
Add TLS/STARTTLS support


Hi, first of all: Thanks for this incredible service. I really love it! ❤️

Unfortunately, I noticed that the main instance, kill-the-newsletter.com (thanks for hosting), does not support STARTTLS, which is a no-go IMO. The smtp-server library you use has support for it, but you disable it.

Enabling support seems to be relatively easy: First, do not disable the STARTTLS command. Second, set up key, cert and eventually ca parameters to point to the certificate you already have for HTTPS.

Congrats, you have enabled encryption! 🎊


Additionally, if you are already at it, check the recommendations from internet.nl:

  • Add a DANE record pinning the Let’s Encrypt CA certificates. Pinning the two CA certificates makes the TLSA records safe for the next decades. You just have to stick to Let’s Encrypt. They should be:
    # ISRG Root X1
    _25._tcp.kill-the-newsletter.com.	10800	IN	TLSA	2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3
    # ISRG Root X2
    _25._tcp.kill-the-newsletter.com.	10800	IN	TLSA	2 1 1 762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332

    You already have the required DNSSEC on the kill-the-newsletter.com domain. You can use this test page if you have deployed it.
  • Add IPv6 support to the mail server. It’s 2022, IPv6 should be supported by default. And as you only receive mail, you should not fear deliverability problems.
  • Avoid misuse of your domain for spam. Also see this Cloudflare article.
    • Add an SPF record. If you never send email from your domain, just set
      kill-the-newsletter.com.	10800	IN	TXT	"v=spf1 -all"

      Alternatively v=spf1 mx -all to allow the mail server to send mail.
    • Eventually add a null DKIM record as described by the Cloudflare article. Cloudflare wants to set the wildcard record *._domainkey.kill-the-newsletter.com; check if your DNS provider supports wildcard records.
    • Add a DMARC record rejecting mail that fails SPF/DKIM checks:
      _dmarc.kill-the-newsletter.com.	10800	IN	TXT	"v=DMARC1; p=reject;"
    

You can also consult hardenize.com for great email server reports.


Top GitHub Comments

1 reaction
leafac commented, Sep 25, 2022

Fair enough. Thanks for investigating. I’ll update some things about Kill the Newsletter! in the near future and include the STARTTLS in the process.

0 reactions
Mynacol commented, Oct 13, 2022

Just a quick reminder from my side

