Prometheus exporter for TLSRPT reports
Find a file
s3lph 2b66cee5c4
Some checks failed
/ test (push) Successful in 1m17s
/ codestyle (push) Successful in 1m16s
/ build_wheel (push) Failing after 1m42s
/ build_debian (push) Successful in 2m49s
feat(ci): add twine --verbose flag for troubleshooting
2023-12-19 03:59:51 +01:00
.forgejo/workflows feat(ci): add twine --verbose flag for troubleshooting 2023-12-19 03:59:51 +01:00
package/debian/prometheus-tlsrpt-exporter fix: typo in debian package commandline 2023-12-18 00:30:53 +01:00
templates Initial commit 2023-07-23 20:19:37 +02:00
tlsrpt_exporter feat: release v0.1.2 2023-12-18 01:16:22 +01:00
.gitignore fix: ci 2023-07-24 01:04:54 +02:00
CHANGELOG.md feat: release v0.1.2 2023-12-18 01:16:22 +01:00
LICENSE Initial commit 2023-07-23 20:19:37 +02:00
README.md feat: release v0.1.2 2023-12-18 01:16:22 +01:00
requirements.txt Initial commit 2023-07-23 20:19:37 +02:00
setup.cfg Initial commit 2023-07-23 20:19:37 +02:00
setup.py feat: use forgejo package repo instead of minio 2023-07-25 03:29:51 +02:00

prometheus-tlsrpt-exporter

Prometheus exporter for MTA-STS TLS report metrics.

Description

When using MTA-STS to enforce TLS transport encryption for e-mail traffic, regular automated reports can be requested from supporting servers. These JSON-formatted TLSRPT reports contain information regarding the success rate of TLS connections.

This piece of software exposes an HTTP endpoint where such reports can be submitted, and a Prometheus metrics endpoint where aggregated statistics are exposed.

Endpoints

By default, this exporter binds to localhost:9123. It is intended to be used behind a TLS-terminating reverse proxy. There are the following endpoints:

  • /reports: This is where the TLSRPT reports are submitted to. This endpoint must be world-accessable, and the POST-method must be permitted.
  • /metrics: This is the Prometheus metrics endpoint. Access should be restricted to your prometheus server.
  • /ui: At this endpoint a (very simple) user interface is presented where the recently received reports can be viewed. Access should be restricted to your mail administrators.

Metrics

The following metrics are exposed, each labelled with the domain for which a report was received:

# TYPE tlsrpt_successful counter
# HELP tlsrpt_successful Number of successful sessions
# TYPE tlsrpt_failed counter
# HELP tlsrpt_failed Number of failed sessions
# TYPE tlsrpt_count counter
# HELP tlsrpt_count Number of reports

Setup

  1. Install the prometheus-tlsrpt-exporter.
  1. Set up a TLS-terminating reverse proxy that forwards e.g. https://mail.example.org/report to the /report endpoint.
  2. Publish a DNS record _smtp._tls.example.org. TXT "v=TLSRPTv1; rua=https://mail.example.org/report", where example.org is your mail domain.
  • The same TLSRPT endpoint can be used for multiple mail domains.