Last active
May 31, 2024 06:56
MTA-STS Cloudflare worker
```javascript
// This worker is designed to be able to neatly handle MTA-STS policies for multiple domains.
// Make a new worker with this script and add your domains to the stsPolicies dict like the example.
// Add a DNS AAAA record for mta-sts.yourdomain.com pointing to 100:: and set to proxied,
// then add a workers route for mta-sts.yourdomain.com/* pointing to this worker.
// You should probably also create a Cloudflare configuration rule disabling Browser Integrity Check for the mta-sts subdomain
// to ensure MTAs aren't blocked from retrieving your policy.
// You'll still need to manually add the appropriate _mta-sts.yourdomain.com TXT record to enable the policy,
// and the _smtp._tls.yourdomain.com TXT record for reporting.

// Policy bodies are template literals: keep their lines at column 0 so no indentation ends up in the served file.
const stsPolicies = {
  "yourdomain.com":
`version: STSv1
mode: enforce
mx: mail.yourdomain.com
max_age: 86400`
}

const respHeaders = {
  "Content-Type": "text/plain;charset=UTF-8",
  "X-Clacks-Overhead": "GNU Terry Pratchett, Jon Postel, Alan Turing, Dan Kaminsky"
}

addEventListener("fetch", event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  const reqUrl = new URL(request.url)

  // The worker must only be routed on mta-sts.<domain> hostnames.
  if (!reqUrl.hostname.startsWith("mta-sts.")) {
    return new Response(`Incorrect worker route. mta-sts policies must be served on the mta-sts subdomain\n`, {status: 500, headers: respHeaders})
  }

  // Strip the leading "mta-sts." (8 characters) to get the domain the policy belongs to.
  const policyHost = reqUrl.hostname.slice(8)

  if (!stsPolicies.hasOwnProperty(policyHost)) {
    return new Response(`${policyHost} is not defined in the mta-sts worker\n`, {status: 500, headers: respHeaders})
  }

  // Anything other than the HTTPS well-known policy URL is redirected to it.
  if (reqUrl.protocol !== "https:" || reqUrl.pathname !== "/.well-known/mta-sts.txt") {
    reqUrl.protocol = "https:"
    reqUrl.pathname = "/.well-known/mta-sts.txt"
    return Response.redirect(reqUrl, 301)
  }

  return new Response(stsPolicies[policyHost] + "\n", {status: 200, headers: respHeaders})
}
```
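The worker serves whatever text is in `stsPolicies` verbatim, so a typo or an indented template literal goes straight to sending MTAs. The following linter is an added example, not part of the gist: it checks each policy body against the RFC 8461 field rules before deployment, and `validateStsPolicy`, `lintPolicies` and `samplePolicies` are hypothetical names with constructed sample input.

```javascript
// Added example (not part of the gist): lint MTA-STS policy bodies before deploying.
const MAX_AGE_LIMIT = 31557600 // RFC 8461 upper bound for max_age, in seconds
const MODES = ["enforce", "testing", "none"]
// Hostname, optionally with "*." as the leftmost label only.
const MX_PATTERN = /^(\*\.)?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$/i

function validateStsPolicy(text) {
  const errors = []
  const single = Object.create(null) // first value wins for every key except mx
  const mx = []
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === "") continue
    // Indenting the template literal in the worker puts this whitespace into the served file.
    if (/^\s/.test(line)) errors.push(`leading whitespace: "${line}"`)
    const sep = line.indexOf(":")
    if (sep < 1) { errors.push(`not a "key: value" line: "${line}"`); continue }
    const key = line.slice(0, sep).trim()
    const value = line.slice(sep + 1).trim()
    if (key === "mx") mx.push(value)
    else if (!(key in single)) single[key] = value
  }
  if (single.version !== "STSv1") errors.push("version must be STSv1")
  if (!MODES.includes(single.mode)) errors.push("mode must be enforce, testing or none")
  if (!/^\d{1,10}$/.test(single.max_age || "") || Number(single.max_age) > MAX_AGE_LIMIT) {
    errors.push(`max_age must be an integer from 0 to ${MAX_AGE_LIMIT}`)
  }
  if (single.mode !== "none" && mx.length === 0) errors.push("mx is required unless mode is none")
  for (const host of mx) {
    if (!MX_PATTERN.test(host)) errors.push(`invalid mx pattern: "${host}"`)
  }
  return errors
}

// Returns { domain: [errors] } for a dict shaped like the worker's stsPolicies.
function lintPolicies(policies) {
  const report = {}
  for (const [domain, text] of Object.entries(policies)) report[domain] = validateStsPolicy(text)
  return report
}

// Constructed sample input: the gist's example policy plus two deliberately broken ones.
const samplePolicies = {
  "yourdomain.com": "version: STSv1\nmode: enforce\nmx: mail.yourdomain.com\nmax_age: 86400",
  "indented.example": "version: STSv1\n  mode: enforce\n  mx: mail.indented.example\n  max_age: 86400",
  "broken.example": "version: STSv1\nmode: enforced\nmx: mail.*.broken.example\nmax_age: 99999999",
}
console.log(lintPolicies(samplePolicies))
```

The leading-whitespace check is stricter than some receivers will be, but lines that start with spaces do not match the policy grammar in RFC 8461, so it is safer to keep them out of the served file.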
@Tugzrida @W4JEW It's not my CF account; I host my policy on AWS using CloudFront and S3. Anyway, back to the subject: I asked my friend for more details. It wasn't a managed challenge, it was a block; as suspected by @Tugzrida, it was due to BIC. Service: Browser integrity check. Action taken: Block. The user agent was libwww-perl/6.68. Disabling Browser Integrity Check would fix it, or just do what you did: WAF Custom Rule and skip all of the security features.
Okie dokie - I will step away from the conversation... It's your post, anyway. Thanks so much for sharing the information in the first place! It was IMMENSELY helpful!