MTA-STS-DAEMON.YML(5) mta-sts-daemon.yml MTA-STS-DAEMON.YML(5)
NAME
mta-sts-daemon.yml - configuration file for mta-sts-daemon
DESCRIPTION
This configuration file configures the listening socket, caching
behaviour, and manipulation of MTA-STS mode.
SYNTAX
The file is in YAML syntax with the following elements:
host: (str) daemon bind address. Default: 127.0.0.1
port: (int) daemon bind port. Default: 8461
path: (str) path of the daemon's UNIX socket. If specified, host and
port are ignored and a UNIX socket is bound instead of a TCP socket.
mode: (int) file mode for the daemon's UNIX socket. If not specified, the
default file mode (as constrained by the process umask) is used. This
option has effect only when a UNIX socket is used. If the file mode is
given in octal form (the most common case), it must be written with a
leading zero, because the YAML 1.1 rules applied by the loader treat only
leading-zero integers as octal: 0666 is octal, whereas 666 is decimal
666 (octal 01232) and 0o666 is a string. Example: 0666. Since any local
user with write permission on the socket can connect to it, a
group-restricted mode such as 0660 is preferable to 0666.
reuse_port: (bool) allow multiple daemon instances to bind the same port
(available on Unix and Windows). Default: true
cache_grace: (float) age, in seconds, below which a cached policy is
served without a refresh or update. Default: 60
shutdown_timeout: (float) time limit, in seconds, granted to existing
client sessions to finish when the server stops. Default: 20
cache
• type: (str: internal|sqlite|redis|redis_sentinel|postgres) cache
backend type. Default: internal
• options:
• Options for internal type:
• cache_size: (int) number of cache entries to store in
memory. Default: 10000
• Options for sqlite type:
• filename: (str) path to database file
• threads: (int) number of threads in pool for SQLite
connections. Default: number of CPUs
• timeout: (float) timeout in seconds for acquiring
connection from pool or DB lock. Default: 5
• Options for redis type:
• All parameters are passed to aioredis.from_url [0].
Check there for a parameter reference.
• Options for redis_sentinel type:
• sentinel_master_name: (str) name of the sentinel master
• sentinels: (list of [host, port] pairs) list of sentinels, each
given as an IP address or FQDN and a port
• All other parameters are passed to
aioredis.sentinel.Sentinel [1]. For additional details
check [2].
• Options for postgres type:
• dsn: (str) database connection string
proactive_policy_fetching
• enabled: (bool) enable proactive policy fetching in the
background. Default: false
• interval: (int) if proactive policy fetching is enabled, it is
scheduled every this many seconds. It is unaffected by
cache_grace and vice versa. Default: 86400
• concurrency_limit: (int) the maximum number of concurrent domain
updates. Default: 100
• grace_ratio: (float) proactive fetch for a particular domain is
skipped if its cached policy age is less than
interval/grace_ratio. Default: 2.0
default_zone
• strict_testing: (bool) enforce policy for testing domains.
Default: false
• timeout: (int) timeout, in seconds, for network operations (DNS
and HTTPS) performed by the resolver in that zone. Default: 4
• require_sni: (bool) add option servername=hostname to policy
responses to make Postfix send SNI in TLS handshake as required
by RFC 8461. Requires Postfix version 3.4+. Default: true
• tlsrpt: (bool) include response attributes for TLSRPT support
(Postfix 3.10 and later). Default: false
zones
• ZONENAME:
• Same as options in default_zone
The timeout applies to both the DNS (TXT record) and HTTPS (policy
file) requests made while resolving a policy.
With strict_testing enabled, an MTA-STS policy in "testing" mode is
treated as if it were in "enforce" mode. This may be useful (though
noncompliant with RFC 8461) at the beginning of an MTA-STS deployment,
when many domains still operate in "testing" mode; note that it turns
what the sending side would otherwise only report for such domains into
hard delivery failures.
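The following is an added illustration, not code from postfix-mta-sts-resolver, of how the zone options strict_testing and require_sni change the reply handed to Postfix. It parses a constructed RFC 8461 policy file and builds a reply in Postfix smtp_tls_policy_maps syntax ("secure match=..."); the conversion of a wildcard MX pattern to Postfix's leading-dot subdomain form, and the exact mapping, are assumptions made for the example, and the extra attributes emitted when tlsrpt is enabled are not modelled.

```python
"""Added example: effect of strict_testing and require_sni on the reply.
Not the daemon's own code; reply format follows Postfix smtp_tls_policy_maps."""

# Constructed sample policy text in the RFC 8461 policy-file format.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""


def parse_policy(text):
    """Parse an RFC 8461 policy file into a dict; 'mx' collects all mx lines."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("not an STSv1 policy")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("unknown policy mode")
    return policy


def mx_to_postfix_match(mx):
    """Postfix 'match=' uses a leading dot for subdomain matches; an MTA-STS
    wildcard such as '*.example.net' is assumed to map to '.example.net'."""
    return mx[1:] if mx.startswith("*.") else mx


def effective_mode(policy, zone):
    """Apply strict_testing: a 'testing' policy is promoted to 'enforce'."""
    if policy["mode"] == "testing" and zone.get("strict_testing", False):
        return "enforce"
    return policy["mode"]


def policy_response(policy, zone):
    """Return the smtp_tls_policy_maps value for the policy under the given
    zone options, or None when nothing is enforced (Postfix then falls back
    to its default TLS policy)."""
    if effective_mode(policy, zone) != "enforce":
        return None
    matches = ":".join(mx_to_postfix_match(m) for m in policy["mx"])
    parts = ["secure", "match=" + matches]
    if zone.get("require_sni", True):  # default true, as documented above
        parts.append("servername=hostname")
    return " ".join(parts)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for zone in ({}, {"require_sni": False}):
        print(zone, "->", policy_response(policy, zone))
    testing = dict(policy, mode="testing")
    for zone in ({"strict_testing": False}, {"strict_testing": True}):
        print(zone, "->", policy_response(testing, zone))
```

Run it to see that a "testing" policy yields no reply unless strict_testing is set, and that require_sni appends servername=hostname so Postfix sends SNI as RFC 8461 requires.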
EXAMPLE
host: 127.0.0.1
port: 8461
reuse_port: true
shutdown_timeout: 20
proactive_policy_fetching:
  enabled: true
  interval: 86400
  concurrency_limit: 100
  grace_ratio: 2
cache:
  type: internal
  options:
    cache_size: 10000
default_zone:
  strict_testing: false
  timeout: 4
zones:
  myzone:
    strict_testing: false
    timeout: 4
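As an added example (not part of postfix-mta-sts-resolver, which performs none of these checks as written here), the script below runs the sanity checks a practitioner would want over a loaded mta-sts-daemon.yml: it resolves a plain scalar with the YAML 1.1 integer rules to show why the socket mode needs its leading zero, flags a socket mode that grants connect() to every local user, warns when the unauthenticated socketmap is bound to a non-loopback address, checks that each cache backend has the options this page lists as required, and points out strict_testing. The two sample configurations are constructed dicts shaped like the output of yaml.safe_load(); the socket path, database path and the set of "required" options are assumptions made for the example.

```python
"""Added example: sanity checks over a loaded mta-sts-daemon.yml.
Not the daemon's own code; sample configs below are constructed."""
import ipaddress
import re

# YAML 1.1 plain-scalar integer forms: leading zero = octal, 0x = hex,
# 0b = binary; anything else that is not plain decimal stays a string.
_YAML11_INT = {
    re.compile(r"^[-+]?0b[01_]+$"): 2,
    re.compile(r"^[-+]?0[0-7_]+$"): 8,
    re.compile(r"^[-+]?0x[0-9a-fA-F_]+$"): 16,
    re.compile(r"^[-+]?(?:0|[1-9][0-9_]*)$"): 10,
}


def yaml11_scalar(token):
    """Resolve a plain scalar as a YAML 1.1 loader would: int or unchanged str."""
    for pattern, base in _YAML11_INT.items():
        if pattern.match(token):
            digits = token.replace("_", "")
            return int(digits, 8) if base == 8 else int(digits, 0)
    return token


def check_socket_mode(value):
    """Findings for the 'mode' option as it looks after YAML loading."""
    if not isinstance(value, int):
        return [f"mode {value!r} is not an integer; only a leading zero "
                "(e.g. 0660) makes a YAML 1.1 integer octal"]
    if not 0 <= value <= 0o777:
        return [f"mode {value} (octal {value:o}) is outside 0..0777 or above "
                "0777: a mode written without the leading zero, e.g. 666, "
                "is read as decimal 666"]
    if value & 0o002:
        return [f"mode {value:04o} is world-writable, so every local user can "
                "connect(); prefer group access such as 0660"]
    return []


# Options assumed mandatory per backend, following the list on this page.
REQUIRED_CACHE_OPTIONS = {
    "internal": (), "sqlite": ("filename",), "redis": (),
    "redis_sentinel": ("sentinel_master_name", "sentinels"),
    "postgres": ("dsn",),
}


def check_config(cfg):
    """Collect findings over a config dict shaped like yaml.safe_load output."""
    findings = []
    if "mode" in cfg:
        findings += check_socket_mode(cfg["mode"])
    if "path" not in cfg:
        if "mode" in cfg:
            findings.append("mode is ignored without path")
        host = cfg.get("host", "127.0.0.1")
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = host == "localhost"
        if not loopback:
            findings.append(f"host {host} is not loopback: the socketmap is "
                            "unauthenticated, firewall it or use a UNIX socket")
    cache = cfg.get("cache") or {}
    ctype = cache.get("type", "internal")
    if ctype not in REQUIRED_CACHE_OPTIONS:
        findings.append(f"unknown cache type {ctype!r}")
    else:
        opts = cache.get("options") or {}
        for key in REQUIRED_CACHE_OPTIONS[ctype]:
            if key not in opts:
                findings.append(f"cache type {ctype} requires options.{key}")
    zones = {"default_zone": cfg.get("default_zone") or {}}
    zones.update(cfg.get("zones") or {})
    for name, zone in zones.items():
        if zone.get("strict_testing", False):
            findings.append(f"{name}: strict_testing is on, 'testing' policies "
                            "are enforced (noncompliant with RFC 8461)")
    return findings


# Constructed sample configs (paths are assumptions for the example).
GOOD_CONFIG = {
    "path": "/run/mta-sts/daemon.sock",
    "mode": yaml11_scalar("0660"),
    "cache": {"type": "sqlite",
              "options": {"filename": "/var/lib/mta-sts/cache.db"}},
    "default_zone": {"strict_testing": False, "timeout": 4},
}
BAD_CONFIG = {
    "host": "0.0.0.0", "port": 8461,
    "mode": yaml11_scalar("666"),  # no leading zero: decimal 666, not 0666
    "cache": {"type": "redis_sentinel", "options": {}},
    "default_zone": {"strict_testing": True},
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_config(cfg) or "no findings")
```

The check for `mode` only looks at the loaded value: by the time the daemon sees it, `0666` has become 438 (0o666) and `666` has become decimal 666, which is why the range check is the only way to catch the missing leading zero after parsing.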
SEE ALSO
mta-sts-daemon(1), mta-sts-query(1)
NOTES
0.
https://aioredis.readthedocs.io/en/latest/api/high-level/#aioredis.client.Redis.from_url
1.
https://aioredis.readthedocs.io/en/latest/getting-started/#redis-sentinel-client
2.
https://redis.readthedocs.io/en/stable/connections.html#sentinel-client
postfix-mta-sts-resolver 2025-03-10 MTA-STS-DAEMON.YML(5)