RFC 8461 MTA Strict Transport Security (MTA-STS).
MTA-STS lets a receiving domain declare that incoming mail must be delivered over an authenticated TLS connection to one of a named set of MX hostnames. A sending MTA that supports STS will:
- Look up `_mta-sts.<recipient-domain>` TXT for a record like `v=STSv1; id=20200101T000000Z`. (`StsRecord::parse`)
- If the `id` has changed since the last fetch, GET the policy from `https://mta-sts.<recipient-domain>/.well-known/mta-sts.txt`.
- Parse the policy body. (`Policy::parse`)
- For each MX returned by normal DNS, check that the MX hostname matches one of the policy's `mx:` patterns. (`mx_matches`)
- If a match is found, attempt delivery with TLS certificate verification. If no match is found, the per-policy `mode` decides: `enforce` → don't deliver, `testing` → deliver and optionally report, `none` → ignore policy. ([enforce])
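The policy-side steps above, carried through as an added example that is not the crate's own code: a stand-alone policy parser, the single-label wildcard MX match, and the mode decision (the DNS, HTTPS and clock stages stay with the caller, as the Scope section says). Type and function names are this example's own assumptions, not the crate's API.

```rust
// Added example, not the crate's own code; names are this example's own.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Mode { Enforce, Testing, None }
#[derive(Debug, PartialEq)]
pub enum Decision { Deliver, DeliverAndReport, Refuse, IgnorePolicy }
#[derive(Debug)]
pub struct Policy { pub mode: Mode, pub mx: Vec<String>, pub max_age: u64 }

/// Parse `key: value` policy lines; None if version != STSv1, or mode/max_age/mx missing or malformed.
pub fn parse_policy(body: &str) -> Option<Policy> {
    let (mut version, mut mode, mut mx) = (None, None, Vec::new());
    let mut max_age: Option<u64> = None;
    for line in body.lines().map(str::trim).filter(|l| !l.is_empty()) {
        let (k, v) = line.split_once(':')?;
        match (k.trim(), v.trim()) {
            ("version", v) => version = Some(v),
            ("mode", "enforce") => mode = Some(Mode::Enforce),
            ("mode", "testing") => mode = Some(Mode::Testing),
            ("mode", "none") => mode = Some(Mode::None),
            ("max_age", v) => max_age = v.parse().ok(),
            ("mx", v) if !v.is_empty() => mx.push(v.to_ascii_lowercase()),
            _ => {} // unknown keys are ignored for forward compatibility
        }
    }
    if version? != "STSv1" || mx.is_empty() { return None; }
    Some(Policy { mode: mode?, mx, max_age: max_age? })
}

/// A leading `*.` matches exactly one leftmost label: `*.example.com` matches `mx1.example.com`
/// but not `example.com` or `a.mx1.example.com`. Pattern is expected lowercase (parse_policy lowercases).
pub fn mx_matches(pattern: &str, mx: &str) -> bool {
    let mx = mx.to_ascii_lowercase();
    let mx = mx.trim_end_matches('.'); // tolerate a fully-qualified trailing dot
    match pattern.strip_prefix("*.") {
        Some(suffix) => mx.split_once('.').map_or(false, |(l, rest)| !l.is_empty() && rest == suffix),
        None => mx == pattern,
    }
}

/// Any matching MX means deliver with TLS certificate verification; otherwise the mode decides.
pub fn decide(policy: &Policy, mxs: &[&str]) -> Decision {
    let matched = mxs.iter().any(|mx| policy.mx.iter().any(|p| mx_matches(p, mx)));
    match (matched, policy.mode) {
        (true, _) => Decision::Deliver,
        (false, Mode::Enforce) => Decision::Refuse,
        (false, Mode::Testing) => Decision::DeliverAndReport,
        (false, Mode::None) => Decision::IgnorePolicy,
    }
}
```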
## Scope (1.0)
This crate is pure — no HTTP, no DNS, no clock. The caller brings:
- a DNS layer for the TXT lookup (typically `mailrs-dns`),
- an HTTPS client for the policy fetch (typically `reqwest`),
- a clock for `max_age` enforcement,
- a `Cache` impl for the `id → Policy` mapping. We ship an in-memory ref impl (`InMemoryCache`).
That keeps the stone bounded by RFC 8461 and reusable in any async stack.
## Re-exports

```rust
pub use cache::Cache;
pub use cache::CachedPolicy;
pub use cache::InMemoryCache;
pub use enforce::enforce;
pub use enforce::mx_matches;
pub use enforce::policy_url;
pub use enforce::Decision;
pub use error::MtaStsError;
pub use policy::Policy;
pub use policy::PolicyMode;
pub use record::StsRecord;
```
## Modules

- `cache`: Policy cache trait + in-memory reference implementation.
- `enforce`: Enforcement helpers: MX pattern matching + the `enforce(policy, mx)` decision function.
- `error`: Error type for MTA-STS parsers and decisions.
- `policy`: MTA-STS policy file parser (RFC 8461 §3.2).
- `record`: MTA-STS TXT record parser (RFC 8461 §3.1).