Prometheus exporter for TLSRPT reports

prometheus-tlsrpt-exporter

Prometheus exporter for MTA-STS TLS report metrics.

Description

When using MTA-STS to enforce TLS transport encryption for e-mail traffic, regular automated reports can be requested from supporting servers. These JSON-formatted TLSRPT reports contain information regarding the success rate of TLS connections.

This piece of software exposes an HTTP endpoint where such reports can be submitted, and a Prometheus metrics endpoint where aggregated statistics are exposed.

Endpoints

By default, this exporter binds to localhost:9123. It is intended to be used behind a TLS-terminating reverse proxy. It serves the following endpoints:

  • /reports: This is where the TLSRPT reports are submitted to. This endpoint must be world-accessible, and the POST method must be permitted.
  • /metrics: This is the Prometheus metrics endpoint. Access should be restricted to your Prometheus server.
  • /ui: At this endpoint a (very simple) user interface is presented where the recently received reports can be viewed. Access should be restricted to your mail administrators.

Metrics

The following metrics are exposed, each labelled with the domain for which a report was received:

# TYPE tlsrpt_successful counter
# HELP tlsrpt_successful Number of successful sessions
# TYPE tlsrpt_failed counter
# HELP tlsrpt_failed Number of failed sessions
# TYPE tlsrpt_count counter
# HELP tlsrpt_count Number of reports
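
Because the report endpoint has to accept POSTs from anyone, each body is untrusted input that ends up as counter values and label values. The sketch below is an added example, not this project's code: it turns an RFC 8460 report into the three per-domain counters above, with a decompressed-size cap and a domain allowlist. MAX_BODY, OWN_DOMAINS, the function names and the sample report are assumptions made for the illustration.

```python
import json
import zlib
from collections import Counter

MAX_BODY = 1 << 20             # assumed cap on the decompressed report size
OWN_DOMAINS = {"example.org"}  # assumed allowlist; bounds metric label cardinality
# Constructed sample report using RFC 8460 field names.
SAMPLE = json.dumps({"report-id": "constructed-0001", "policies": [{
    "policy": {"policy-type": "sts", "policy-domain": "example.org"},
    "summary": {"total-successful-session-count": 5326,
                "total-failure-session-count": 303}}]}).encode()


def load_report(body: bytes, gzipped: bool = False) -> dict:
    """Decode an untrusted report body, bounding the decompressed size."""
    if gzipped:  # wbits=31 selects the gzip container
        body = zlib.decompressobj(wbits=31).decompress(body, MAX_BODY + 1)
    if len(body) > MAX_BODY:
        raise ValueError("report too large")
    report = json.loads(body)
    if not isinstance(report, dict) or not isinstance(report.get("policies"), list):
        raise ValueError("not a TLSRPT report")
    return report


def _count(summary: dict, key: str) -> int:
    value = summary.get(key, 0)
    if type(value) is not int or value < 0:  # type() check also rejects True/False
        raise ValueError(f"bad {key}")
    return value


def aggregate(report: dict, successful: Counter, failed: Counter, count: Counter) -> None:
    """Validate every policy entry before touching any counter."""
    rows = []
    for entry in report["policies"]:
        try:
            domain = entry["policy"]["policy-domain"].lower()
            summary = entry["summary"]
            rows.append((domain, _count(summary, "total-successful-session-count"),
                         _count(summary, "total-failure-session-count")))
        except (AttributeError, KeyError, TypeError) as exc:
            raise ValueError("malformed policy entry") from exc
        if domain not in OWN_DOMAINS:
            raise ValueError("report for a domain not served here")
    for domain, ok, bad in rows:
        successful[domain] += ok
        failed[domain] += bad
    count.update({domain for domain, _, _ in rows})  # one report per domain
```

A report that fails any check is rejected as a whole, so a partially valid submission cannot move the counters.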

Setup

  1. Install the prometheus-tlsrpt-exporter.
  2. Set up a TLS-terminating reverse proxy that forwards e.g. https://mail.example.org/report to the /report endpoint.
  3. Publish a DNS record _smtp._tls.example.org. TXT "v=TLSRPTv1; rua=https://mail.example.org/report", where example.org is your mail domain.
  • The same TLSRPT endpoint can be used for multiple mail domains.