MTA-STS

SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections, and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

MTA-STS does not require the use of DNSSEC to authenticate DANE TLSA records but relies on the certificate authority (CA) system and a trust-on-first-use (TOFU) approach to avoid interceptions.

The TOFU model allows a degree of security similar to that of HPKP, reducing the complexity but without the guarantees on first use offered by DNSSEC.

In addition, MTA-STS introduces a mechanism for failure reporting and a report-only mode, enabling progressive roll-out and auditing for compliance.

MTA-STS is described in RFC 8461.

DNS Records

TLSRPT DNS TXT

A number of protocols exist for establishing encrypted channels between SMTP Mail Transfer Agents, including STARTTLS, DANE TLSA and MTA-STS.

These protocols can fail due to misconfiguration or active attack, leading to undelivered messages or delivery over unencrypted or unauthenticated channels.

This DNS TXT record tells any sending system where it can send reports with statistics and specific information about potential failures with the recipient domain.

The recipient domain can then use this information to both detect potential attacks and diagnose unintentional misconfigurations.

_smtp._tls.example.net IN TXT "v=TLSRPTv1; rua=mailto:postmaster@example.net"

Also add CNAME records for all other domains which use your mail servers as MX.

_smtp._tls.example.org IN CNAME _smtp._tls.example.net.
_smtp._tls.example.com IN CNAME _smtp._tls.example.net.

With PowerDNS we can use pdnsutil as root to do this:

pdnsutil add-record example.net _smtp._tls TXT "v=TLSRPTv1; rua=mailto:postmaster@example.net"
pdnsutil add-record example.org _smtp._tls CNAME _smtp._tls.example.net
pdnsutil add-record example.com _smtp._tls CNAME _smtp._tls.example.net
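What arrives at the rua address is a JSON aggregate report (RFC 8460). The following added example, which is not part of this page or of any project it mentions, triages such a report the way the paragraph above suggests: it separates failure types that may indicate an attacker on the path from those that point at the recipient's own misconfiguration. The report embedded below is constructed for the example; the grouping of result types is my own choice.

```python
import json

# Constructed sample TLSRPT aggregate report in the RFC 8460 JSON shape.
# Every value below is made up for this example; it is not a real report.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2024-01-01T00:00:00Z",
                   "end-datetime": "2024-01-01T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "2024-01-01T00:00:00Z-example.net",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.net"},
        "summary": {"total-successful-session-count": 5326,
                    "total-failure-session-count": 3},
        "failure-details": [
            {"result-type": "certificate-host-mismatch",
             "receiving-mx-hostname": "backupmx.example.net",
             "failed-session-count": 2},
            {"result-type": "sts-policy-fetch-error",
             "receiving-mx-hostname": "mail.example.net",
             "failed-session-count": 1}]}]})

# RFC 8460 result types grouped by what they usually mean for the receiving
# domain. "suspicious" ones can also be produced by an attacker on the path
# (stripped STARTTLS, substituted certificate), so check those first.
CATEGORY = {
    "starttls-not-supported": "suspicious", "certificate-host-mismatch": "suspicious",
    "certificate-not-trusted": "suspicious", "validation-failure": "suspicious",
    "certificate-expired": "misconfiguration", "sts-policy-fetch-error": "misconfiguration",
    "sts-policy-invalid": "misconfiguration", "sts-webpki-invalid": "misconfiguration",
}

def triage_report(report_json):
    """Summarise each policy in a TLSRPT report: session counts, failures per
    category and the (result-type, MX host) pairs to follow up on."""
    findings = []
    for entry in json.loads(report_json)["policies"]:
        summary = entry.get("summary", {})
        per_cat = {"suspicious": 0, "misconfiguration": 0, "other": 0}
        detail = {}
        for fd in entry.get("failure-details", []):
            n = fd.get("failed-session-count", 0)
            per_cat[CATEGORY.get(fd["result-type"], "other")] += n
            key = (fd["result-type"], fd.get("receiving-mx-hostname", "?"))
            detail[key] = detail.get(key, 0) + n
        findings.append({"domain": entry["policy"]["policy-domain"],
                         "policy_type": entry["policy"]["policy-type"],
                         "ok": summary.get("total-successful-session-count", 0),
                         "failed": summary.get("total-failure-session-count", 0),
                         "by_category": per_cat, "detail": detail})
    return findings
```

Real reports arrive gzip-compressed as mail attachments; decompress the attachment and pass the JSON text to triage_report().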

MTA-STS DNS TXT

The MTA-STS DNS TXT record declares to any sending mail server that asks that a policy is available.

_mta-sts.example.net IN TXT "v=STSv1; id=20160831085700Z"

The "id" field serves as a reference for policy updates: senders re-fetch the policy when the id changes.

Also add CNAME records for all other domains which use your mail servers as MX.

_mta-sts.example.org IN CNAME _mta-sts.example.net.
_mta-sts.example.com IN CNAME _mta-sts.example.net.

With PowerDNS we can use pdnsutil as root to do this:

pdnsutil add-record example.net _mta-sts TXT "v=STSv1; id=$(date --utc +%Y%m%d%H%M%SZ)"
pdnsutil add-record example.org _mta-sts CNAME _mta-sts.example.net
pdnsutil add-record example.com _mta-sts CNAME _mta-sts.example.net

MTA-STS Subdomain

The MTA-STS subdomain will serve the policy via HTTPS. Like any web service, it needs a DNS entry.

mta-sts.example.net IN    A  192.0.2.40
mta-sts.example.net IN AAAA  2001:db8::40

Also add CNAME records for all other domains which use your mail servers as MX.

mta-sts.example.org IN CNAME mta-sts.example.net.
mta-sts.example.com IN CNAME mta-sts.example.net.

With PowerDNS we can use pdnsutil as root to do this:

pdnsutil add-record example.net mta-sts A 192.0.2.40
pdnsutil add-record example.net mta-sts AAAA 2001:db8::40
pdnsutil add-record example.org mta-sts CNAME mta-sts.example.net
pdnsutil add-record example.com mta-sts CNAME mta-sts.example.net

Web Server

TLS Certificates

We use dehydrated to request additional certificates for the HTTPS policy server.

Add the following lines to /etc/dehydrated/domains.txt:

...

# SMTP MTA Strict Transport Security (MTA-STS)
mta-sts.example.net mta-sts.example.org mta-sts.example.com

...

Nginx Virtual Host

Set up the virtual host in Nginx to deliver the policy over HTTPS.

Create a new virtual host /etc/nginx/sites-available/mta-sts.conf for Nginx:

mta-sts.example.net.conf
#
# mta-sts.example.net
#
# SMTP MTA Strict Transport Security (MTA-STS)
# See https://datatracker.ietf.org/doc/draft-ietf-uta-mta-sts/
#

#
# Secured HTTP Site
#
server {

    # Please make sure the certificate contains all needed subjectAltNames
    server_name mta-sts.example.net
                mta-sts.example.org
                mta-sts.example.com
                mta-sts.*;

    # IPv6 public global address
    listen      [2001:db8::40]:443 ssl http2 deferred;

    # IPv4 private local address
    listen      192.0.2.40:443 ssl http2 deferred;

    # IPv4 private address (Port-forwarded from NAT firewall/router)
    listen      192.0.2.10:443 ssl http2;


    # TLS certificate (chained) and ECDSA private key
    ssl_certificate         /etc/dehydrated/ec_certs/mta-sts.example.net/fullchain.pem;
    ssl_certificate_key     /etc/dehydrated/ec_certs/mta-sts.example.net/privkey.pem;

    # TLS certificate of signing CA (to validate OCSP response when stapling)
    ssl_trusted_certificate /etc/dehydrated/ec_certs/mta-sts.example.net/chain.pem;

    # ECDSA cert OCSP stapling response file (pre-generated)
    ssl_stapling_file       /etc/dehydrated/ec_certs/mta-sts.example.net/ocsp.der;


    # Enable stapling of online certificate status protocol (OCSP) response
    # (included once; nginx rejects duplicate ssl_stapling directives)
    include                 /etc/nginx/ocsp-stapling.conf;

    # TLS session cache (type:name:size)
    ssl_session_cache       shared:mta-sts.example.net:10m;

    # TLS session ticket keys (rotated every 8 hours, for 24h max.)
    ssl_session_ticket_key  tls_session_keys/mta-sts.example.net.1.key;
    ssl_session_ticket_key  tls_session_keys/mta-sts.example.net.2.key;
    ssl_session_ticket_key  tls_session_keys/mta-sts.example.net.3.key;

    # Strict Transport Security (HSTS)
    include     hsts.conf;

    # Expect Certificate Transparency with valid Signed Certificate Timestamps (SCTs)
    include     expect-ct.conf;

    # Content Security Policy (CSP)
    #include     csp/mta-sts.example.net.csp.conf;

    # Common Server Settings
    include     server-conf.d/*.conf;

    # Public Documents Root
    root        /var/www/example.net/mta-sts;


    # Serve a policy file from the document root if one exists,
    # otherwise fall back to the inline policy below
    location ^~ /.well-known/mta-sts.txt {
        try_files $uri @mta-sts;
    }

    location @mta-sts {
        # Senders require the policy to be served as text/plain
        default_type text/plain;
        return 200 "version: STSv1
mode: enforce
max_age: 10368000
mx: mail.example.net
mx: *.example.net
mx: backupmx.example.net\n";
    }
}


#
# Unsecured HTTP Site
#
server {

    server_name mta-sts.example.net
                mta-sts.example.org
                mta-sts.example.com
                mta-sts.*;

    # IPv6 public global address
    listen      [2001:db8::40]:80 deferred;

    # IPv4 private local address
    listen      192.0.2.40:80 deferred;

    # IPv4 private address (Port-forwarded from NAT firewall/router)
    listen      192.0.2.10:80;

    # Redirect to secure server
    return      301 https://$host$request_uri;
}

Postfix Server Integration

The postfix-mta-sts-resolver translates any published MTA-STS policy into a Postfix TLS client policy.

Policies are cached in Redis and will be available on all our mail servers through replication.

Installation

The Postfix MTA-STS Resolver is available in the Ubuntu software package repository:

$ sudo apt install postfix-mta-sts-resolver

After installation you will find the two programs /usr/bin/mta-sts-query and /usr/bin/mta-sts-daemon, a systemd service unit /lib/systemd/system/postfix-mta-sts-resolver.service, a configuration file /etc/mta-sts-daemon.yml, and a new system user and group called "_mta-sts".

Configuration

Configuration is stored in the file /etc/mta-sts-daemon.yml:

mta-sts-daemon.yml
host: 127.0.0.1
port: 8461
reuse_port: true
shutdown_timeout: 20
cache:
    type: redis
    options:
        address: "redis://127.0.0.1:6384/0?timeout=5"
        db: 0
        password: "ZlsQPlZAwMRpBgzEvwH2J7jsWkcpC7Xr"
        minsize: 5
        maxsize: 25
default_zone:
    strict_testing: false
    timeout: 4
zones:
    myzone:
        strict_testing: false
        timeout: 4

Service Dependencies

Since we cache the TLS policies for Postfix in a Redis server, we want the Redis cache to be up and running before the MTA-STS service starts. To achieve this, make postfix-mta-sts-resolver.service depend on redis-server@postfix-tls.service.

You can create a Systemd override file easily with the help of the systemctl command:

$ sudo systemctl edit postfix-mta-sts-resolver.service

This will start your editor with an empty file, where you can add your own custom Systemd service configuration options.

[Unit]
After=redis-server@postfix-tls.service
BindsTo=redis-server@postfix-tls.service

After you save and exit the editor, the file will be saved as /etc/systemd/system/postfix-mta-sts-resolver.service.d/override.conf and systemd will reload its configuration.

Postfix Configuration

In /etc/postfix/main.cf, point the TLS policy lookup at the daemon. The address must match the host and port set in /etc/mta-sts-daemon.yml above:

# Per-destination TLS policy from the MTA-STS daemon (socketmap:inet:host:port:name)
smtp_tls_policy_maps =
    socketmap:inet:127.0.0.1:8461:postfix
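Before switching the served policy to mode: enforce it is worth checking what a sender will make of it, and what the resolver will hand Postfix. The following added example, written for this page and not taken from postfix-mta-sts-resolver or any other project, parses the policy body served by the Nginx location above, lists MX hosts the policy does not cover (in enforce mode senders refuse to deliver to those), and maps the policy to a Postfix smtp_tls_policy_maps value. The "secure match=" output format and the strict_testing behaviour are my reading of the resolver and are assumptions; MX_HOSTS is a constructed list.

```python
import re

# Constructed inputs: the policy body the Nginx location above returns; the MX host list is made up.
POLICY_TXT = ("version: STSv1\nmode: enforce\nmax_age: 10368000\n"
              "mx: mail.example.net\nmx: *.example.net\nmx: backupmx.example.net\n")
MX_HOSTS = ["mail.example.net", "mx2.example.net", "backupmx.example.net"]

def parse_policy(text):
    """Parse /.well-known/mta-sts.txt into a dict; raise ValueError for a
    policy a sending MTA must discard (RFC 8461 section 3.2 rules)."""
    pol = {"mx": []}
    for line in text.splitlines():
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "mx":
            # A wildcard is only allowed as the whole leftmost label
            if not re.fullmatch(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", val):
                raise ValueError(f"bad mx pattern: {val}")
            pol["mx"].append(val.lower())
        elif key:
            pol[key] = val
    if pol.get("version") != "STSv1" or pol.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid version/mode")
    if not pol.get("max_age", "").isdigit() or int(pol["max_age"]) > 31557600:
        raise ValueError("max_age must be an integer 0..31557600 seconds")
    if pol["mode"] != "none" and not pol["mx"]:
        raise ValueError("enforce/testing policies need at least one mx line")
    return pol

def mx_matches(host, patterns):
    """Literal patterns match exactly; '*.example.net' matches exactly one
    leftmost label, so a.b.example.net does not match it."""
    host = host.lower().rstrip(".")
    for p in patterns:
        if p.startswith("*."):
            if host.endswith(p[1:]) and "." not in host[:-len(p) + 1]:
                return True
        elif host == p:
            return True
    return False

def unlisted_mx(policy, mx_hosts):
    """MX hosts the policy does not cover; in enforce mode senders refuse them."""
    return [h for h in mx_hosts if not mx_matches(h, policy["mx"])]

def postfix_policy(policy, strict_testing=False):
    """Map a policy to a Postfix smtp_tls_policy_maps value; like the daemon's
    strict_testing option, testing-mode policies are only enforced if it is set."""
    if policy["mode"] == "enforce" or (policy["mode"] == "testing" and strict_testing):
        return "secure match=" + ":".join(p[1:] if p.startswith("*") else p for p in policy["mx"])
    return "may"
```

For a "secure" policy to work, Postfix must also be able to verify the MX certificates against a CA store (smtp_tls_CAfile or smtp_tls_CApath); with no trust store every delivery under an enforce policy fails.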
