Version: 0.16

TLS

TLS reporting is the mechanism by which an MTA publishes outcomes of certificate validation during outbound message delivery. Recipients of TLS reports learn whether certificates were valid, expired, or revoked, which helps identify security issues and misconfigurations in the sending MTA.

Configuration

Stalwart automatically analyses TLS reports received from external hosts and can also generate aggregate reports to inform other hosts about the results of TLS validation. Outgoing TLS aggregate reports are configured on the TlsReportSettings singleton (found in the WebUI under Settings › MTA › Reports › TLS):

  • fromName: expression returning the name used in the From header of the report. Default 'Report Subsystem'.
  • fromAddress: expression returning the email address used in the From header. Default 'noreply-tls@' + system('domain').
  • subject: expression returning the report subject. Default 'TLS Aggregate Report'.
  • orgName: expression returning the organisation name included in the report. Default system('domain').
  • contactInfo: optional expression returning contact information for the reporting organisation.
  • sendFrequency: expression returning the frequency at which aggregate reports are sent. Supported values are hourly, daily, weekly, and never. Default daily.
  • maxReportSize: expression returning the maximum report size in bytes. Default 5242880 (5 MB).
  • dkimSignDomain: expression returning the domain whose DKIM signatures sign the outgoing report. Default system('domain').

Example:

{
  "fromName": {"else": "'TLS Report'"},
  "fromAddress": {"else": "'[email protected]'"},
  "subject": {"else": "'TLS Aggregate Report'"},
  "orgName": {"else": "'The Foobar Organization'"},
  "contactInfo": {"else": "'[email protected]'"},
  "sendFrequency": {"else": "daily"},
  "maxReportSize": {"else": "26214400"},
  "dkimSignDomain": {"else": "'example.org'"}
}

The submitter address for TLS reports is configured on the ReportSettings singleton via outboundReportSubmitter.
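
To show what an aggregate report carries once it is received, the following added example (not Stalwart's own code) summarises a report in the RFC 8460 JSON layout, where the organisation name and contact information appear as organization-name and contact-info. The sample report, the summarize function, and the size guard are assumptions made for illustration.

```python
import json

# Constructed sample in the RFC 8460 report layout; every value is invented.
SAMPLE_REPORT = json.dumps({
    "organization-name": "The Foobar Organization",
    "contact-info": "tls-reports@example.org",
    "report-id": "constructed-0001",
    "date-range": {"start-datetime": "2024-05-01T00:00:00Z",
                   "end-datetime": "2024-05-01T23:59:59Z"},
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.net"},
        "summary": {"total-successful-session-count": 120,
                    "total-failure-session-count": 7},
        "failure-details": [
            {"result-type": "certificate-expired",
             "receiving-mx-hostname": "mx1.example.net",
             "failed-session-count": 5},
            {"result-type": "starttls-not-supported",
             "receiving-mx-hostname": "mx2.example.net",
             "failed-session-count": 2},
        ],
    }],
})

# RFC 8460 result types that point at the receiving host's certificate.
CERT_RESULTS = {"certificate-expired", "certificate-not-trusted",
                "certificate-host-mismatch"}
MAX_BYTES = 5242880  # assumed inbound size guard for this example

def summarize(raw, max_bytes=MAX_BYTES):
    """Per policy domain: session totals, failures by (MX, result type), cert failures."""
    if len(raw.encode("utf-8")) > max_bytes:
        raise ValueError("report larger than the accepted size")
    report = json.loads(raw)
    result = {"org": report.get("organization-name"), "domains": {}}
    for entry in report.get("policies", []):
        summary = entry.get("summary", {})
        failures = {}
        for d in entry.get("failure-details", []):
            key = (d.get("receiving-mx-hostname", "unknown"), d["result-type"])
            failures[key] = failures.get(key, 0) + d.get("failed-session-count", 0)
        result["domains"][entry["policy"]["policy-domain"]] = {
            "ok": summary.get("total-successful-session-count", 0),
            "failed": summary.get("total-failure-session-count", 0),
            "failures": failures,
            "cert_failed": sum(n for (_, rt), n in failures.items() if rt in CERT_RESULTS),
        }
    return result
```

Grouping failures by receiving MX and result type separates certificate problems on one host from hosts that do not offer STARTTLS at all.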