To enable TLSRPT, define a DNS record at _smtp._tls.yourdomain.name
. Refer to RFC8460 for the policy syntax. Basically, you decide whether you want to receive reports via mail or via web. In the following, we assume via mail. Normally, you receive daily reports saying everything is fine.
The following script reads the report attached to the input message looking for failures. If it finds any, it adds a special header field, TLS-Report-Has-Failures
that you can check in your mail filter in order to redirect the message to other recipients/ folders in that case.
Copy and paste the script to your editor of choice. Note that it uses \n
line endings. Add \r
if needed. Also, the script writes to stderr
. You may want to replace that with syslog if your filter doesn't do that for you. You may also want to tweak email.policy. When you're done, save the file where your mail filter can reach it.
TLS reports are normally filed in a self-emptying IMAP folder. However, sometimes you get 'total-failure-session-count': 2
. IME, these are due to the firewall temporarily blocking connections after network abuse, which includes blatant spam. As it happens, those who send TLS reports are too big to block. That's why the script also copies the relevant IP numbers in the message body, so that you can speed-remove them from the firewall without having to unzip the attachment.
Copyright (C) 2022 Alessandro Vesely, all rights reserved except as noted.