-STS policy mode will be considered along with the configuration
 values for [TLS](/momentum/4.config/tls) and [TLS_Verify](/momentum/4/config/tls-verify).
 The more strict policy will apply. E.g. When the MTA-STS policy mode is `enforce`, regardless the
From fd6593995a13a4464db5d2a92de94029c4ed93a9 Mon Sep 17 00:00:00 2001
From: Julie Zhao
Date: Wed, 8 May 2024 14:27:31 -0400
Subject: [PATCH 05/23] mta_sts ec_console commands
---
 .../4/config/mta-sts/enable-mta-sts.md | 6 ++-
 .../momentum/4/console-commands/mta-sts.md | 53 +++++++++++++++++++
 content/momentum/4/mta-sts.md | 6 +++
 content/momentum/navigation.yml | 4 +-
 4 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 content/momentum/4/console-commands/mta-sts.md
diff --git a/content/momentum/4/config/mta-sts/enable-mta-sts.md b/content/momentum/4/config/mta-sts/enable-mta-sts.md
index 7dfae5c0..98f3a228 100644
--- a/content/momentum/4/config/mta-sts/enable-mta-sts.md
+++ b/content/momentum/4/config/mta-sts/enable-mta-sts.md
@@ -18,17 +18,19 @@ enable_mta_sts — specify whether Momentum should apply MTA-STS policies on out
 This option is only effective when [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) is `true`
 for a recipient domain.
 This option specified whether Momentum should try to apply the retrieved MTA-STS policies when sending
-emails to a remote site. See [mta-sts](/momentum/4/mta-sts) for more details.
+emails to a remote site. See [MTA-STS support in Momentum](/momentum/4/mta-sts) for more details.
 When this option is `true`, the MTA-STS policy mode will be considered along with the configuration
- values for [TLS](/momentum/4.config/tls) and [TLS_Verify](/momentum/4/config/tls-verify).
+ values for [TLS](/momentum/4/config/ref-tls) and [TLS_Verify](/momentum/4/config/tls-verify).
 The more strict policy will apply. E.g. When the MTA-STS policy mode is `enforce`, regardless the
 values for `TLS` and `TLS_Verify`, Momentum will enforce TLS (equivalent to `TLS = required`) and
 will fail the delivery upon a failed certificate validation (equivalent to `TLS_Verify = host`).
+
 When the MTA-STS policy mode is `testing`, Momentum will apply `TLS = ifavailable` (unless
 `TLS = required` is specified) and `TLS_Verify = optional` (unless `TLS_Verify = host` is
 specified).
+
 When the MTA-STS policy mode is `none`, the configuration values for `TLS` and `TLS_Verify` will be
 respected.
diff --git a/content/momentum/4/console-commands/mta-sts.md b/content/momentum/4/console-commands/mta-sts.md
new file mode 100644
index 00000000..5e6e99d9
--- /dev/null
+++ b/content/momentum/4/console-commands/mta-sts.md
@@ -0,0 +1,53 @@
+---
+lastUpdated: "06/01/2024"
+title: "mta_sts"
+description: "mta_sts ec_console commands"
+---
+
+
+## Name
+
+mta_sts - commands for MTA-STS related data
+
+## Synopsis
+
+`mta_sts list all`
+
+`mta-sts show domain {domain name}`
+
+`mta-sts refresh policy {domain name}`
+
+## Description
+
+**mta_sts list all** list all the active domains which have MTA-STS policies
+
+```
+15:42:38 /tmp/2025> mta_sts list all
+gmail.com
+Total domains: 1
+```
+
+**mta-sts show domain { domain name }** show MTA-STS TXT record and policy details of a given domain.
+ The same content will show in [domain](/momentum/4/console-commands/domain) command output also if
+ available.
+
+
+```
+18:13:43 /tmp/2025> mta_sts show domain gmail.com
+Domain 'gmail.com' has MTA-STS TXT and a TTL of 185 seconds
+ id: 20190429T010101
+ max_age: 86400 seconds; refresh in 86375 seconds
+ mode: enforce
+ mxlist:
+ gmail-smtp-in.l.google.com
+ gmail-smtp-in.l.google.com
+```
+
+**mta-sts refresh policy {domain name}** force to fetch MTA-STS policy from the HTTPS endpoint for a
+given domain
+
+
+```
+18:14:41 /tmp/2025> mta_sts refresh policy gmail.com
+MTA-STS policy for gmail.com refreshed.
+```
diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md
index 307bafbb..831f3285 100644
--- a/content/momentum/4/mta-sts.md
+++ b/content/momentum/4/mta-sts.md
@@ -91,3 +91,9 @@ MX patterns defined in the MTA-STS policy since the policy mode is not `enforce`
 - [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts)
 - [mta_sts_dns_cname_max_depth](/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth)
 - [mta_sts_policy_store](/momentum/4/config/mta-sts/mta-sts-policy-store)
+
+## Related [Debug_Flags](/momentum/4/config/ref-debug-flags)
+- MTA_STS
+
+## ec_console commands
+- [mta_sts](/momentum/4/console-commands/mta-sts
diff --git a/content/momentum/navigation.yml b/content/momentum/navigation.yml
index ad8832b8..4340432d 100644
--- a/content/momentum/navigation.yml
+++ b/content/momentum/navigation.yml
@@ -511,6 +511,8 @@
 title: Sending Emails as CC and BCC
 - link: /momentum/4/complex-template
 title: Using Complex Templates
+ - link: /momentum/4/mta-sts
+ title: MTA-STS support
 - link: /momentum/4/http-api-stats
 title: Stats HTTP API
 items:
@@ -2007,4 +2009,4 @@
 - link: /momentum/changelog/legacy/message-central
 title: Message Central Legacy Changelog
 - link: /momentum/changelog/legacy/message-scope
- title: Message Scope Legacy Changelog
\ No newline at end of file
+ title: Message Scope Legacy Changelog
From 43de084b754dc80d91eb26d3122e49a23d84a417 Mon Sep 17 00:00:00 2001
From: Julie Zhao
Date: Wed, 8 May 2024 16:34:15 -0400
Subject: [PATCH 06/23] more minor changes
---
 content/momentum/4/config/mta-sts/enable-mta-sts.md | 8 ++++----
 content/momentum/4/config/mta-sts/mta-sts-policy-store.md | 6 ++----
 content/momentum/4/config/mta-sts/use-mta-sts.md | 4 ++--
 content/momentum/4/console-commands/mta-sts.md | 8 ++++----
 content/momentum/4/mta-sts.md | 8 ++++----
 5 files changed, 16 insertions(+), 18 deletions(-)
diff --git a/content/momentum/4/config/mta-sts/enable-mta-sts.md b/content/momentum/4/config/mta-sts/enable-mta-sts.md
index 98f3a228..6d414c38 100644
--- a/content/momentum/4/config/mta-sts/enable-mta-sts.md
+++ b/content/momentum/4/config/mta-sts/enable-mta-sts.md
@@ -17,7 +17,7 @@ enable_mta_sts — specify whether Momentum should apply MTA-STS policies on out
 This option is only effective when [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) is `true`
 for a recipient domain.
-This option specified whether Momentum should try to apply the retrieved MTA-STS policies when sending
+This option specifies whether Momentum should try to apply the retrieved MTA-STS policy when sending
 emails to a remote site. See [MTA-STS support in Momentum](/momentum/4/mta-sts) for more details.
@@ -27,12 +27,12 @@ When this option is `true`, the MTA-STS policy mode will be considered along wit
 values for `TLS` and `TLS_Verify`, Momentum will enforce TLS (equivalent to `TLS = required`) and
 will fail the delivery upon a failed certificate validation (equivalent to `TLS_Verify = host`).
- When the MTA-STS policy mode is `testing`, Momentum will apply `TLS = ifavailable` (unless
+When the MTA-STS policy mode is `testing`, Momentum will apply `TLS = ifavailable` (unless
 `TLS = required` is specified) and `TLS_Verify = optional` (unless `TLS_Verify = host` is
 specified).
- When the MTA-STS policy mode is `none`, the configuration values for `TLS` and `TLS_Verify` will be
- respected.
+When the MTA-STS policy mode is `none`, the policy will be ignored and the configuration values for
+ `TLS` and `TLS_Verify` will be respected.
 The default value is `true` when the domain level `use_mta_sts` is `true`.
diff --git a/content/momentum/4/config/mta-sts/mta-sts-policy-store.md b/content/momentum/4/config/mta-sts/mta-sts-policy-store.md
index 662d6d26..3464d11b 100644
--- a/content/momentum/4/config/mta-sts/mta-sts-policy-store.md
+++ b/content/momentum/4/config/mta-sts/mta-sts-policy-store.md
@@ -7,9 +7,7 @@ description: "the location to store the MTA-STS policy"
 ## Name
-mta_sts_policy_store — specifies how many continous cname lookups are allowed when doing DNS
- lookups for MTA-STS TXT record for a domain. Exceeding the configured value will be treated as a DNS
- lookup failure, which will be further treated as no MTA-STS policy available.
+mta_sts_policy_store — specifies the location to keep the MTA-STS policy details for the domains.
 ## Synopsis
@@ -17,7 +15,7 @@ mta_sts_policy_store — specifies how many continous cname lookups are allowed
 ## Description
-Momentum stores MTA-STS policy for a domain in file on disk, and accesses the HTTPS endpoint to refresh the
+Momentum stores MTA-STS policy for a domain in a file on disk, and accesses the HTTPS endpoint to refresh the
 policy once every 24 hours. This config option specifies the directory where the policies are stored
 on the disk.
diff --git a/content/momentum/4/config/mta-sts/use-mta-sts.md b/content/momentum/4/config/mta-sts/use-mta-sts.md
index 7640fd60..e15e91aa 100644
--- a/content/momentum/4/config/mta-sts/use-mta-sts.md
+++ b/content/momentum/4/config/mta-sts/use-mta-sts.md
@@ -15,8 +15,8 @@ use_mta_sts — specify whether Momentum should do MTA-STS policy fetching for a
 ## Description
-This option specified whether Momentum shall attempt to discover the recipient domain's MTA-STS
- policy (via a DNS lookup to retrieve the MTA-STS policy ID and a HTTPS lookup to retrieve the
+This option specifies whether Momentum shall attempt to discover the recipient domain's MTA-STS
+ policy (via a DNS TXT lookup to retrieve the MTA-STS policy ID and a HTTPS lookup to retrieve the
 MTA-STS policy)
 The default value is `false`.
diff --git a/content/momentum/4/console-commands/mta-sts.md b/content/momentum/4/console-commands/mta-sts.md
index 5e6e99d9..e11230a3 100644
--- a/content/momentum/4/console-commands/mta-sts.md
+++ b/content/momentum/4/console-commands/mta-sts.md
@@ -19,7 +19,7 @@ mta_sts - commands for MTA-STS related data
 ## Description
-**mta_sts list all** list all the active domains which have MTA-STS policies
+**mta_sts list all** - lists all the active domains which have MTA-STS policies
 ```
 15:42:38 /tmp/2025> mta_sts list all
@@ -27,7 +27,7 @@ gmail.com
 Total domains: 1
 ```
-**mta-sts show domain { domain name }** show MTA-STS TXT record and policy details of a given domain.
+**mta-sts show domain { domain name }** - shows MTA-STS TXT record and policy details of a given domain.
 The same content will show in [domain](/momentum/4/console-commands/domain) command output also if
 available.
@@ -43,8 +43,8 @@ Domain 'gmail.com' has MTA-STS TXT and a TTL of 185 seconds
 gmail-smtp-in.l.google.com
 ```
-**mta-sts refresh policy {domain name}** force to fetch MTA-STS policy from the HTTPS endpoint for a
-given domain
+**mta-sts refresh policy {domain name}** - forces MTA-STS policy refresh by fetching the policy
+ from the HTTPS endpoint for a given domain
 ```
diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md
index 831f3285..c0e1836b 100644
--- a/content/momentum/4/mta-sts.md
+++ b/content/momentum/4/mta-sts.md
@@ -18,9 +18,9 @@ domain's MX if and only if the following conditions are satisfied:
 policy
 - connection to remote site can be encrypted (via the use of STARTTLS)
 - Momentum can authenticate both - the certificate chain presented by the server on the connection
- and server name in the certificate
+ and the server name in the certificate
-For verifying certificates, Momentum use the configured CA for outbound email defined by
+For verifying certificates, Momentum uses the configured CA for outbound email defined by
 [TLS_CA](/momentum/4/config/tls-ca).
 Momentum does not currently check for certificate revocation via the Online Certificate Status
 Protocol (RFC 6960).
@@ -31,7 +31,7 @@ refresh the cached policy once every 24 hours.
 Momentum does not currently implement SMTP TLS Reporting (RFC 8460).
 The examples below illustrate a few cases describing how Momentum implements MTA-STS.
-For all examples the recipient domain would be domain.com.
+For all examples the recipient domain would be `domain.com`.
 ### Example 1: Recipient domain enforces MTA-STS and MX is allowed as per the MTA-STS policy
@@ -96,4 +96,4 @@ MX patterns defined in the MTA-STS policy since the policy mode is not `enforce`
 - MTA_STS
 ## ec_console commands
-- [mta_sts](/momentum/4/console-commands/mta-sts
+- [mta_sts](/momentum/4/console-commands/mta-sts)
From 0b767dcc28c8f2e7a8d64bed881d6fc023376ec8 Mon Sep 17 00:00:00 2001
From: Julie Zhao
Date: Thu, 9 May 2024 15:19:12 -0400
Subject: [PATCH 07/23] minor update
---
 content/momentum/4/console-commands/mta-sts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/momentum/4/console-commands/mta-sts.md b/content/momentum/4/console-commands/mta-sts.md
index e11230a3..349d9ad8 100644
--- a/content/momentum/4/console-commands/mta-sts.md
+++ b/content/momentum/4/console-commands/mta-sts.md
@@ -40,7 +40,7 @@ Domain 'gmail.com' has MTA-STS TXT and a TTL of 185 seconds
 mode: enforce
 mxlist:
 gmail-smtp-in.l.google.com
- gmail-smtp-in.l.google.com
+ *.gmail-smtp-in.l.google.com
 ```
 **mta-sts refresh policy {domain name}** - forces MTA-STS policy refresh by fetching the policy
From 68aac62a0a19a6c409b55376de95da6cead58bed Mon Sep 17 00:00:00 2001
From: Julie Zhao
Date: Thu, 9 May 2024 15:22:00 -0400
Subject: [PATCH 08/23] minor update
---
 content/momentum/4/console-commands/mta-sts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/momentum/4/console-commands/mta-sts.md b/content/momentum/4/console-commands/mta-sts.md
index 349d9ad8..1246cdc7 100644
--- a/content/momentum/4/console-commands/mta-sts.md
+++ b/content/momentum/4/console-commands/mta-sts.md
@@ -28,7 +28,7 @@ Total domains: 1
 ```
 **mta-sts show domain { domain name }** - shows MTA-STS TXT record and policy details of a given domain.
- The same content will show in [domain](/momentum/4/console-commands/domain) command output also if
+ The same content will be shown in [domain](/momentum/4/console-commands/domain) command output also if
 available.
From 57d115d0396e20662d6eddd8881fa68801a94bd3 Mon Sep 17 00:00:00 2001
From: Julie Zhao
Date: Tue, 14 May 2024 08:56:02 -0400
Subject: [PATCH 09/23] add mta-sts config options and control commands into summaries
---
 content/momentum/4/4-console-commands.md | 5 ++++-
 content/momentum/4/config-options-summary.md | 4 ++++
 content/momentum/4/config/index.md | 4 ++++
 content/momentum/4/console-commands/index.md | 4 +++-
 4 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/content/momentum/4/4-console-commands.md b/content/momentum/4/4-console-commands.md
index 3570e8fd..4136666f 100644
--- a/content/momentum/4/4-console-commands.md
+++ b/content/momentum/4/4-console-commands.md
@@ -118,6 +118,9 @@ This table lists all console commands alphabetically giving a brief description.
 | [message retry](/momentum/4/console-commands/message-retry) – Perform an immediate delivery attempt on a message | 4.0 |   | message |
 | [module hooks](/momentum/4/console-commands/4-module) – Manage loaded module hooks | 4.0 |   | module |
 | [module list](/momentum/4/console-commands/4-module) – Show loaded modules | 4.0 |   | module |
+| [mta_sts list all](/momentum/4/console-commands/mta-sts) – list active domains which have MTA-STS policy | 4.8 |   | mta-sts |
+| [mta_sts show domain](/momentum/4/console-commands/mta-sts) – show MTA-STS policy details for a domain | 4.8 |   | mta-sts |
+| [mta_sts refresh policy](/momentum/4/console-commands/mta-sts) – refresh MTA-STS policy for a domain | 4.8 |   | mta-sts |
 | [outbound_audit:instance_name clear all](/momentum/4/modules/outbound-audit#modules.outbound_audit.console) – Zero-out all statistics | 4.0 | outbound_audit | module |
 | [outbound_audit:instance_name clear domain](/momentum/4/modules/outbound-audit#modules.outbound_audit.console) – Zero-out a domain's statistics | 4.0 | outbound_audit | module |
 | [outbound_audit:instance_name domain_list](/momentum/4/modules/outbound-audit#modules.outbound_audit.console) – Runtime addition/deletion of a domain in the monitoring list | 4.0 | outbound_audit | module |
@@ -160,4 +163,4 @@ This table lists all console commands alphabetically giving a brief description.
 | [trace smtp remove](/momentum/4/console-commands/trace-smtp) – Remove an SMTP trace | 4.0 |   | misc |
 | [unlink stats](/momentum/4/console-commands/unlink-stats) – Show statistics of removing messages from the disk | 4.0 |   | stats |
 | [version](/momentum/4/console-commands/version) – Show version information of Momentum | 4.0 |   | misc |
-| [write config](/momentum/4/console-commands/write-config) – Display current running configuration | 4.0 |   | config |
\ No newline at end of file
+| [write config](/momentum/4/console-commands/write-config) – Display current running configuration | 4.0 |   | config |
diff --git a/content/momentum/4/config-options-summary.md b/content/momentum/4/config-options-summary.md
index cca6110c..7f3f5293 100644
--- a/content/momentum/4/config-options-summary.md
+++ b/content/momentum/4/config-options-summary.md
@@ -149,6 +149,7 @@ The `Version` column indicated the version(s) of Momentum that support the optio
 | [enable_authorization](/momentum/4/control-authz) – Whether or not to enable authorization for console commands | receiving |   | 4.0 and later | control_listener, listen, peer |
 | [enable_duravip](/momentum/4/4-cluster-config-duravip) – Whether to enable Durable MultiVIP© bindings (cluster-specific) | both |   | 4.0 and later | binding, listen |
 | [enable_fbl_header_insertion](/momentum/4/config/ref-enable-fbl-header-insertion) – Enable or disable fbl header insertion | sending |   | 4.0 and later | binding, binding_group, domain, global |
+| [enable_mta_sts](/momentum/4/config/mta-sts/enable_mta_sts) – Enable or disable MTA-STS policy application | sending |   | 4.8 and later | binding, binding_group, domain, global |
 | **enabled** – Whether or not the module is enabled (cluster-specific) | na | true | 4.0 and later | cluster |
 | [error](/momentum/4/config/ref-debug-flags) – Set the debug level | na | ALL | 4.0 and later | debug_flags |
 | [esmtp_listener](/momentum/4/esmtp-listener) *(scope)* – Listener for incoming SMTP connections | receiving |   | 4.0 and later | global |
@@ -237,6 +238,8 @@ The `Version` column indicated the version(s) of Momentum that support the optio
 | [max_resident_active_queue](/momentum/4/config/ref-max-resident-active-queue) – Threshold above which messages are not held in memory | sending | 250 | 4.0 and later | binding, binding_group, domain, global |
 | [max_resident_messages](/momentum/4/config/ref-max-resident-messages) – Threshold above which messages are not held in memory | sending | 32768 | 4.0 and later | binding, binding_group, global |
 | [max_resident_transfails](/momentum/4/config/ref-max-resident-transfails) – If the transient failure queue grows beyond this size, messages are swapped out of memory | sending | 100 | 4.0 and later | global |
+| [mta_sts_dns_cname_max_depth](/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth) – Maximum number of continous CNAME lookups allowed while doing MTA-STS DNS lookup | sending | 5 | 4.8 and later | global |
+| [mta_sts_policy_store](/momentum/4/config/mta-sts/mta-sts-policy-store) – Directory to store MTA-STS policy files | sending | /var/spool/ecelerity/mtasts (*non-dynamic*) | 4.8 and later | global |
 | [swap_out_meta_after_each_tempfail](/momentum/4/config/ref-swap-out-meta-after-each-tempfail) – If this is set to false, Momentum will only update metadata on disk after each tempfail if the message context is dirty, and the num_retires, next_attempt and message context may not be accurate if Momentum crashes | sending | true | 4.3.1 and later | global |
 | [max_retries](/momentum/4/config/ref-max-retries) – Override the system configured max_retries | sending |   | 4.0 and later | binding, binding_group, domain, global |
 | [max_retry_interval](/momentum/4/config/ref-max-retry-interval) – Maximum retry interval | sending | 43200 | 4.0 and later | binding, binding_group, domain, global |
@@ -365,6 +368,7 @@ The `Version` column indicated the version(s) of Momentum that support the optio | [use_iflist_cache](/momentum/4/config/ref-use-iflist-cache) – Whether or not to cache the list of interfaces configured by the system | sending | 0 (*non-dynamic*) | 4.0 and later | global | | [use_ipv6](/momentum/4/config/ref-use-ipv-6) – Affects the selection of IPv6 hosts in the SMTP client | sending | false | 4.0 and later | global | | [use_mmap](/momentum/4/config/ref-use-mmap) – Use mmap when spooling messages from disk | na | false | 4.0 and later | global | +| [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) – Enable MTA-STS policy fetching on a domain | sending | false | 4.8 and later | global, domain | | [use_sendfile](/momentum/4/config/ref-use-sendfile) – Use sendfile() when sending mail | sending | false | 4.0 and later | global | | **use_ssl** – Whether or not to use SSL verification | receiving | false | 4.0 and later | ecstream_listener, esmtp_listener, http_listener, listen, pathway, pathway_group, peer | | [user](/momentum/4/config/ref-user) – User identity to assume after startup | na | ecuser (*non-dynamic*) | 4.0 and later | security | diff --git a/content/momentum/4/config/index.md b/content/momentum/4/config/index.md index 5f820d16..b2d056c2 100644 --- a/content/momentum/4/config/index.md +++ b/content/momentum/4/config/index.md 
@@ -76,6 +76,7 @@ description: "This chapter provides the definitions of the configuration options | [ehlo_hostname](/momentum/4/config/ref-ehlo-hostname) | set the hostname used for EHLO in outbound mail | | [ehlo_timeout](/momentum/4/config/ref-ehlo-timeout) | network timeout for EHLO | | [enable_fbl_header_insertion](/momentum/4/config/ref-enable-fbl-header-insertion) | enable or disable fbl header insertion | +| [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) | enable application of MTA-STS policy on email delivery to a remote domain | | [event_loop](/momentum/4/config/ref-event-loop) | associate a pool of event loops within a listener scope to use multiple threads | | [eventloop](/momentum/4/config/ref-eventloop) | define a pool of event loops to enable multiple event loop configuration | | [events_per_iter](/momentum/4/config/ref-events-per-iter) | employ when using a concurrency greater than 1. | 
@@ -136,6 +137,8 @@ description: "This chapter provides the definitions of the configuration options | [migrate_connections_between_sibling_domains](/momentum/4/config/ref-migrate-connections-between-sibling-domains) | optimize connections for sibling domains | | [mime_parse_large_messages_during_reception](/momentum/4/config/ref-mime-parse-large-messages-during-reception) | configure whether large messages are parsed upon reception or just in time. | | [min_dns_ttl](/momentum/4/config/ref-min-dns-ttl) | override DNS TTLs smaller than this value | +| [mta_sts_dns_cname_max_depth](/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth) | the maximum number of continuous CNAME lookups while doing MTA-STS DNS TXT lookup | +| [mta_sts_policy_store](/momentum/4/config/mta-sts/mta-sts-policy-store) | the directory to store MTA-STS policy files | | [mx_failures_fallback_to_a](/momentum/4/config/ref-mx-failures-fallback-to-a) | configure the maximum number of times an MX lookup will be attempted | | [mx_failures_to_delay](/momentum/4/config/ref-mx-failures-to-delay) | number of consecutive failures before a domain is auto-delayed | | [never_attempt_expired_messages](/momentum/4/config/ref-never-attempt-expired-messages) | Never attempt delivery of expired messages | 
@@ -227,6 +230,7 @@ description: "This chapter provides the definitions of the configuration options | [use_iflist_cache](/momentum/4/config/ref-use-iflist-cache) | Whether or not to cache the list of network interfaces configured by the system | | [use_ipv6](/momentum/4/config/ref-use-ipv-6) | Affects the selection of IPv6 hosts in the SMTP client | | [use_mmap](/momentum/4/config/ref-use-mmap) | use mmap when spooling messages from disk | +| [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) | fetch MTA-STS policy for a domain | | [use_sendfile](/momentum/4/config/ref-use-sendfile) | use sendfile() when sending mail | | [user](/momentum/4/config/ref-user) | security: user identity to assume after startup | | [xclient](/momentum/4/config/ref-xclient) | use the xclient extension to SMTP for outbound mail | diff --git a/content/momentum/4/console-commands/index.md b/content/momentum/4/console-commands/index.md index d9219f1c..e7aac765 100644 --- a/content/momentum/4/console-commands/index.md +++ b/content/momentum/4/console-commands/index.md @@ -1,5 +1,5 @@ --- -lastUpdated: "02/09/2021" +lastUpdated: "06/01/2024" title: "Category File" type: "custom" name: "Non-Module-Specific Console Commands" 
@@ -44,6 +44,8 @@ description: "This section documents all the non module specific console command | [message fail quiet](/momentum/4/console-commands/message-fail-quiet) | fail a message and do not create a non-delivery receipt (NDR) | | [message retry](/momentum/4/console-commands/message-retry) | perform an immediate delivery attempt on a message | | [module](/momentum/4/console-commands/4-module) | manage loaded modules online | +| [mta_sts](/momentum/4/console-commands/mta_sts) | commands to display and manage MTA-STS policy for a domain | +| [\pager](/momentum/4/console-commands/pager) | Page output of long console commands in the console. | | [\pager](/momentum/4/console-commands/pager) | Page output of long console commands in the console. | | [paniclog](/momentum/4/console-commands/paniclog) | show last several entries written to paniclog | | [pid](/momentum/4/console-commands/pid) | show process id of Momentum | From ea735d43df27ce3a3ffb37e7030db2f8be017085 Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Tue, 14 May 2024 10:27:20 -0400 Subject: [PATCH 10/23] review comments --- content/momentum/4/config-options-summary.md | 2 +- .../4/config/mta-sts/enable-mta-sts.md | 6 ++--- .../momentum/4/config/mta-sts/use-mta-sts.md | 2 +- content/momentum/4/mta-sts.md | 27 ++++++++++--------- 4 files changed, 19 insertions(+), 18 deletions(-) diff --git a/content/momentum/4/config-options-summary.md b/content/momentum/4/config-options-summary.md index 7f3f5293..33915dcb 100644 --- a/content/momentum/4/config-options-summary.md +++ b/content/momentum/4/config-options-summary.md 
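Review bot: The new `mta_sts` console-command row links to `/momentum/4/console-commands/mta_sts` (underscore), but the command's page is `content/momentum/4/console-commands/mta-sts.md` (edited in PATCH 18/23) and mta-sts.md itself links to `/momentum/4/console-commands/mta-sts`, so this link most likely resolves to nothing. Change the row to `| [mta_sts](/momentum/4/console-commands/mta-sts) | commands to display and manage MTA-STS policy for a domain |`. The underscore link survives the later edit of this table in PATCH 11/23, so it needs fixing there too.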
@@ -149,7 +149,7 @@ The `Version` column indicated the version(s) of Momentum that support the optio | [enable_authorization](/momentum/4/control-authz) – Whether or not to enable authorization for console commands | receiving |   | 4.0 and later | control_listener, listen, peer | | [enable_duravip](/momentum/4/4-cluster-config-duravip) – Whether to enable Durable MultiVIP© bindings (cluster-specific) | both |   | 4.0 and later | binding, listen | | [enable_fbl_header_insertion](/momentum/4/config/ref-enable-fbl-header-insertion) – Enable or disable fbl header insertion | sending |   | 4.0 and later | binding, binding_group, domain, global | -| [enable_mta_sts](/momentum/4/config/mta-sts/enable_mta_sts) – Enable or disable MTA-STS policy application | sending |   | 4.8 and later | binding, binding_group, domain, global | +| [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) – Enable or disable MTA-STS policy application | sending |   | 4.8 and later | binding, binding_group, domain, global | | **enabled** – Whether or not the module is enabled (cluster-specific) | na | true | 4.0 and later | cluster | | [error](/momentum/4/config/ref-debug-flags) – Set the debug level | na | ALL | 4.0 and later | debug_flags | | [esmtp_listener](/momentum/4/esmtp-listener) *(scope)* – Listener for incoming SMTP connections | receiving |   | 4.0 and later | global | diff --git a/content/momentum/4/config/mta-sts/enable-mta-sts.md b/content/momentum/4/config/mta-sts/enable-mta-sts.md index 6d414c38..a87ba59c 100644 --- a/content/momentum/4/config/mta-sts/enable-mta-sts.md +++ b/content/momentum/4/config/mta-sts/enable-mta-sts.md @@ -7,7 +7,7 @@ description: "config option to enable MTA-STS policy application for outbound ma ## Name -enable_mta_sts — specify whether Momentum should apply MTA-STS policies on outbound email sending +enable_mta_sts — specify whether Momentum should apply MTA-STS policies for outbound emails ## Synopsis 
@@ -23,7 +23,7 @@ emails to a remote site. See [MTA-STS support in Momentum](/momentum/4/mta-sts) When this option is `true`, the MTA-STS policy mode will be considered along with the configuration values for [TLS](/momentum/4/config/ref-tls) and [TLS_Verify](/momentum/4/config/tls-verify). - The more strict policy will apply. E.g. When the MTA-STS policy mode is `enforce`, regardless the + The more strict policy will apply. E.g. When the MTA-STS policy mode is `enforce`, regardless of the values for `TLS` and `TLS_Verify`, Momentum will enforce TLS (equivalent to `TLS = required`) and will fail the delivery upon a failed certificate validation (equivalent to `TLS_Verify = host`). @@ -34,7 +34,7 @@ When the MTA-STS policy mode is `testing`, Momentum will apply `TLS = ifavailabl When the MTA-STS policy mode is `none`, the policy will be ignored and the configuration values for `TLS` and `TLS_Verify` will be respected. -The default value is `true` when the domain level `use_mta_sts` is `true`. +The default value is `true` when `use_mta_sts` is `true` for a domain. ## Scope diff --git a/content/momentum/4/config/mta-sts/use-mta-sts.md b/content/momentum/4/config/mta-sts/use-mta-sts.md index e15e91aa..4b658c20 100644 --- a/content/momentum/4/config/mta-sts/use-mta-sts.md +++ b/content/momentum/4/config/mta-sts/use-mta-sts.md @@ -7,7 +7,7 @@ description: "config option to enable MTA-STS policy fetching for a domain" ## Name -use_mta_sts — specify whether Momentum should do MTA-STS policy fetching for a domain or not +use_mta_sts — specify whether Momentum should do MTA-STS policy fetching for a domain ## Synopsis diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md index c0e1836b..0fcbad53 100644 --- a/content/momentum/4/mta-sts.md +++ b/content/momentum/4/mta-sts.md 
@@ -1,19 +1,21 @@ --- lastUpdated: "06/01/2024" -title: "MTA-STS support in Momentum" -description: "MTA-STS support in Momentum" +title: "MTA-STS support" +description: "MTA-STS support" --- MTA-STS (MTA Strict Transport Security) improves email security by requiring authentication checks and encryption for delivering email. RFC 8461 describes the use of MTA-STS for improving -SMTP security between MTAs. +SMTP security between MTAs. Momentum starts to support MTA-STS in 4.8. -If the per-domain config option [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) is set to `true`, +If the config option [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) for a domain is set to `true`, Momentum will attempt to discover the recipient domain's MTA-STS policy (via a DNS lookup to retrieve the MTA-STS policy ID and a HTTPS lookup to retrieve the - MTA-STS policy) and use it for validating the connection to the remote site. + MTA-STS policy), and if the [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) + for the binding/domain is `true`, Momentum will apply the MTA-STS policy for validating + the connection to the remote site. If the recipient domain enforces MTA-STS, Momentum delivers email to the remote -domain's MX if and only if the following conditions are satisfied: + domain's MX if and only if the following conditions are satisfied: - remote site matches at least one of the MX patterns defined in the recipient domain's MTA-STS policy - connection to remote site can be encrypted (via the use of STARTTLS) @@ -35,7 +37,7 @@ For all examples the recipient domain would be `domain.com`. ### Example 1: Recipient domain enforces MTA-STS and MX is allowed as per the MTA-STS policy -> **MTA-STS policy retrieved from https://mta-sts.domain.com/.well-known/mta-sts.txt** +> **MTA-STS policy retrieved from `https://mta-sts.domain.com/.well-known/mta-sts.txt`** ``` version: STSv1 mode: enforce 
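Review bot: The rewritten paragraph says what Momentum does when a policy is fetched and `enable_mta_sts` is true, but not what happens when the DNS or HTTPS lookup fails or returns an invalid policy: whether a previously cached policy from the policy store is reused, for how long, or whether delivery proceeds as if no policy existed. That is the case a sender depends on during an outage or a downgrade attempt, so one sentence on it belongs here. `Momentum starts to support MTA-STS in 4.8.` reads better as `MTA-STS is supported as of Momentum 4.8.` The enumerated delivery conditions continue outside the hunk.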
@@ -52,7 +54,7 @@ MX patterns defined in the MTA-STS policy. ### Example 2: Recipient domain enforces MTA-STS and MX is not allowed as per the MTA-STS policy -> **MTA-STS policy retrieved from https://mta-sts.domain.com/.well-known/mta-sts.txt** +> **MTA-STS policy retrieved from `https://mta-sts.domain.com/.well-known/mta-sts.txt`** ``` version: STSv1 mode: enforce @@ -70,7 +72,7 @@ MX patterns defined in the MTA-STS policy. ### Example 3: Recipient domain does not enforce MTA-STS and MX is not allowed as per the MTA-STS policy -> **MTA-STS policy retrieved from https://mta-sts.domain.com/.well-known/mta-sts.txt** +> **MTA-STS policy retrieved from `https://mta-sts.domain.com/.well-known/mta-sts.txt`** ``` version: STSv1 mode: testing @@ -87,13 +89,12 @@ MX patterns defined in the MTA-STS policy since the policy mode is not `enforce` ## Related Configuration Options -- [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) -- [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) -- [mta_sts_dns_cname_max_depth](/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth) -- [mta_sts_policy_store](/momentum/4/config/mta-sts/mta-sts-policy-store) +- [MTA-STS configuration Options](/momentum/4/config/mta-sts) + ## Related [Debug_Flags](/momentum/4/config/ref-debug-flags) - MTA_STS + ## ec_console commands - [mta_sts](/momentum/4/console-commands/mta-sts) From 25360eb9e28352c51b5e5af77d22299d629d7e6d Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Tue, 14 May 2024 13:04:15 -0400 Subject: [PATCH 11/23] link to mta-sts config options --- content/momentum/4/config/ref-debug-flags.md | 14 ++++++++++++-- content/momentum/4/console-commands/index.md | 1 - content/momentum/4/mta-sts.md | 2 +- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/content/momentum/4/config/ref-debug-flags.md b/content/momentum/4/config/ref-debug-flags.md index e4bd253c..3bcd7852 100644 --- a/content/momentum/4/config/ref-debug-flags.md 
+++ b/content/momentum/4/config/ref-debug-flags.md @@ -28,11 +28,21 @@ Debug_Flags { CRITICAL = (TIME FD SMTP LOG1 DNS DNSDS NET SIG MEM DB LIC SSL MOD START ALL) } ``` - ### Note - Use ‘`ALL`’ instead of listing each service debug flag. + +The example below enables more (at `WARNING` level) MTA-STS and SSL related logging, along with default +`ERROR` and `CRITICAL` loggings: +``` +Debug_Flags { + WARNING = (MTA_STS SSL) + ERROR = (ALL) + CRITICAL = (ALL) +} +``` + + diff --git a/content/momentum/4/console-commands/index.md b/content/momentum/4/console-commands/index.md index e7aac765..1eb37278 100644 --- a/content/momentum/4/console-commands/index.md +++ b/content/momentum/4/console-commands/index.md @@ -46,7 +46,6 @@ description: "This section documents all the non module specific console command | [module](/momentum/4/console-commands/4-module) | manage loaded modules online | | [mta_sts](/momentum/4/console-commands/mta_sts) | commands to display and manage MTA-STS policy for a domain | | [\pager](/momentum/4/console-commands/pager) | Page output of long console commands in the console. | -| [\pager](/momentum/4/console-commands/pager) | Page output of long console commands in the console. | | [paniclog](/momentum/4/console-commands/paniclog) | show last several entries written to paniclog | | [pid](/momentum/4/console-commands/pid) | show process id of Momentum | | [rebind](/momentum/4/console-commands/rebind) | rebind the messages in a binding or domain | diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md index 0fcbad53..c88746c4 100644 --- a/content/momentum/4/mta-sts.md +++ b/content/momentum/4/mta-sts.md @@ -89,7 +89,7 @@ MX patterns defined in the MTA-STS policy since the policy mode is not `enforce` ## Related Configuration Options -- [MTA-STS configuration Options](/momentum/4/config/mta-sts) +- [MTA-STS configuration Options](/momentum/4/config/mta-sts/index) ## Related [Debug_Flags](/momentum/4/config/ref-debug-flags) 
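Review bot: The hunk removes the `### Note` advising `Use 'ALL' instead of listing each service debug flag` while the new example still relies on `ALL` for `ERROR` and `CRITICAL`; if dropping that note was not intended, keep it ahead of the new example. In the added sentence `loggings` should be `logging`, e.g. `along with the default ERROR and CRITICAL logging:`.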
From d4fcc7838b1d174438bc7552870db80cca0a1d4f Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Tue, 14 May 2024 13:30:23 -0400 Subject: [PATCH 12/23] add new file --- content/momentum/4/config/mta-sts/index.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 content/momentum/4/config/mta-sts/index.md diff --git a/content/momentum/4/config/mta-sts/index.md b/content/momentum/4/config/mta-sts/index.md new file mode 100644 index 00000000..391faeb2 --- /dev/null +++ b/content/momentum/4/config/mta-sts/index.md @@ -0,0 +1,14 @@ +--- +lastUpdated: "06/01/2024" +title: "Category File" +type: "custom" +name: "MTA-STS Configuration Options Reference" +description: "MTA-STS configuration Options index" +--- + +- [use_mta_sts](/momentum/4/config/mta-sts/use-mta-sts) +- [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) +- [mta_sts_dns_cname_max_depth](/momentum/4/config/mta-sts/mta-sts-dns-cname-max-depth) +- [mta_sts_policy_store](/momentum/4/config/mta-sts/mta-sts-policy-store) + + From e3f70ddb0bb6bc1a15a37f4061e62650a02a91d2 Mon Sep 17 00:00:00 2001 From: Julie Zhao Date: Tue, 14 May 2024 14:04:12 -0400 Subject: [PATCH 13/23] update link --- content/momentum/4/mta-sts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/momentum/4/mta-sts.md b/content/momentum/4/mta-sts.md index c88746c4..0fcbad53 100644 --- a/content/momentum/4/mta-sts.md +++ b/content/momentum/4/mta-sts.md @@ -89,7 +89,7 @@ MX patterns defined in the MTA-STS policy since the policy mode is not `enforce` ## Related Configuration Options -- [MTA-STS configuration Options](/momentum/4/config/mta-sts/index) +- [MTA-STS configuration Options](/momentum/4/config/mta-sts) ## Related [Debug_Flags](/momentum/4/config/ref-debug-flags) From eded13d55eaf7b358f01a8c37255298a912f21bc Mon Sep 17 00:00:00 2001 
From: Kris Kelley Date: Fri, 14 Jun 2024 09:51:00 -0400 Subject: [PATCH 14/23] EOP-155 ec_mta_sts_purge utility --- content/momentum/4/4-exe.md | 3 +- .../momentum/4/executable/ec-mta-sts-purge.md | 56 +++++++++++++++++++ content/momentum/4/executable/index.md | 1 + 3 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 content/momentum/4/executable/ec-mta-sts-purge.md diff --git a/content/momentum/4/4-exe.md b/content/momentum/4/4-exe.md index ae4798de..0762ddde 100644 --- a/content/momentum/4/4-exe.md +++ b/content/momentum/4/4-exe.md @@ -22,7 +22,8 @@ This table lists all executable commands alphabetically giving a brief descripti | [ec_lic](/momentum/4/executable/ec-lic) – Fetch a new license file from Message Systems | misc | | [ec_log_trace](/momentum/4/executable/ec-log-trace) – Parse Momentum log files | logs | | [ec_md5passwd](/momentum/4/executable/ec-md-5-passwd) – Change the password for a system user's password | security | -| [ec_rotate](/momentum/4/executable/ec-rotate) – Rotate Momentum logfiles | logs | +| [ec_mta_sts_purge](/momentum/4/executable/ec-mta-sts-purge) - remove expired MTA-STS policy files | +| [ec_rotate](/momentum/4/executable/ec-rotate) – Rotate Momentum logfiles | misc | | [ec_sendmail](/momentum/4/executable/ec-sendmail) – A sendmail compatibility interface | misc | | [ec_show](/momentum/4/executable/ec-show) – Show spool or message information | messages | | [eccfg](/momentum/4/executable/eccfg) – Subversion repository management | config | diff --git a/content/momentum/4/executable/ec-mta-sts-purge.md b/content/momentum/4/executable/ec-mta-sts-purge.md new file mode 100644 index 00000000..167fc1c2 --- /dev/null +++ b/content/momentum/4/executable/ec-mta-sts-purge.md 
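Review bot: The `ec_rotate` row's category changes from `logs` to `misc` in this hunk, which looks accidental given its description (`Rotate Momentum logfiles`) and the `logs` category of the neighbouring `ec_log_trace` row; the new `ec_mta_sts_purge` row is also missing its category cell. PATCH 15/23 adds `| misc |` to the new row but leaves `ec_rotate` as `misc`, so that line should go back to `| [ec_rotate](/momentum/4/executable/ec-rotate) – Rotate Momentum logfiles | logs |`. The new row also uses a plain hyphen where every other row uses an en dash.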
@@ -0,0 +1,56 @@ +--- +lastUpdated: "03/26/2020" +title: "ec_mta_sts_purge" +description: "ec mta_sts_purge Remove expired MTA-STS policies from the file system" +--- + + +## Name + +ec_mta_sts_purge — Remove expired MTA-STS policies from the file system + +## Synopsis + +`/opt/msys/ecelerity/bin/ec_mta_sts_purge` [ -dir *`directory`* ] + +`/opt/msys/ecelerity/bin/ec_mta_sts_purge` [ -dryrun ] + +`/opt/msys/ecelerity/bin/ec_mta_sts_purge` [ -v | -verbose ] + +## Description + +The **ec_mta_sts_purge** command is a utility script used to remove expired MTA-STS policies from the file system. + +Momentum caches MTA-STS policies on the file system. This is to reduce how often Momentum needs to fetch the policies using HTTP. This also prevents a large number of fetches on a restart. These policies will normally get updated regularly, but if a domain is not used for a long time, this command can be used to delete the expired policy file for this domain from the file system. + +### Note + +The **ec_mta_sts_purge** script will by default delete files in the default location. If you have specified a different location via `mta_sts_policy_store`, the `-dir` option must be used. + +The following options change the behavor of the **ec_mta_sts_purge** command: + +
+ +
-dir *`directory`*
+ +
+ +Specify the full path to the directory where the policy files are stored. Default is '/var/spool/ecelerity/mtasts'. + +
+ +
-dryrun
+ +
+ +If this option is specified, the script will just print files that would be deleted. + +
+ +
+ +The following is an example: + +``` +/opt/msys/ecelerity/bin/ec_mta_sts_purge -dryrun -dir /path/to/policy/files +``` diff --git a/content/momentum/4/executable/index.md b/content/momentum/4/executable/index.md index 0f5f944b..490c9186 100644 --- a/content/momentum/4/executable/index.md +++ b/content/momentum/4/executable/index.md @@ -20,6 +20,7 @@ description: "Table of Contents ad summary summarize the adaptive module actions | [ec_lic](/momentum/4/executable/ec-lic) | fetch a new license file from Message Systems | | [ec_log_trace](/momentum/4/executable/ec-log-trace) | parse Momentum log files | | [ec_md5passwd](/momentum/4/executable/ec-md-5-passwd) | changes the password for a system user's password | +| [ec_mta_sts_purge](/momentum/4/executable/ec-mta-sts-purge.md) | remove expired MTA-STS policy files | | [ec_rotate](/momentum/4/executable/ec-rotate) | rotate Momentum logfiles | | [ec_sendmail](/momentum/4/executable/ec-sendmail) | a sendmail compatibility interface | | [ec_show](/momentum/4/executable/ec-show) | show spool or message information | From 6ed7d5ce2be476b50d69604624b870abd0977e04 Mon Sep 17 00:00:00 2001 From: Kris Kelley Date: Fri, 14 Jun 2024 10:15:37 -0400 Subject: [PATCH 15/23] tweaks --- content/momentum/4/4-exe.md | 2 +- content/momentum/4/executable/ec-mta-sts-purge.md | 10 +++++----- content/momentum/4/executable/index.md | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/content/momentum/4/4-exe.md b/content/momentum/4/4-exe.md index 0762ddde..172e6d43 100644 --- a/content/momentum/4/4-exe.md +++ b/content/momentum/4/4-exe.md 
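Review bot: The Synopsis lists a `-v | -verbose` form, but the options section documents only `-dir` and `-dryrun`, so `-verbose` needs an entry saying what extra output it produces. `lastUpdated: "03/26/2020"` predates the 4.8 feature this page documents and looks copied from a template. Since the script deletes files under whatever directory `-dir` names, the page should say what makes a policy file expired and recommend a `-dryrun` pass first; it presumably also has to run as the user Momentum runs as (`ecuser` per the `user` option) so the store's ownership is preserved — confirm. `behavor` in `The following options change the behavor of` should be `behavior`.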
@@ -22,7 +22,7 @@ This table lists all executable commands alphabetically giving a brief descripti | [ec_lic](/momentum/4/executable/ec-lic) – Fetch a new license file from Message Systems | misc | | [ec_log_trace](/momentum/4/executable/ec-log-trace) – Parse Momentum log files | logs | | [ec_md5passwd](/momentum/4/executable/ec-md-5-passwd) – Change the password for a system user's password | security | -| [ec_mta_sts_purge](/momentum/4/executable/ec-mta-sts-purge) - remove expired MTA-STS policy files | +| [ec_mta_sts_purge](/momentum/4/executable/ec-mta-sts-purge) - remove expired MTA-STS policy files | misc | | [ec_rotate](/momentum/4/executable/ec-rotate) – Rotate Momentum logfiles | misc | | [ec_sendmail](/momentum/4/executable/ec-sendmail) – A sendmail compatibility interface | misc | | [ec_show](/momentum/4/executable/ec-show) – Show spool or message information | messages | diff --git a/content/momentum/4/executable/ec-mta-sts-purge.md b/content/momentum/4/executable/ec-mta-sts-purge.md index 167fc1c2..c3e40b7f 100644 --- a/content/momentum/4/executable/ec-mta-sts-purge.md +++ b/content/momentum/4/executable/ec-mta-sts-purge.md 
@@ -21,11 +21,11 @@ ec_mta_sts_purge — Remove expired MTA-STS policies from the file system The **ec_mta_sts_purge** command is a utility script used to remove expired MTA-STS policies from the file system. -Momentum caches MTA-STS policies on the file system. This is to reduce how often Momentum needs to fetch the policies using HTTP. This also prevents a large number of fetches on a restart. These policies will normally get updated regularly, but if a domain is not used for a long time, this command can be used to delete the expired policy file for this domain from the file system. +Momentum caches MTA-STS policies on the file system. This is to reduce how often Momentum needs to fetch the policies using HTTP. This also prevents a large number of fetches on a restart. These policies will normally get updated regularly, but if some domains have not been used for a long time, this command can be used to delete the expired policy files for these domains from the file system. ### Note -The **ec_mta_sts_purge** script will by default delete files in the default location. If you have specified a different location via `mta_sts_policy_store`, the `-dir` option must be used. +The **ec_mta_sts_purge** script will delete files in the default location. If you have specified a different location via `mta_sts_policy_store`, the `-dir` option must be used. The following options change the behavor of the **ec_mta_sts_purge** command: @@ -35,7 +35,7 @@ The following options change the behavor of the **ec_mta_sts_purge** command:
-Specify the full path to the directory where the policy files are stored. Default is '/var/spool/ecelerity/mtasts'. +Specify the full path to the directory where the policy files are stored. Default is `/var/spool/ecelerity/mtasts`.
@@ -43,7 +43,7 @@ Specify the full path to the directory where the policy files are stored. Defaul
-If this option is specified, the script will just print files that would be deleted. +If this option is specified, the script will just list the files that would be deleted.
@@ -51,6 +51,6 @@ If this option is specified, the script will just print files that would be dele The following is an example: -``` +```sh /opt/msys/ecelerity/bin/ec_mta_sts_purge -dryrun -dir /path/to/policy/files ``` diff --git a/content/momentum/4/executable/index.md b/content/momentum/4/executable/index.md index 490c9186..701ad620 100644 --- a/content/momentum/4/executable/index.md +++ b/content/momentum/4/executable/index.md @@ -20,7 +20,7 @@ description: "Table of Contents ad summary summarize the adaptive module actions | [ec_lic](/momentum/4/executable/ec-lic) | fetch a new license file from Message Systems | | [ec_log_trace](/momentum/4/executable/ec-log-trace) | parse Momentum log files | | [ec_md5passwd](/momentum/4/executable/ec-md-5-passwd) | changes the password for a system user's password | -| [ec_mta_sts_purge](/momentum/4/executable/ec-mta-sts-purge.md) | remove expired MTA-STS policy files | +| [ec_mta_sts_purge](/momentum/4/executable/ec-mta-sts-purge) | remove expired MTA-STS policy files | | [ec_rotate](/momentum/4/executable/ec-rotate) | rotate Momentum logfiles | | [ec_sendmail](/momentum/4/executable/ec-sendmail) | a sendmail compatibility interface | | [ec_show](/momentum/4/executable/ec-show) | show spool or message information | From fbb9ac144d7739229d4a9f7a3ffa7e0b91d20180 Mon Sep 17 00:00:00 2001 From: Kris Kelley Date: Fri, 14 Jun 2024 10:57:52 -0400 Subject: [PATCH 16/23] EOP-176 tlsa_expire_interval --- content/momentum/4/config-options-summary.md | 1 + content/momentum/4/config/index.md | 1 + .../4/config/ref-tlsa-expire-interval.md | 24 +++++++++++++++++++ 3 files changed, 26 insertions(+) create mode 100644 content/momentum/4/config/ref-tlsa-expire-interval.md diff --git a/content/momentum/4/config-options-summary.md b/content/momentum/4/config-options-summary.md index cca6110c..9eb5325a 100644 --- a/content/momentum/4/config-options-summary.md +++ b/content/momentum/4/config-options-summary.md 
@@ -352,6 +352,7 @@ The `Version` column indicated the version(s) of Momentum that support the optio | [tls_verified_peer_is_authorized](/momentum/4/config/tls-verified-peer-is-authorized) – Mark requests that use a verified SSL Client certificate as being authorized | sending | false | 4.0 and later | http_listener, listen, pathway, peer | | [tls_verify](/momentum/4/config/tls-verify) – Specify how to handle the remote presented certificate | sending | no | 4.0 and later | binding, binding_group, domain, global | | [tls_verify_mode](/momentum/4/config/tls-verify-mode) – Determine whether a TLS certificates is required | receiving |   | 4.0 and later | ecstream_listener, esmtp_listener, http_listener, listen, pathway, pathway_group, peer, xmpp_listener | +| [tlsa_expire_interval](/momentum/4/config/ref-tlsa-expire-interval) – How often to check for domains with expired DANE TLSA information | sending | 3600 | 4.8 and later | global | | [topology](/momentum/4/4-cluster-config-duravip) *(scope)* – Define the cluster network topology (cluster-specific) | na |   | 4.0 and later | cluster | | [trace_smtp_mode](/momentum/4/config/ref-trace-smtp-mode) – Set the default permissions of trace files | sending | 0640 (*non-dynamic*) | 4.0 and later | global | | [tracking_domain](/momentum/4/config/tracking-domain) – Set the tracking domain to use for engagement tracking in SMTP injections | string | localhost:8080 | 4.1-HF4 (beta) | esmtp_listener, listen, pathway, pathway_group, peer | diff --git a/content/momentum/4/config/index.md b/content/momentum/4/config/index.md index 5f820d16..789ed483 100644 --- a/content/momentum/4/config/index.md +++ b/content/momentum/4/config/index.md 
@@ -217,6 +217,7 @@ description: "This chapter provides the definitions of the configuration options | [tls_verified_peer_is_authorized](/momentum/4/config/tls-verified-peer-is-authorized) | Marks requests that use a verified SSL Client certificate as being authorized | | [tls_verify](/momentum/4/config/tls-verify) | specify how to handle the remote presented certificate | | [tls_verify_mode](/momentum/4/config/tls-verify-mode) | determine whether a TLS certificate is required | +| [tlsa_expire_interval](/momentum/4/config/ref-tlsa-expire-interval) | how often to check for domains with expired DANE TLSA information | | [trace_smtp_mode](/momentum/4/config/ref-trace-smtp-mode) | set the default permissions of trace files | | [tracking_domain](/momentum/4/config/tracking-domain) | set the tracking domain to use for engagement tracking in SMTP injections | | [tracking_link_expiry](/momentum/4/config/tracking-link-expiry) | set the expiration time for engagement tracking for SMTP injections | diff --git a/content/momentum/4/config/ref-tlsa-expire-interval.md b/content/momentum/4/config/ref-tlsa-expire-interval.md new file mode 100644 index 00000000..cd50d49e --- /dev/null +++ b/content/momentum/4/config/ref-tlsa-expire-interval.md 
@@ -0,0 +1,24 @@
+---
+lastUpdated: "03/26/2024"
+title: "tlsa_expire_interval"
+description: "tlsa expire interval how often to check for domains with expired DANE TLSA record information dns tlsa expire interval"
+---
+
+
+## Name
+
+tlsa_expire_interval — how often to check for domains with expired DANE TLSA information
+
+## Synopsis
+
+`tlsa_expire_interval = 120`
+
+## Description
+
+How often the garbage collector should check for domains with expired DANE TLSA record entries and remove them. This information is normally refreshed during regular DNS record refresh, but if domains have not been used in a long time, this will remove those unneeded entries.
+
+The default is `3600` seconds.
+
+## Scope
+
+`tlsa_expire_interval` is valid in the global scope.
\ No newline at end of file
From 4a48525a0725848184297eb3b3b79e70870e99de Mon Sep 17 00:00:00 2001
From: Kris Kelley
Date: Mon, 17 Jun 2024 14:52:23 -0400
Subject: [PATCH 17/23] EOP-134 Fix documentation for ec_ssl_SSL_CTX_fixup
---
 .../3-api/hooks-core-ec-ssl-ssl-ctx-fixup.md | 29 +++++++------------
 1 file changed, 11 insertions(+), 18 deletions(-)
diff --git a/content/momentum/3/3-api/hooks-core-ec-ssl-ssl-ctx-fixup.md b/content/momentum/3/3-api/hooks-core-ec-ssl-ssl-ctx-fixup.md
index 83d55d53..47352061 100644
--- a/content/momentum/3/3-api/hooks-core-ec-ssl-ssl-ctx-fixup.md
+++ b/content/momentum/3/3-api/hooks-core-ec-ssl-ssl-ctx-fixup.md
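Review bot: The Synopsis example `tlsa_expire_interval = 120` shows a different value than the stated default of `3600`, and the unit is only given in the Description, so the example is easy to misread as the default; write it as `tlsa_expire_interval = 3600` or state the unit beside it. The Description should also say what makes a TLSA entry expired (presumably its DNS TTL has elapsed — confirm) and that removing an entry only drops cached data that is re-fetched on next use, if that is the case. The new file ends without a trailing newline (`\ No newline at end of file`).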
@@ -13,23 +13,16 @@ ec_ssl_SSL_CTX_fixup — This hook provides an opportunity for modules to alter
 `#include "hooks/core/ec_ssl_SSL_CTX_fixup.h"`
-| `void **core_ec_ssl_SSL_CTX_fixup** (` | closure, |   |
-|   | sslctx, |   |
-|   | type, |   |
-|   | domain, |   |
-|   | certfile, |   |
-|   | keyfile, |   |
-|   | clientca, |   |
-|   | cipher_list`)`; |   |
-
-`void * closure`;
-`struct ssl_ctx_st * sslctx`;
-`int type`;
-`const char * domain`;
-`const char * certfile`;
-`const char * keyfile`;
-`const char * clientca`;
-`const char * cipher_list`;
+```
+void core_ec_ssl_SSL_CTX_fixup (void *closure,
+ struct ssl_ctx_st *ctx,
+ int type,
+ const char *domain,
+ const char *certfile,
+ const char *keyfile,
+ const char *clientca,
+ const char *cipher_list);
+```
 ## Description
 This hook is called after the SSL_CTX (struct ssl_ctx_st) context has been allocated, but before the private key has been loaded.
@@ -55,7 +48,7 @@ A pointer to the closure.
-An `ec_ssl_ctx` struct. For documentation of this data structure see [“ec_ssl_ctx”](/momentum/3/3-api/structs-ec-ssl-ctx).
+This struct would be passed as-is to OpenSSL functions as the SSL_CTX parameter.
From c1c29b32206a7fc1d24fced6907a6746e12373fa Mon Sep 17 00:00:00 2001
From: Julie Zhao
Date: Tue, 18 Jun 2024 09:49:34 -0400
Subject: [PATCH 18/23] typos
---
 content/momentum/4/config/mta-sts/mta-sts-policy-store.md | 2 +-
 content/momentum/4/console-commands/mta-sts.md | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/content/momentum/4/config/mta-sts/mta-sts-policy-store.md b/content/momentum/4/config/mta-sts/mta-sts-policy-store.md
index 3464d11b..18840994 100644
--- a/content/momentum/4/config/mta-sts/mta-sts-policy-store.md
+++ b/content/momentum/4/config/mta-sts/mta-sts-policy-store.md
@@ -24,4 +24,4 @@ The default value is `/var/spool/ecelerity/mtasts`.
 ## Scope
-`mta_sts_dns_cname_max_depth` is valid in the global scope.
+`mta_sts_policy_store` is valid in the global scope.
diff --git a/content/momentum/4/console-commands/mta-sts.md b/content/momentum/4/console-commands/mta-sts.md
index 1246cdc7..16304434 100644
--- a/content/momentum/4/console-commands/mta-sts.md
+++ b/content/momentum/4/console-commands/mta-sts.md
@@ -13,9 +13,9 @@ mta_sts - commands for MTA-STS related data
 `mta_sts list all`
-`mta-sts show domain {domain name}`
+`mta_sts show domain {domain name}`
-`mta-sts refresh policy {domain name}`
+`mta_sts refresh policy {domain name}`
 ## Description
From fd27016309fed50f6618da076e97e735b0e61b26 Mon Sep 17 00:00:00 2001
From: Kris Kelley
Date: Tue, 18 Jun 2024 10:00:21 -0400
Subject: [PATCH 19/23] tweaks as per review
---
 content/momentum/4/executable/ec-mta-sts-purge.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/momentum/4/executable/ec-mta-sts-purge.md b/content/momentum/4/executable/ec-mta-sts-purge.md
index c3e40b7f..2ce660b1 100644
--- a/content/momentum/4/executable/ec-mta-sts-purge.md
+++ b/content/momentum/4/executable/ec-mta-sts-purge.md
@@ -21,7 +21,7 @@ ec_mta_sts_purge — Remove expired MTA-STS policies from the file system
 The **ec_mta_sts_purge** command is a utility script used to remove expired MTA-STS policies from the file system.
-Momentum caches MTA-STS policies on the file system. This is to reduce how often Momentum needs to fetch the policies using HTTP. This also prevents a large number of fetches on a restart. These policies will normally get updated regularly, but if some domains have not been used for a long time, this command can be used to delete the expired policy files for these domains from the file system.
+Momentum caches MTA-STS policies on the file system. This is to reduce how often Momentum needs to fetch the policies using HTTPS. This also prevents a large number of fetches on a restart. These policies will normally get updated regularly, but if some domains have not been used for a long time, this command can be used to delete the expired policy files for these domains from the file system.
 ### Note
@@ -31,7 +31,7 @@ The following options change the behavor of the **ec_mta_sts_purge** command:
-
-dir *`directory`*
+
-dir directory
From 90c981ffc2f70350c0a13c9032f54c710bcd5e0f Mon Sep 17 00:00:00 2001
From: Doug Koerich
Date: Fri, 21 Jun 2024 15:10:07 -0300
Subject: [PATCH 20/23] EOP-208: New release 4.8 for Momentum
Signed-off-by: Doug Koerich
---
 content/momentum/4/index.md | 5 +++--
 content/momentum/4/modules/4-adaptive.md | 2 +-
 content/momentum/changelog/4/4-8.md | 19 +++++++++++++++++++
 content/momentum/changelog/4/index.md | 3 ++-
 content/momentum/navigation.yml | 2 ++
 5 files changed, 27 insertions(+), 4 deletions(-)
 create mode 100644 content/momentum/changelog/4/4-8.md
diff --git a/content/momentum/4/index.md b/content/momentum/4/index.md
index 3f42a452..060581d4 100644
--- a/content/momentum/4/index.md
+++ b/content/momentum/4/index.md
@@ -6,7 +6,7 @@ description: "Message Systems Inc Copyright 2014-2023 Message Systems Inc Confid
 ### Message Systems, Inc.
-Copyright © 2014-2023 Message Systems, Inc.
+Copyright © 2014-2024 Message Systems, Inc.
@@ -16,12 +16,13 @@ Confidential & Proprietary.
 This book documents Momentum 4.
-Document generated on: 2023-Oct-26
+Document generated on: 2024-Jun-30
 ---
 ### Momentum 4.x Changelogs
+- [Momentum 4.8 Changelogs](/momentum/changelog/4/4-8)
 - [Momentum 4.7 Changelogs](/momentum/changelog/4/4-7)
 - [Momentum 4.6 Changelogs](/momentum/changelog/4/4-6)
 - [Momentum 4.4.1 Changelogs](/momentum/changelog/4/4-4-1)
diff --git a/content/momentum/4/modules/4-adaptive.md b/content/momentum/4/modules/4-adaptive.md
index 1f9f6e1c..9e013335 100644
--- a/content/momentum/4/modules/4-adaptive.md
+++ b/content/momentum/4/modules/4-adaptive.md
@@ -1,5 +1,5 @@
 ---
-lastUpdated: "03/26/2020"
+lastUpdated: "06/30/2024"
 title: "adaptive – Adaptive Delivery"
 description: "Adaptive Delivery AD provides the ability to dynamically tune parameters to help manage your outbound mail traffic in a way that is more in line with the best practices in use by receivers AD also helps maintain and improve your sending reputation and makes better use of system resources Using..."
 ---
diff --git a/content/momentum/changelog/4/4-8.md b/content/momentum/changelog/4/4-8.md
new file mode 100644
index 00000000..b63d90af
--- /dev/null
+++ b/content/momentum/changelog/4/4-8.md
@@ -0,0 +1,19 @@
+---
+lastUpdated: "06/30/2023"
+title: "Momentum 4.8 Changelog"
+description: "Momentum 4.8 was released on 2024-06-30. This section will list all of the major changes that happened with the release of Momentum 4.8. Depending on installation type, all changes may not be applicable"
+---
+
+This section will list all of the major changes that happened with the release of **Momentum 4.8**. Depending on installation type, all changes may not be applicable
+
+
+
+| Type | Ticket | Description |
+| --- | --- | --- |
+| Fix | EOP-92 | Bounce message with a good CNAME but with NXDOMAIN for the aliased MX |
+| Fix | EOP-143 | On Adaptive Delivery suspension, parameters can now be read from cached values |
+| Security Fix | EOP-174 | Updated minor version of NodeJS (now 20.13.1) |
+| Feature | | New msys-c-ares package with DNS resolver library |
+| Feature | | Support for MTA-STS (MTA Strict Transport Security) |
+| Feature | | Support for DANE (DNS-based Authentication of Named Entities) |
+| Feature | | Support for Signaling One-Click in Engagement API |
diff --git a/content/momentum/changelog/4/index.md b/content/momentum/changelog/4/index.md
index d4c75cda..33b55dcc 100644
--- a/content/momentum/changelog/4/index.md
+++ b/content/momentum/changelog/4/index.md
@@ -1,11 +1,12 @@
 ---
-lastUpdated: "09/20/2023"
+lastUpdated: "06/30/2024"
 title: "Category File"
 type: "custom"
 name: "Momentum 4.x Changelogs"
 description: "Momentum 4.x Changelogs"
 ---
+* [Momentum 4.8 Changelogs](/momentum/changelog/4/4-8)
 * [Momentum 4.7 Changelogs](/momentum/changelog/4/4-7)
 * [Momentum 4.6 Changelogs](/momentum/changelog/4/4-6)
 * [Momentum 4.4.1 Changelogs](/momentum/changelog/4/4-4-1)
diff --git a/content/momentum/navigation.yml b/content/momentum/navigation.yml
index efc5a5ba..0ed843af 100644
--- a/content/momentum/navigation.yml
+++ b/content/momentum/navigation.yml
@@ -1965,6 +1965,8 @@
 - link: /momentum/changelog/4
 title: Momentum 4.x Changelog
 items:
+ - link: /momentum/changelog/4/4-8
+ title: Momentum 4.8 Changelog
 - link: /momentum/changelog/4/4-7
 title: Momentum 4.7 Changelog
 - link: /momentum/changelog/4/4-6
From 06fc966e5cb340dcd09eccbcd189110eee74f7f9 Mon Sep 17 00:00:00 2001
From: Doug Koerich
Date: Fri, 21 Jun 2024 17:28:06 -0300
Subject: [PATCH 21/23] EOP-208: minor fixes and clarifications
Signed-off-by: Doug Koerich
---
 content/momentum/4/index.md | 4 ++--
 content/momentum/changelog/4/4-8.md | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/content/momentum/4/index.md b/content/momentum/4/index.md
index 060581d4..2a866465 100644
--- a/content/momentum/4/index.md
+++ b/content/momentum/4/index.md
@@ -1,7 +1,7 @@
 ---
-lastUpdated: "10/26/2023"
+lastUpdated: "06/30/2024"
 title: "Momentum 4.x"
-description: "Message Systems Inc Copyright 2014-2023 Message Systems Inc Confidential Proprietary Abstract This book documents Momentum 4 Document generated on 2023 Oct 26 Table of Contents Preface 1 Typographical Conventions Used in This Document I Introduction to Momentum 1 Components 2 Life of A Message 3 Roles and Behaviors 4 Licensed..."
+description: "Message Systems Inc Copyright 2014-2024 Message Systems Inc Confidential Proprietary Abstract This book documents Momentum 4 Document generated on 2024 Jun 30 Table of Contents Preface 1 Typographical Conventions Used in This Document I Introduction to Momentum 1 Components 2 Life of A Message 3 Roles and Behaviors 4 Licensed..."
 ---
 ### Message Systems, Inc.
diff --git a/content/momentum/changelog/4/4-8.md b/content/momentum/changelog/4/4-8.md
index b63d90af..7cb12654 100644
--- a/content/momentum/changelog/4/4-8.md
+++ b/content/momentum/changelog/4/4-8.md
@@ -1,5 +1,5 @@
 ---
-lastUpdated: "06/30/2023"
+lastUpdated: "06/30/2024"
 title: "Momentum 4.8 Changelog"
 description: "Momentum 4.8 was released on 2024-06-30. This section will list all of the major changes that happened with the release of Momentum 4.8. Depending on installation type, all changes may not be applicable"
 ---
@@ -13,7 +13,7 @@ This section will list all of the major changes that happened with the release o
 | Fix | EOP-92 | Bounce message with a good CNAME but with NXDOMAIN for the aliased MX |
 | Fix | EOP-143 | On Adaptive Delivery suspension, parameters can now be read from cached values |
 | Security Fix | EOP-174 | Updated minor version of NodeJS (now 20.13.1) |
-| Feature | | New msys-c-ares package with DNS resolver library |
+| Feature | | New **msys-c-ares** package with third-party c-ares DNS resolver library (version 1.29.0) |
 | Feature | | Support for MTA-STS (MTA Strict Transport Security) |
 | Feature | | Support for DANE (DNS-based Authentication of Named Entities) |
 | Feature | | Support for Signaling One-Click in Engagement API |
From d8f5f82b35573b14520539bcc0f07debeecbfcd0 Mon Sep 17 00:00:00 2001
From: Doug Koerich
Date: Wed, 3 Jul 2024 09:43:06 -0300
Subject: [PATCH 22/23] EOP-208: Change from review
Signed-off-by: Doug Koerich
---
 content/momentum/changelog/4/4-8.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/content/momentum/changelog/4/4-8.md b/content/momentum/changelog/4/4-8.md
index 7cb12654..40e9f19b 100644
--- a/content/momentum/changelog/4/4-8.md
+++ b/content/momentum/changelog/4/4-8.md
@@ -11,9 +11,9 @@ This section will list all of the major changes that happened with the release o
 | Type | Ticket | Description |
 | --- | --- | --- |
 | Fix | EOP-92 | Bounce message with a good CNAME but with NXDOMAIN for the aliased MX |
-| Fix | EOP-143 | On Adaptive Delivery suspension, parameters can now be read from cached values |
 | Security Fix | EOP-174 | Updated minor version of NodeJS (now 20.13.1) |
 | Feature | | New **msys-c-ares** package with third-party c-ares DNS resolver library (version 1.29.0) |
-| Feature | | Support for MTA-STS (MTA Strict Transport Security) |
-| Feature | | Support for DANE (DNS-based Authentication of Named Entities) |
+| Feature | | Support for [MTA-STS](/momentum/4/mta-sts) (MTA Strict Transport Security) |
+| Feature | | Support for [DANE](/momentum/4/modules/dane) (DNS-based Authentication of Named Entities) |
 | Feature | | Support for Signaling One-Click in Engagement API |
+| Feature | | On Adaptive Delivery suspension, parameters can now be read from cached values |
From 9827faf76c5776b18707458210997f7ca343c3d0 Mon Sep 17 00:00:00 2001
From: Julie Zhao
Date: Mon, 8 Jul 2024 12:51:46 -0400
Subject: [PATCH 23/23] EOP-209: DANE doc (#767)
---
 content/momentum/4/config/enable-dane.md | 29 +++++
 content/momentum/4/config/index.md | 3 +
 content/momentum/4/config/ref-debug-flags.md | 1 +
 .../momentum/4/config/tlsa-expire-interval.md | 26 +++++
 content/momentum/4/config/use-dane.md | 30 ++++++
 content/momentum/4/modules/dane.md | 100 ++++++++++++++++++
 content/momentum/4/modules/index.md | 1 +
 .../momentum/4/modules/summary-all-modules.md | 3 +-
 content/momentum/navigation.yml | 2 +
 9 files changed, 194 insertions(+), 1 deletion(-)
 create mode 100644 content/momentum/4/config/enable-dane.md
 create mode 100644 content/momentum/4/config/tlsa-expire-interval.md
 create mode 100644 content/momentum/4/config/use-dane.md
 create mode 100644 content/momentum/4/modules/dane.md
diff --git a/content/momentum/4/config/enable-dane.md b/content/momentum/4/config/enable-dane.md
new file mode 100644
index 00000000..0765917f
--- /dev/null
+++ b/content/momentum/4/config/enable-dane.md
@@ -0,0 +1,29 @@
+---
+lastUpdated: "06/01/2024"
+title: "enable_dane"
+description: "config option to enable application of DANE TLS verification for outbound mails"
+---
+
+
+## Name
+
+enable_dane — specify whether Momentum should apply DANE TLS verification for outbound emails
+
+## Synopsis
+
+`enable_dane = "true|false"`
+
+## Description
+
+This option is only effective when [dane module](/momentum/4/modules/dane) is configured and
+ [use_dane](/momentum/4/config/use-dane) is `true` for a recipient domain.
+
+This option specifies whether Momentum should try to apply the DANE TLS verification rules defined
+ in TLSA record when sending emails to a remote site.
+
+The default value is `true` when `use_dane` is `true` for a domain.
+
+
+## Scope
+
+`enable_dane` is valid in the binding, binding_group, domain and global scopes.
diff --git a/content/momentum/4/config/index.md b/content/momentum/4/config/index.md
index b2d056c2..e9527aa3 100644
--- a/content/momentum/4/config/index.md
+++ b/content/momentum/4/config/index.md
@@ -75,6 +75,7 @@ description: "This chapter provides the definitions of the configuration options
 | [ecstream_timeout](/momentum/4/config/ref-ecstream-timeout) | the amount of time to wait for an ecstream connection to be established |
 | [ehlo_hostname](/momentum/4/config/ref-ehlo-hostname) | set the hostname used for EHLO in outbound mail |
 | [ehlo_timeout](/momentum/4/config/ref-ehlo-timeout) | network timeout for EHLO |
+| [enable_dane](/momentum/4/config/enable-dane) | enable application of DANE TLS verification on email delivery to a remote domain |
 | [enable_fbl_header_insertion](/momentum/4/config/ref-enable-fbl-header-insertion) | enable or disable fbl header insertion |
 | [enable_mta_sts](/momentum/4/config/mta-sts/enable-mta-sts) | enable application of MTA-STS policy on email delivery to a remote domain |
 | [event_loop](/momentum/4/config/ref-event-loop) | associate a pool of event loops within a listener scope to use multiple threads |
@@ -220,6 +221,7 @@ description: "This chapter provides the definitions of the configuration options
 | [tls_verified_peer_is_authorized](/momentum/4/config/tls-verified-peer-is-authorized) | Marks requests that use a verified SSL Client certificate as being authorized |
 | [tls_verify](/momentum/4/config/tls-verify) | specify how to handle the remote presented certificate |
 | [tls_verify_mode](/momentum/4/config/tls-verify-mode) | determine whether a TLS certificate is required |
+| [tlsa_expire_interval](/momentum/4/config/tlsa-expire-interval) | how often to check for expired TLSA records |
 | [trace_smtp_mode](/momentum/4/config/ref-trace-smtp-mode) | set the default permissions of trace files |
 | [tracking_domain](/momentum/4/config/tracking-domain) | set the tracking domain to use for engagement tracking in SMTP injections |
 | [tracking_link_expiry](/momentum/4/config/tracking-link-expiry) | set the expiration time for engagement tracking for SMTP injections |
@@ -227,6 +229,7 @@ description: "This chapter provides the definitions of the configuration options
 | [transform_8bitmime_content](/momentum/4/config/ref-transform-8-bitmime-content) | Enable 8BITMIME downconversion when sending mail |
 | [unlink_on_spool_in_failure](/momentum/4/config/ref-unlink-on-spool-in-failure) | Whether or not to remove malformed messages |
 | [_unsafe_spool](/momentum/4/config/ref-unsafe-spool) | allow dangerous spool semantics to be used |
+| [use_dane](/momentum/4/config/use-dane) | enable DNSSEC validation on MX/A records, if both secure, TLSA record is fetched and DNSSEC validation is done for a domain |
 | [use_iflist_cache](/momentum/4/config/ref-use-iflist-cache) | Whether or not to cache the list of network interfaces configured by the system |
 | [use_ipv6](/momentum/4/config/ref-use-ipv-6) | Affects the selection of IPv6 hosts in the SMTP client |
 | [use_mmap](/momentum/4/config/ref-use-mmap) | use mmap when spooling messages from disk |
diff --git a/content/momentum/4/config/ref-debug-flags.md b/content/momentum/4/config/ref-debug-flags.md
index 3bcd7852..cacdd02f 100644
--- a/content/momentum/4/config/ref-debug-flags.md
+++ b/content/momentum/4/config/ref-debug-flags.md
@@ -65,6 +65,7 @@ Debug_Flags {
 | File Descriptors | FD |
 | SMTP | SMTP |
 | LOG1 | LOG1 |
+| DANE | DANE |
 | DNS | DNS |
 | DNS data structures | DNSDS |
 | MTA-STS | MTA_STS |
diff --git a/content/momentum/4/config/tlsa-expire-interval.md b/content/momentum/4/config/tlsa-expire-interval.md
new file mode 100644
index 00000000..903e1491
--- /dev/null
+++ b/content/momentum/4/config/tlsa-expire-interval.md
@@ -0,0 +1,26 @@
+---
+lastUpdated: "06/01/2024"
+title: "tlsa_expire_interval"
+description: "tlsa expire interval how often to check for expired TLSA DNS records"
+---
+
+## Name
+
+tlsa_expire_interval — how often to check for expired TLSA records
+
+## Synopsis
+
+`tlsa_expire_interval = 3600`
+
+## Description
+
+How often the garbage collector should check for expired TLSA records. During email delivery,
+ a related TLSA record will be checked for expiration and removed from memory if expired.
+ The purpose of garbage collection controlled by this configuration option is to retire
+ the stale TLSA records which are not actively in use.
+
+The default is `3600` seconds.
+
+## Scope
+
+`tlsa_expire_interval` is valid in the global scope.
diff --git a/content/momentum/4/config/use-dane.md b/content/momentum/4/config/use-dane.md
new file mode 100644
index 00000000..de88605a
--- /dev/null
+++ b/content/momentum/4/config/use-dane.md
@@ -0,0 +1,30 @@
+---
+lastUpdated: "06/01/2024"
+title: "use_dane"
+description: "config option to enable DANE TLSA DNS lookup for a domain"
+---
+
+
+## Name
+
+use_dane — specify whether Momentum should check DNS record DNSSEC status and look up TLSA
+ records if applicable.
+
+## Synopsis
+
+`use_dane = "true|false"`
+
+## Description
+
+This option is only effective when [dane module](/momentum/4/modules/dane) is configured.
+
+This option specifies whether Momentum shall check the DNSSEC status of a domain's MX and A record,
+ and if both pass DNSSEC validation, corresponding TLSA record will be fetched and DNSSEC status
+ checked.
+
+The default value is `false`.
+
+
+## Scope
+
+`use_dane` is valid in the domain and global scopes.
diff --git a/content/momentum/4/modules/dane.md b/content/momentum/4/modules/dane.md
new file mode 100644
index 00000000..21092cdb
--- /dev/null
+++ b/content/momentum/4/modules/dane.md
@@ -0,0 +1,100 @@
+---
+lastUpdated: "06/01/2024"
+title: "DANE support"
+description: "DANE support TLSA DNSSEC"
+---
+
+The dane module handles DANE related DNS lookups and outbound STARTTLS enforcement and
+ verifications.
+
+DANE (DNS-Based Authentication of Named Entities) is a standard for improving transport security.
+ [RFC 7672](https://datatracker.ietf.org/doc/html/rfc7672) describes the use of DANE for improving
+ SMTP security between MTAs.
+
+Momentum has supported STARTTLS for a long time. The use of STARTTLS for establishing channel
+ security (encrypting the channel) can be achieved via the use of [tls](/momentum/4/config/ref-tls),
+ [tls_verify](/momentum/4/config/tls-verify) configuration options.
+
+DANE for SMTP security allows the remote side to enforce the use of STARTTLS whenever clients like
+ Momentum connect to the site to transfer email. RFC 7672 describes various methods through which
+ remote sites could advertise the availability of STARTTLS with them, and whether they require
+ the connecting clients to always use STARTTLS when communicating with them.
+ DANE requires that the DNS resolver support DNSSEC, a secure way of looking up DNS records.
+ Google DNS (8.8.8.8) is an example of a DNS lookup service that supports DNSSEC.
+
+Momentum 4.8 and above supports the use of DANE for enforcing SMTP security.
+ When DANE is enabled, Momentum must be configured with a DNS resolver that supports DNSSEC in order
+ for DANE to work properly.
+ If the new [dane module](/momentum/4/modules/dane) is enabled and the new directive
+ [use_dane](/momentum/4/config/use-dane) for a domain is set to `true`,
+ Momentum will lookup the remote site's STARTTLS preferences (through DNS resolution) and use that
+ information to influence whether STARTTLS is established or not with the remote site prior to
+ transferring email to it. If the remote site requires the use of STARTTLS, Momentum will only
+ transfer email to the remote site if STARTTLS was successful in establishing an encrypted channel
+ to the remote site. And, in accordance with the DANE standard, Momentum will attempt to verify
+ the certificate presented by the remote host during STARTTLS based on the fingerprints it obtained
+ through DNS TLSA records. If the remote site is strict about the use of STARTTLS,
+ and Momentum could not perform STARTTLS successfully (e.g, Momentum failed to verify that the
+ fingerprint of the certificate presented by the remote site matches the fingerprint of the
+ certificate specified in the TLSA DNS records), Momentum will not transfer email to the remote
+ server. Email is held in the queue until Momentum can establish STARTTLS successfully in accordance
+ with DANE protocol with the remote site.
+
+See RFC 7672 for more descriptions on how certificate matching is specified via the use of
+ TLSA DNS records. Please contact support if you have any further questions about DANE protocol.
+
+DANE works independently from and takes preference over the configuration controlled STARTTLS
+ behavior.
+
+When [MTA-STS](/momentum/4/mta-sts) is also enabled on a binding domain,
+ MTA-STS policy will apply to MX selection for
+ email delivery, but if secure TLSA record is available, only the DANE TLS validation will be
+ applied to establish the STARTTLS connection. If DANE TLS failed, no fallback to other
+ verification means (e.g. MTA-STS, or administrator configured STARTTLS behaviors defined by
+ [tls](/momentum/4/config/ref-tls) or [tls_verify](/momentum/4/config/tls-verify)).
+
+### Configuration
+
+You need to enable the dane module in the ecelerity configuration file to use the feature:
+
+```
+dane {}
+```
+
+### Note
+With dane module enabled, you still need to have the following global/binding/domain scope
+ configuration options to fully enable the feature application on email sending.
+
+- [use_dane](/momentum/4/config/use-dane)
+- [enable_dane](/momentum/4/config/enable-dane)
+
+The following configuration is the minimum needed to enable DANE TLSA lookup and TLS verification
+for all domains:
+
+```
+dane {}
+use_dane = true
+```
+
+[domain](/momentum/4/console-commands/domain) command is updated to show the TLSA record if available,
+ and a flag of `+dnssec` is added to each DNS record to indicate that they are DNSSEC
+ validated. An example is shown here:
+
+```
+Domain 'comcast.net' has 8 MXs and a TTL of 58 seconds +dnssec
+ [50 mx2c1.comcast.net. TTL:7198] +dnssec
+TLSA '_25._tcp.mx2c1.comcast.net' has a TTL of 120 seconds +dnssec
+ 3 1 1 29b116c43593748345aa7f4c43717e792f94137a88b93d674de2ce1162f98625
+ [96.102.18.146]:0 IPv4 (0.00ms con 0.00ms dlv)\
+...
+```
+
+
+## Other DANE Related Configuration Options
+
+- [tlsa_expire_interval](/momentum/4/config/tlsa-expire-interval)
+
+
+## Related [Debug_Flags](/momentum/4/config/ref-debug-flags)
+- DANE
+
diff --git a/content/momentum/4/modules/index.md b/content/momentum/4/modules/index.md
index 4fc70ceb..16490713 100644
--- a/content/momentum/4/modules/index.md
+++ b/content/momentum/4/modules/index.md
@@ -34,6 +34,7 @@ description: "Table of Contents 71 1 Introduction 71 2 ac auth Authentication Ha
 | [csapi](/momentum/4/modules/csapi) | Symantec CSAPI Antivirus Support |
 | [custom_bounce_logger](/momentum/4/modules/custom-bounce-logger) | Custom Bounce Logging |
 | [custom_logger](/momentum/4/modules/custom-logger) | User-defined Logging |
+| [dane](/momentum/4/modules/dane) | DANE related DNS Lookups and TLS Verifications |
 | [delay_dsn](/momentum/4/modules/delay-dsn) | Delay DSN Generation |
 | [dnsbuf](/momentum/4/modules/dnsbuf) | Dynamically Set the DNS UDP Buffer Size |
 | [domainkeys](/momentum/4/modules/domainkeys) | Yahoo! DomainKeys |
diff --git a/content/momentum/4/modules/summary-all-modules.md b/content/momentum/4/modules/summary-all-modules.md
index 5fd08877..22031ab1 100644
--- a/content/momentum/4/modules/summary-all-modules.md
+++ b/content/momentum/4/modules/summary-all-modules.md
@@ -38,6 +38,7 @@ All modules are listed alphabetically with a brief description. Singleton module
 | [“csapi – Symantec CSAPI Antivirus Support”](/momentum/4/modules/csapi) | 4.0 | Integration for Symantec content scanners |   |   |  ✓ |   |
 | [“custom_bounce_logger – Custom Bounce Logging”](/momentum/4/modules/custom-bounce-logger) | 4.2 | Append a "User_String" to the end of each bounce record |  ✓ |   |   | [“bounce_logger – Momentum-Style Bounce Logging”](/momentum/4/modules/bounce-logger) |
 | [“custom_logger – User-defined Logging”](/momentum/4/modules/custom-logger) | 4.0 | Create custom logs |   |   |   |   |
+| ["dane - DNS-based Authentication of Named Entities"](/momentum/4/modules/dane) | 4.8 | Support for DANE |   |   |   |   |
 | [“delay_dsn – Delay DSN Generation”](/momentum/4/modules/delay-dsn) | 4.0 | Configure and send delay DSNs |   |   |   |   |
 | [dk_sign](/momentum/4/modules/domainkeys) | 4.0 | Attach domain keys signatures to outbound mail |   |   |  ✓ |   |
 | [dk_validate](/momentum/4/modules/domainkeys) | 4.0 | Validate inbound mail checking domain keys signatures |   |   |  ✓ |   |
@@ -97,4 +98,4 @@ All modules are listed alphabetically with a brief description. Singleton module
 | [“suppress_spool – Deferred Message Spooling”](/momentum/4/modules/suppress-spool) | 4.0 | Defer spool attempts |   |   |   |   |
 | [“syslog_io – The syslog_io Module”](/momentum/4/modules/syslog-io) (*singleton*) | 4.0 | Use the syslog wrapper to write entries to the log |  ✓ |   |   |   |
 | [“tls_macros – TLS-related Logging”](/momentum/4/4-tls-macros) | 4.0 | Provide several macros supporting custom logging of TLS-related data |   |   |   |   |
-| [“url_ripper – URL Extraction”](/momentum/4/modules/url-ripper) | 4.0 | A toolkit for DNS-based content correlation |   |   |  ✓ |   |
\ No newline at end of file
+| [“url_ripper – URL Extraction”](/momentum/4/modules/url-ripper) | 4.0 | A toolkit for DNS-based content correlation |   |   |  ✓ |   |
diff --git a/content/momentum/navigation.yml b/content/momentum/navigation.yml
index 4340432d..0ca1eae8 100644
--- a/content/momentum/navigation.yml
+++ b/content/momentum/navigation.yml
@@ -513,6 +513,8 @@
 title: Using Complex Templates
 - link: /momentum/4/mta-sts
 title: MTA-STS support
+ - link: /momentum/4/modules/dane
+ title: DANE support
 - link: /momentum/4/http-api-stats
 title: Stats HTTP API
 items: