Prometheus exporter for TLSRPT reports
Go to file
s3lph cfe3b52e52
/ test (push) Successful in 1m1s Details
/ codestyle (push) Successful in 59s Details
/ build_wheel (push) Successful in 1m22s Details
/ build_debian (push) Successful in 2m37s Details
feat(ci): twine --verbose turned into default
2023-12-19 04:04:31 +01:00
.forgejo/workflows feat(ci): twine --verbose turned into default 2023-12-19 04:04:31 +01:00
package/debian/prometheus-tlsrpt-exporter fix: typo in debian package commandline 2023-12-18 00:30:53 +01:00
templates Initial commit 2023-07-23 20:19:37 +02:00
tlsrpt_exporter feat: release v0.1.2 2023-12-18 01:16:22 +01:00
.gitignore fix: ci 2023-07-24 01:04:54 +02:00
CHANGELOG.md feat: release v0.1.2 2023-12-18 01:16:22 +01:00
LICENSE Initial commit 2023-07-23 20:19:37 +02:00
README.md feat: release v0.1.2 2023-12-18 01:16:22 +01:00
requirements.txt Initial commit 2023-07-23 20:19:37 +02:00
setup.cfg Initial commit 2023-07-23 20:19:37 +02:00
setup.py feat: use forgejo package repo instead of minio 2023-07-25 03:29:51 +02:00

README.md

prometheus-tlsrpt-exporter

Prometheus exporter for MTA-STS TLS report metrics.

Description

When using MTA-STS to enforce TLS transport encryption for e-mail traffic, regular automated reports can be requested from supporting servers. These JSON-formatted TLSRPT reports contain information regarding the success rate of TLS connections.

This piece of software exposes an HTTP endpoint where such reports can be submitted, and a Prometheus metrics endpoint where aggregated statistics are exposed.

Endpoints

By default, this exporter binds to localhost:9123. It is intended to be used behind a TLS-terminating reverse proxy. There are the following endpoints:

  • /reports: This is where the TLSRPT reports are submitted to. This endpoint must be world-accessable, and the POST-method must be permitted.
  • /metrics: This is the Prometheus metrics endpoint. Access should be restricted to your prometheus server.
  • /ui: At this endpoint a (very simple) user interface is presented where the recently received reports can be viewed. Access should be restricted to your mail administrators.

Metrics

The following metrics are exposed, each labelled with the domain for which a report was received:

# TYPE tlsrpt_successful counter
# HELP tlsrpt_successful Number of successful sessions
# TYPE tlsrpt_failed counter
# HELP tlsrpt_failed Number of failed sessions
# TYPE tlsrpt_count counter
# HELP tlsrpt_count Number of reports

Setup

  1. Install the prometheus-tlsrpt-exporter.
  1. Set up a TLS-terminating reverse proxy that forwards e.g. https://mail.example.org/report to the /report endpoint.
  2. Publish a DNS record _smtp._tls.example.org. TXT "v=TLSRPTv1; rua=https://mail.example.org/report", where example.org is your mail domain.
  • The same TLSRPT endpoint can be used for multiple mail domains.