MTA-STS (Mail Transfer Agent Strict Transport Security) and TLS-RPT (TLS Reporting)

Email Networking Security

Emails crossing the internet use secure connections encrypted using Transport Layer Security (TLS). However, there remain vulnerabilities in this method of protecting the confidentiality of emails, whereby a person-in-the-middle can trick incoming connections to send to another server and/or send information in the clear. MTA-STS is a standard designed to address these vulnerabilities and is set out in the internet standard IETF RFC 8461.

In layman’s terms the MTA-STS record is a record that you publish on your email domain that instructs all mail servers that are sending to your mail systems that they must do using TLS (1.2+) and that you won’t accept any email from mail systems sending without TLS AND where the TLS certificates are invalid or not present. The additional implication of this is you must have all your servers only accepting email from TLS (valid) sources AND that all those who send you email to your domain to do so with TLS enabled, if they try to send without TLS (i.e. plaintext) you won’t get their email.

The MTA-STS has three key parts:

  1. MTA-STS Policy Text File – The MTA-STS Policy file is hosted on a webserver, this contains the directives telling sending email servers what your receiving (inbound) Mail Servers are (i.e. what is on your MX records), what mode you are using i.e. if you are just “testing” allow plain or TLS or your are “enforce” i.e. enforcing the use of TLS only amongst some other settings. The URL (and subdomain) must be in the format: https://mta-sts.example.gov.uk/.well-known/mta-sts.txt so for example: https://mta-sts.mydomain.com/.well-known/mta-sts.txt for the mydomain.com domain.
  2. MTA-STS Discovery DNS Record – The MTA-STS has a discovery DNS record this informs send mail servers that they should look for the above txt policy file before attempting to send.
  3. MTA-STS Reporting DNS Record – The MTA-STS also has a reporting DNS record, this is required if you want to be able to monitor reports from sending email servers of if they are able to meet your TLS enforcement policy. Essentially like DMARC reporting this reports on TLS compliance so you can tell if there are email sources who send to you who are not compliant and therefore would not be able to send you email if you were to move to “enforce” policy settings.

A full guide can be found in the Additional Information section below.

Example MTS-STS Record Configuration

An example MTS-STS configuration is given for the mydomain.com domain, this assumes “enforce” policy, typically however you’d implement in “testing” posture and then change to “enforce” when you were confident that those who send you email are in compliance.

MTA-STS Policy Text File

The MTA-STS Policy Text File is hosted at: https://mta-sts.mydomain.com/.well-known/mta-sts.txt provided by a highly available web hosting service, although the record can be cached for a period of time by sending email servers it should be as highly available as possible to avoid impact due to sending servers attempting to send and not being able to reach the policy text file after the discovery DNS record instructs them to.

version: STSv1
mode: enforce
mx: mx1.mydomain.com
mx: mx2.mydomain.com
max_age: 1209600

MTA-STS Discovery DNS Record

Created as a TXT record within the particular domain, in this example mydomain.com, the example record would look like:

_mta-sts.mydomain.com   TXT     "v=STSv1; id=00000001"

The “id” should be incremented (changed) everytime the policy is changed to signal that a policy update has been made.

MTA-STS Reporting DNS Record

Create again as a TXT record within the particular domain, this example being mydomain.com, you must also have a suitable MTA-STS service that can receive these reports from sending email servers and process them for system administrators to review and use to make decisions around the changes to policy posture. In the example below the reports are being sent to NCSC Mail Check but any other suitable service could be specified with the suitable email address to collect the reports.

_smtp._tls.mydomain.com TXT     "v=TLSRPTv1;rua=mailto:tls-rua@mailcheck.service.ncsc.gov.uk"

Additional Information

Image Attribution

Leave a Reply

Your email address will not be published. Required fields are marked *