MTA-STS
SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections, and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.
MTA-STS does not require the use of DNSSEC to authenticate DANE TLSA records but relies on the certificate authority (CA) system and a trust-on-first-use (TOFU) approach to avoid interceptions.
The TOFU model allows a degree of security similar to that of HPKP, reducing the complexity but without the guarantees on first use offered by DNSSEC.
In addition, MTA-STS introduces a mechanism for failure reporting and a report-only mode, enabling progressive roll-out and auditing for compliance.
MTA-STS is described in RFC 8461.
DNS Records
TLSRPT DNS TXT
A number of protocols exist for establishing encrypted channels between SMTP Mail Transfer Agents, including STARTTLS, DANE TLSA and MTA-STS.
These protocols can fail due to misconfiguration or active attack, leading to undelivered messages or delivery over unencrypted or unauthenticated channels.
This DNS TXT entry tells any sending system where it can send reports with statistics and specific information about potential failures with the recipient domain.
The recipient domain can then use this information to both detect potential attacks and diagnose unintentional misconfigurations.
_smtp._tls.example.net IN TXT "v=TLSRPTv1; rua=mailto:postmaster@example.net"
Also add CNAME records for all other domains which use your mail servers as MX.
_smtp._tls.example.org IN CNAME _smtp._tls.example.net.
_smtp._tls.example.com IN CNAME _smtp._tls.example.net.
With PowerDNS we can use pdnsutil as root to do this:
# TXT content is passed with its own double quotes; the rua address carries no trailing dot
pdnsutil add-record example.net _smtp._tls TXT "\"v=TLSRPTv1; rua=mailto:postmaster@example.net\""
pdnsutil add-record example.org _smtp._tls CNAME _smtp._tls.example.net
pdnsutil add-record example.com _smtp._tls CNAME _smtp._tls.example.net
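As an added example (not part of this page or of any tool it describes), the following Python script summarises a TLSRPT aggregate report of the kind a sender delivers to the rua address above. The report is a constructed RFC 8460 JSON document, not a real reporter's data, and the split of result types into CONFIG_RESULTS and PATH_RESULTS is my own grouping to separate what the recipient domain can fix on its own side from what merits correlation across several reporters.

```python
"""Summarise a TLSRPT aggregate report (RFC 8460 JSON) from the receiving domain's side."""
import json

# Result types the receiving domain can normally fix on its own side ...
CONFIG_RESULTS = {"certificate-expired", "sts-policy-invalid",
                  "sts-policy-fetch-error", "sts-webpki-invalid", "tlsa-invalid"}
# ... and result types that can also be produced by something on the path
# between sender and MX, so they deserve correlation across reporters.
PATH_RESULTS = {"starttls-not-supported", "certificate-not-trusted",
                "certificate-host-mismatch", "validation-failure"}

# Constructed sample report (not a real reporter's data); the policy-string
# mirrors the policy served by the nginx virtual host in this article.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2024-01-01T00:00:00Z",
                   "end-datetime": "2024-01-01T23:59:59Z"},
    "contact-info": "tlsrpt@sender.example",
    "report-id": "constructed-report-0001",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.net",
                   "policy-string": ["version: STSv1", "mode: enforce",
                                     "mx: mail.example.net", "mx: *.example.net",
                                     "mx: backupmx.example.net",
                                     "max_age: 10368000"]},
        "summary": {"total-successful-session-count": 1200,
                    "total-failure-session-count": 3},
        "failure-details": [
            {"result-type": "certificate-expired",
             "sending-mta-ip": "203.0.113.7",
             "receiving-mx-hostname": "backupmx.example.net",
             "failed-session-count": 2},
            {"result-type": "starttls-not-supported",
             "sending-mta-ip": "203.0.113.7",
             "receiving-mx-hostname": "mail.example.net",
             "failed-session-count": 1},
        ],
    }],
})


def summarize_tlsrpt(report_json):
    """Aggregate sessions and failures per policy domain and per receiving MX."""
    report = json.loads(report_json)
    summary = {"report_id": report["report-id"],
               "reporter": report["organization-name"],
               "domains": {}}
    for entry in report["policies"]:
        pol, totals = entry["policy"], entry["summary"]
        dom = summary["domains"].setdefault(pol["policy-domain"], {
            "policy_type": pol["policy-type"], "ok": 0, "failed": 0,
            "config_failures": 0, "path_failures": 0, "by_mx": {}})
        dom["ok"] += totals["total-successful-session-count"]
        dom["failed"] += totals["total-failure-session-count"]
        for fail in entry.get("failure-details", []):
            count = fail.get("failed-session-count", 1)
            kind = fail["result-type"]
            mx = fail.get("receiving-mx-hostname", "(unknown)")
            per_mx = dom["by_mx"].setdefault(mx, {})
            per_mx[kind] = per_mx.get(kind, 0) + count
            if kind in CONFIG_RESULTS:
                dom["config_failures"] += count
            elif kind in PATH_RESULTS:
                dom["path_failures"] += count
    return summary


def failure_rate(domain_summary):
    """Fraction of reported sessions that failed, 0.0 when nothing was reported."""
    total = domain_summary["ok"] + domain_summary["failed"]
    return domain_summary["failed"] / total if total else 0.0


if __name__ == "__main__":
    result = summarize_tlsrpt(SAMPLE_REPORT)
    for name, dom in result["domains"].items():
        print("%s: %d ok, %d failed (%.2f%%), config=%d path=%d"
              % (name, dom["ok"], dom["failed"], 100 * failure_rate(dom),
                 dom["config_failures"], dom["path_failures"]))
        for mx, kinds in dom["by_mx"].items():
            print("  %s: %s" % (mx, kinds))
```

The per-MX breakdown is what makes the report useful: two expired-certificate failures on backupmx.example.net point at a host to renew, while starttls-not-supported on a host that does offer STARTTLS is worth comparing against other senders' reports for the same day.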
MTA-STS DNS TXT
The MTA-STS DNS TXT record declares, to any mail server that asks, that a policy is available.
_mta-sts.example.net IN TXT "v=STSv1; id=20160831085700Z"
The “id” field serves as a reference for policy updates.
Also add CNAME records for all other domains which use your mail servers as MX.
_mta-sts.example.org IN CNAME _mta-sts.example.net.
_mta-sts.example.com IN CNAME _mta-sts.example.net.
With PowerDNS we can use pdnsutil as root to do this:
# the id is a timestamp, so every policy change gets a new value
pdnsutil add-record example.net _mta-sts TXT "\"v=STSv1; id=$(date --utc +%Y%m%d%H%M%SZ)\""
# the CNAMEs belong under _mta-sts, not _smtp._tls
pdnsutil add-record example.org _mta-sts CNAME _mta-sts.example.net
pdnsutil add-record example.com _mta-sts CNAME _mta-sts.example.net
MTA-STS Subdomain
The MTA-STS subdomain will serve the policy via HTTPS. Like any web service, it needs a DNS entry.
mta-sts.example.net IN A 192.0.2.40
mta-sts.example.net IN AAAA 2001:db8::40
Also add CNAME records for all other domains which use your mail servers as MX.
mta-sts.example.org IN CNAME mta-sts.example.net.
mta-sts.example.com IN CNAME mta-sts.example.net.
With PowerDNS we can use pdnsutil as root to do this:
pdnsutil add-record example.net mta-sts A 192.0.2.40
pdnsutil add-record example.net mta-sts AAAA 2001:db8::40
pdnsutil add-record example.org mta-sts CNAME mta-sts.example.net
pdnsutil add-record example.com mta-sts CNAME mta-sts.example.net
Web Server
TLS Certificates
We use dehydrated to request additional certificates for the HTTPS policy server.
Add the following lines to /etc/dehydrated/domains.txt (the first name becomes the certificate's common name, the rest are subjectAltNames):
...
# SMTP MTA Strict Transport Security (MTA-STS)
mta-sts.example.net mta-sts.example.org mta-sts.example.com
...
Nginx Virtual Host
Set up the virtual host in Nginx to deliver the policy over HTTPS.
Create a new virtual host /etc/nginx/sites-available/mta-sts.conf for Nginx:
#
# mta-sts.example.net
#
# SMTP MTA Strict Transport Security (MTA-STS)
# See https://datatracker.ietf.org/doc/draft-ietf-uta-mta-sts/
#

#
# Secured HTTP Site
#
server {

    # Please make sure the certificate contains all needed subjectAltNames
    server_name mta-sts.example.net
                mta-sts.example.org
                mta-sts.example.com
                mta-sts.*;

    # IPv6 public global address
    listen [2001:db8::40]:443 ssl http2 deferred;

    # IPv4 private local address
    listen 192.0.2.40:443 ssl http2 deferred;

    # IPv4 private address (Port-forwarded from NAT firewall/router)
    listen 192.0.2.10:443 ssl http2;


    # TLS certificate (chained) and ECDSA private key
    ssl_certificate     /etc/dehydrated/ec_certs/mta-sts.example.net/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/ec_certs/mta-sts.example.net/privkey.pem;

    # TLS certificate of signing CA (to validate OCSP response when stapling)
    ssl_trusted_certificate /etc/dehydrated/ec_certs/mta-sts.example.net/chain.pem;

    # ECDSA cert OCSP stapling response file (pre-generated)
    ssl_stapling_file /etc/dehydrated/ec_certs/mta-sts.example.net/ocsp.der;


    # Enable stapling of online certificate status protocol (OCSP) response
    include /etc/nginx/ocsp-stapling.conf;

    # TLS session cache (type:name:size)
    ssl_session_cache shared:mta-sts.example.net:10m;

    # TLS session ticket keys (rotated every 8 hours, for 24h max.)
    ssl_session_ticket_key tls_session_keys/mta-sts.example.net.1.key;
    ssl_session_ticket_key tls_session_keys/mta-sts.example.net.2.key;
    ssl_session_ticket_key tls_session_keys/mta-sts.example.net.3.key;

    # Strict Transport Security (HSTS)
    include hsts.conf;

    # Expect Certificate Transparency with valid Signed Certificate Timestamps (SCTs)
    include expect-ct.conf;

    # Content Security Policy (CSP)
    #include csp/mta-sts.example.net.csp.conf;

    # Common Server Settings
    include server-conf.d/*.conf;

    # Public Documents Root
    root /var/www/example.net/mta-sts;


    location ^~ /.well-known/mta-sts.txt {
        try_files $uri @mta-sts;
    }

    location @mta-sts {
        # RFC 8461 requires the policy to be served as text/plain; set the
        # response type here rather than adding a second Content-Type header
        default_type text/plain;
        return 200 "version: STSv1
mode: enforce
max_age: 10368000
mx: mail.example.net
mx: *.example.net
mx: backupmx.example.net\n";
    }
}


#
# Unsecured HTTP Site
#
server {

    server_name mta-sts.example.net
                mta-sts.example.org
                mta-sts.example.com
                mta-sts.*;

    # IPv6 public global address
    listen [2001:db8::40]:80 deferred;

    # IPv4 private local address
    listen 192.0.2.40:80 deferred;

    # IPv4 private address (Port-forwarded from NAT firewall/router)
    listen 192.0.2.10:80;

    # Redirect to secure server
    return 301 https://$host$request_uri;
}
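The following Python script is an added example, not code from this page or from any MTA; it shows what a sending MTA does with the `_mta-sts` TXT record and the policy served by the virtual host above: parse both, apply the RFC 8461 `*.` matching rule (exactly one label) to the MX host name, and decide delivery by mode. The TXT data and policy body are constructed inline from the values shown in this article so the script runs offline; the DNS and HTTPS fetch and the max_age cache are not shown.

```python
"""Check an MX host against a published MTA-STS policy (RFC 8461) as a sending MTA would."""

# Constructed inputs: the TXT record and policy body from this article. The real
# fetch (DNS TXT lookup, then HTTPS GET of /.well-known/mta-sts.txt with a
# validated certificate) is not shown so the script runs offline.
STS_TXT = "v=STSv1; id=20160831085700Z"
POLICY_BODY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "max_age: 10368000\n"
    "mx: mail.example.net\n"
    "mx: *.example.net\n"
    "mx: backupmx.example.net\n"
)


def parse_sts_txt(txt):
    """Parse `_mta-sts.<domain>` TXT data; None means 'no usable MTA-STS record'."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None
        fields[key.strip()] = value.strip()
    # RFC 8461 s.3.1: "v=STSv1" must come first and an id is mandatory
    if not txt.lstrip().startswith("v=") or fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields


def parse_policy(body):
    """Parse the policy file; raise ValueError on anything a sender must treat as invalid."""
    policy = {"mx": []}
    for line in body.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
        # unknown keys are ignored so the format can be extended later
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing mode")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("invalid or missing max_age")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy lists no mx")
    return policy


def mx_matches(pattern, host):
    """RFC 8461 s.4.1: a leading '*.' matches exactly one label; anything else is an exact match."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # "*.example.net" -> ".example.net"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return pattern == host


def decide(policy, mx_host, tls_validated):
    """Delivery decision for one MX connection; 'refuse' means try another MX or defer."""
    if policy["mode"] == "none":
        return "deliver"
    if tls_validated and any(mx_matches(p, mx_host) for p in policy["mx"]):
        return "deliver"
    # tls_validated means STARTTLS succeeded and the certificate chained to a
    # trusted CA and matched mx_host; under enforce, a failed check means the
    # sender must not deliver over this connection
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"


def check(txt, body, mx_host, tls_validated):
    """End-to-end: no STSv1 record means no policy, so plain opportunistic delivery."""
    if parse_sts_txt(txt) is None:
        return "deliver"
    return decide(parse_policy(body), mx_host, tls_validated)


if __name__ == "__main__":
    pol = parse_policy(POLICY_BODY)
    print("policy id %s, mode %s, max_age %ds, mx %s"
          % (parse_sts_txt(STS_TXT)["id"], pol["mode"], pol["max_age"], pol["mx"]))
    for host, tls in [("mail.example.net", True), ("mx2.example.net", True),
                      ("deep.mx.example.net", True), ("mail.example.net", False),
                      ("mx.other.example", True)]:
        print("%-22s tls=%-5s -> %s" % (host, tls, decide(pol, host, tls)))
```

Note that `mx: *.example.net` covers mx2.example.net but not deep.mx.example.net: the wildcard stands for a single label, which is why a policy for multi-level MX names has to list them explicitly.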
Postfix Server Integration
The postfix-mta-sts-resolver translates any published MTA-STS policy into a Postfix TLS client policy.
Policies are cached in Redis and will be available on all our mail servers through replication.
Installation
The Postfix MTA-STS Resolver is available in the Ubuntu software package repository:
$ sudo apt install postfix-mta-sts-resolver
After installation you will find the two programs /usr/bin/mta-sts-query and /usr/bin/mta-sts-daemon, a systemd service unit /lib/systemd/system/postfix-mta-sts-resolver.service, a configuration file /etc/mta-sts-daemon.yml and a new system user and group called “_mta-sts”.
Configuration
Configuration is stored in the file /etc/mta-sts-daemon.yml:
host: 127.0.0.1
port: 8461
reuse_port: true
shutdown_timeout: 20
cache:
  type: redis
  options:
    address: "redis://127.0.0.1:6384/0?timeout=5"
    db: 0
    password: "ZlsQPlZAwMRpBgzEvwH2J7jsWkcpC7Xr"
    minsize: 5
    maxsize: 25
default_zone:
  strict_testing: false
  timeout: 4
zones:
  myzone:
    strict_testing: false
    timeout: 4
Service Dependencies
Since we cache the TLS policies for Postfix in a Redis server, we want the Redis cache to be up and running before the MTA-STS service starts. To achieve this, make postfix-mta-sts-resolver.service depend on redis-server@postfix-tls.service.
You can create a Systemd override file easily with the help of the systemctl command:
$ sudo systemctl edit postfix-mta-sts-resolver.service
This will start your editor with an empty file, where you can add your own custom Systemd service configuration options.
[Unit]
After=redis-server@postfix-tls.service
BindsTo=redis-server@postfix-tls.service
After you save and exit the editor, the file is written to /etc/systemd/system/postfix-mta-sts-resolver.service.d/override.conf and Systemd reloads its configuration.
Postfix Configuration
In /etc/postfix/main.cf:
# Ask the MTA-STS daemon for a TLS policy per next-hop domain. The daemon
# listens on 127.0.0.1:8461 as configured in mta-sts-daemon.yml above, and a
# socketmap table always ends with the map name ("postfix").
smtp_tls_policy_maps =
    socketmap:inet:127.0.0.1:8461:postfix
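To show how Postfix and the daemon actually talk over that socketmap, here is an added Python example (not the postfix-mta-sts-resolver code): Postfix sends the netstring `postfix <domain>` and expects a netstring reply such as `OK secure match=...`, `NOTFOUND ` or `PERM ...`. The POLICIES table standing in for the Redis cache is constructed, and the mapping in policy_to_postfix (enforce, or testing with STRICT_TESTING, becomes a `secure` entry with `*.example.net` rewritten to Postfix's `.example.net` subdomain form; everything else is NOTFOUND so Postfix defaults apply) is my own reading of the resolver's described behaviour, not its code.

```python
"""Postfix socketmap exchange between smtp(8) and an MTA-STS policy daemon (toy implementation)."""

# Constructed policy table standing in for the Redis cache: domain -> (mode, mx list).
POLICIES = {
    "example.net": ("enforce", ["mail.example.net", "*.example.net", "backupmx.example.net"]),
    "testing.example": ("testing", ["mx.testing.example"]),
    "nopolicy.example": ("none", []),
}
STRICT_TESTING = False   # like strict_testing in mta-sts-daemon.yml: enforce "testing" policies too
MAX_NETSTRING = 100000   # Postfix rejects socketmap replies longer than this


def encode_netstring(payload):
    """Netstring framing used by socketmap: <length>:<payload>,"""
    return b"%d:%s," % (len(payload), payload)


def decode_netstring(buf):
    """Return (payload, remainder) for the first complete netstring in buf, (None, buf) if incomplete."""
    colon = buf.find(b":")
    if colon < 0:
        return None, buf
    length_field = buf[:colon]
    if not length_field.isdigit() or int(length_field) > MAX_NETSTRING:
        raise ValueError("bad netstring length")
    end = colon + 1 + int(length_field)
    if len(buf) < end + 1:
        return None, buf
    if buf[end:end + 1] != b",":
        raise ValueError("missing netstring terminator")
    return buf[colon + 1:end], buf[end + 1:]


def policy_to_postfix(mode, mx_patterns):
    """Map an MTA-STS policy to a Postfix TLS policy entry, or None when Postfix defaults should apply."""
    if mode == "enforce" or (mode == "testing" and STRICT_TESTING):
        names = []
        for pat in mx_patterns:
            # MTA-STS "*.example.net" (one label) becomes Postfix's ".example.net" subdomain match
            names.append(pat[1:] if pat.startswith("*.") else pat)
        return "secure match=" + ":".join(names)
    return None   # mode none, or testing without strict_testing


def handle_request(raw, policies=POLICIES):
    """Answer one socketmap request; replies are netstrings starting with OK, NOTFOUND or PERM."""
    request, _rest = decode_netstring(raw)
    if request is None:
        raise ValueError("incomplete request")
    name, _, key = request.partition(b" ")
    if name != b"postfix":
        return encode_netstring(b"PERM unknown map " + name)
    # the key is the next-hop domain Postfix is about to deliver to
    domain = key.decode("ascii", "strict").lower().rstrip(".")
    if domain in policies:
        entry = policy_to_postfix(*policies[domain])
        if entry is not None:
            return encode_netstring(b"OK " + entry.encode("ascii"))
    return encode_netstring(b"NOTFOUND ")


if __name__ == "__main__":
    for key in (b"postfix example.net", b"postfix testing.example", b"postfix unknown.example"):
        reply, _ = decode_netstring(handle_request(encode_netstring(key)))
        print("%-28s -> %s" % (key.decode(), reply.decode()))
```

Because the reply is a `secure` policy with an explicit `match=` list, Postfix verifies the MX certificate against the names the policy publishes rather than against whatever name the MX record happened to resolve to, which is exactly the downgrade MTA-STS is meant to close.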