mta-sts-daemon.yml - configuration file for mta-sts-daemon
This configuration file configures the listening socket, caching behaviour, and manipulation of MTA-STS mode.
The file is in YAML syntax with the following elements:
host: (str) daemon bind address. Default: 127.0.0.1
port: (int) daemon bind port. Default: 8461
path: (str) daemon UNIX socket bind address (path). If specified, host and port are ignored and a UNIX socket is bound instead of a TCP socket.
mode: (int) file mode for the daemon UNIX socket. If not specified, the default file mode is used. This option has effect only when a UNIX socket is used. If the file mode is specified in octal form (the most common case), it has to be prefixed with a leading zero. Example: 0666
reuse_port: (bool) allow multiple instances to share the same port (available on Unix and Windows). Default: true
cache_grace: (float) age of cache entries in seconds below which no policy refresh and update is required. Default: 60
shutdown_timeout: (float) time limit granted to existing client sessions for finishing when the server stops. Default: 20
cache
•type: (str: internal|sqlite|redis|redis_sentinel|postgres) cache backend type. Default: internal
•options:
  •Options for internal type:
    •cache_size: (int) number of cache entries to store in memory. Default: 10000
  •Options for sqlite type:
    •filename: (str) path to the database file
    •threads: (int) number of threads in the pool for SQLite connections. Default: number of CPUs
    •timeout: (float) timeout in seconds for acquiring a connection from the pool or a DB lock. Default: 5
  •Options for redis type:
    •All parameters are passed to aioredis.from_url [0]. Check there for a parameter reference.
  •Options for redis_sentinel type:
    •sentinel_master_name: (str) name of the sentinel master
    •sentinels: (list of tuples) list of sentinels, each given as IP/FQDN and port
    •All other parameters are passed to aioredis.sentinel.Sentinel [1]. For additional details check [2].
  •Options for postgres type:
    •dsn: (str) database connection string
proactive_policy_fetching
•enabled: (bool) enable proactive policy fetching in the background. Default: false
•interval: (int) if proactive policy fetching is enabled, a fetch is scheduled every this many seconds. It is unaffected by cache_grace and vice versa. Default: 86400
•concurrency_limit: (int) the maximum number of concurrent domain updates. Default: 100
•grace_ratio: (float) the proactive fetch for a particular domain is skipped if its cached policy age is less than interval/grace_ratio. Default: 2.0
default_zone
•strict_testing: (bool) enforce policy for domains in "testing" mode. Default: false
•timeout: (int) network operations timeout for the resolver in that zone. Default: 4
•require_sni: (bool) add the option servername=hostname to policy responses to make Postfix send SNI in the TLS handshake as required by RFC 8461. Requires Postfix version 3.4+. Default: true
•tlsrpt: (bool) include response attributes for TLSRPT support (Postfix 3.10 and later). Default: false
zones
•ZONENAME:
  •Same options as in default_zone
The timeout is used for the DNS and HTTP requests.
MTA-STS "testing" mode can be interpreted as "strict" mode. This may be useful (though noncompliant) at the beginning of an MTA-STS deployment, when many domains still operate under "testing" mode.
host: 127.0.0.1
port: 8461
reuse_port: true
shutdown_timeout: 20
proactive_policy_fetching:
  enabled: true
  interval: 86400
  concurrency_limit: 100
  grace_ratio: 2
cache:
  type: internal
  options:
    cache_size: 10000
default_zone:
  strict_testing: false
  timeout: 4
zones:
  myzone:
    strict_testing: false
    timeout: 4
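As an added example (not part of this man page or of the daemon itself), the following Python script checks an already-parsed mta-sts-daemon.yml against the rules documented above: it merges default_zone into every named zone with the documented defaults, flags strict_testing as noncompliant, verifies that a cache backend has the options it cannot run without, and inspects the UNIX socket mode. The sample config, its socket path and the lint messages are constructed here; load a real file with yaml.safe_load and pass the resulting dict to lint().

```python
CACHE_TYPES = {"internal", "sqlite", "redis", "redis_sentinel", "postgres"}
# Options the page lists without a default: the backend cannot start without them.
REQUIRED_CACHE_OPTIONS = {"sqlite": ("filename",), "postgres": ("dsn",),
                          "redis_sentinel": ("sentinel_master_name", "sentinels")}
ZONE_DEFAULTS = {"strict_testing": False, "timeout": 4, "require_sni": True, "tlsrpt": False}


def effective_zones(cfg):
    """Documented defaults, overridden by default_zone, overridden by each named zone."""
    base = {**ZONE_DEFAULTS, **(cfg.get("default_zone") or {})}
    zones = {"default_zone": base}
    for name, overrides in (cfg.get("zones") or {}).items():
        zones[name] = {**base, **(overrides or {})}
    return zones


def lint(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if "path" in cfg:  # UNIX socket in use: host/port are ignored and mode applies
        mode = cfg.get("mode")
        if mode is not None and not isinstance(mode, int):
            findings.append("mode: must be an int; write octal with a leading zero (e.g. 0666)")
        elif mode is not None and mode & 0o002:
            findings.append(f"mode: socket would be world-writable ({oct(mode)})")
    cache = cfg.get("cache") or {}
    ctype = cache.get("type", "internal")
    if ctype not in CACHE_TYPES:
        findings.append(f"cache.type: unknown backend '{ctype}'")
    for key in REQUIRED_CACHE_OPTIONS.get(ctype, ()):
        if key not in (cache.get("options") or {}):
            findings.append(f"cache.options.{key}: required for cache type '{ctype}'")
    ppf = cfg.get("proactive_policy_fetching") or {}
    if ppf.get("enabled", False) and ppf.get("grace_ratio", 2.0) <= 0:
        findings.append("proactive_policy_fetching.grace_ratio: must be > 0 (skip age is interval/grace_ratio)")
    for name, zone in effective_zones(cfg).items():
        if zone["strict_testing"]:
            findings.append(f"{name}: strict_testing=true enforces 'testing' policies (noncompliant)")
    return findings


# Constructed sample (placeholder socket path): the page's example config switched to a UNIX
# socket with mode 0666, an sqlite cache missing its filename, and one zone set to strict.
SAMPLE = {"path": "/run/mta-sts/daemon.sock", "mode": 0o666, "shutdown_timeout": 20,
          "proactive_policy_fetching": {"enabled": True, "interval": 86400, "grace_ratio": 2},
          "cache": {"type": "sqlite", "options": {}},
          "default_zone": {"strict_testing": False, "timeout": 4},
          "zones": {"myzone": {"strict_testing": True}}}
```

Running lint(SAMPLE) yields three findings: the world-writable socket mode, the missing sqlite filename, and the strict zone.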
0. <https://aioredis.readthedocs.io/en/latest/api/high-level/#aioredis.client.Redis.from_url>
1. <https://aioredis.readthedocs.io/en/latest/getting-started/#redis-sentinel-client>
2. <https://redis.readthedocs.io/en/stable/connections.html#sentinel-client>