Introducing MTA-STS and TLS Tools

We are introducing a couple of new tools to assist fellow postmasters with their deployments. Use these tools for quick spot checks of your configuration.

The MTA-STS Validator

Our MTA-STS Validator performs a full review of your MTA-STS policy and can optionally connect to your MX hosts to make sure everything is in order. A report of the results is produced within a few seconds, indicating any issues needing your attention.

The tool will review the following:

  • MX records of the domain
  • Presence of the required DNS records
  • Availability of the MTA-STS policy through HTTPS, with valid certificates and without redirects
  • Correctness of the MTA-STS policy
  • Matching of the MTA-STS policy-allowed MX hosts and your actual MX hosts
  • Optionally, connect to each MX host and verify STARTTLS availability and certificates

The resulting report quickly presents any areas of concern. Note that we report the lack of DNSSEC as a warning. We’re strong believers in DNSSEC, which is why we would like to push for its wider adoption.
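To make the policy-correctness and MX-matching checks from the list above concrete, here is an added example (not the validator's own code) that applies the RFC 8461 rules to a policy body offline. The function names, the sample policy and the example.com/example.net hosts are constructed for illustration.

```python
# Added example: offline MTA-STS policy check per RFC 8461; sample data is constructed.
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds

def parse_policy(text):
    """Parse the key/value policy body; 'mx' may repeat, other keys may not."""
    policy, issues = {"mx": []}, []
    for line in text.splitlines():  # accepts both CRLF and LF line endings
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            issues.append(f"malformed line: {line!r}")
        elif key == "mx":
            policy["mx"].append(value.lower())
        elif key in policy:
            issues.append(f"duplicate key: {key}")
        else:
            policy[key] = value
    return policy, issues

def mx_allowed(host, pattern):
    """A '*.' pattern matches exactly one left-most label; otherwise exact match."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return host == pattern

def check_policy(text, actual_mx):
    """Return a list of findings; an empty list means nothing to report."""
    policy, issues = parse_policy(text)
    if policy.get("version") != "STSv1":
        issues.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        issues.append(f"invalid mode: {mode!r}")
    age = policy.get("max_age", "")
    if not (age.isascii() and age.isdigit() and int(age) <= MAX_AGE_LIMIT):
        issues.append(f"invalid max_age: {age!r}")
    if mode != "none":  # mx patterns are only required when the policy is active
        if not policy["mx"]:
            issues.append("no mx patterns in policy")
        for host in actual_mx:
            if not any(mx_allowed(host, p) for p in policy["mx"]):
                issues.append(f"MX host not covered by policy: {host}")
    return issues

# Constructed sample: a policy body and the MX hosts a DNS lookup might return.
SAMPLE_POLICY = "version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\nmx: *.mx.example.com\r\nmax_age: 604800\r\n"
SAMPLE_MX = ["mail.example.com.", "a.mx.example.com.", "backup.example.net."]
```

Running `check_policy(SAMPLE_POLICY, SAMPLE_MX)` flags only `backup.example.net.`, the kind of mismatch that causes delivery failures once a sender enforces the policy.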

The TLS Checker

Our TLS Checker is a tool to assist you in ensuring your certificate setup is correct. It supports plain TLS, STARTTLS and PostgreSQL protocols. Use plain TLS to check your webserver’s certificates. Use STARTTLS to verify the certificates of your SMTP, POP or IMAP servers.

The resulting report will provide the following information:

  • Certificate issuer and serial number
  • Days left and validity period for the certificate
  • Names and host patterns covered by this certificate

The checker also verifies the TLS version and cipher suite negotiated by your server, providing feedback on the choices.