MTA-STS

SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections, and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

MTA-STS does not require the use of DNSSEC to authenticate DANE TLSA records but relies on the certificate authority (CA) system and a trust-on-first-use (TOFU) approach to avoid interceptions.

The TOFU model allows a degree of security similar to that of HPKP, reducing the complexity but without the guarantees on first use offered by DNSSEC.

In addition, MTA-STS introduces a mechanism for failure reporting and a report-only mode, enabling progressive roll-out and auditing for compliance.

As of Oct 28, 2020 it is still a draft.

DNS Entries

TLSRPT DNS TXT

A number of protocols exist for establishing encrypted channels between SMTP Mail Transfer Agents, including STARTTLS, DANE TLSA and MTA-STS.

These protocols can fail due to misconfiguration or active attack, leading to undelivered messages or delivery over unencrypted or unauthenticated channels.

This DNS TXT entry tells any sending system where it can send reports with statistics and specific information about potential failures with the recipient domain.

The recipient domain can then use this information to both detect potential attacks and diagnose unintentional misconfigurations.

_smtp._tls.example.net IN TXT "v=TLSRPTv1; rua=mailto:postmaster@example.net"

Also add CNAME records for all other domains which use your mail servers as MX.

_smtp._tls.example.org IN CNAME _smtp._tls.example.net.
_smtp._tls.example.com IN CNAME _smtp._tls.example.net.

With PowerDNS we can use pdnsutil as root to do this:

pdnsutil add-record example.net _smtp._tls TXT "v=TLSRPTv1; rua=mailto:postmaster@example.net"
pdnsutil add-record example.org _smtp._tls CNAME _smtp._tls.example.net
pdnsutil add-record example.com _smtp._tls CNAME _smtp._tls.example.net

MTA-STS DNS TXT

The MTA-STS DNS TXT record declares to any mail server that asks that a policy is available.

_mta-sts.example.net IN TXT "v=STSv1; id=20160831085700Z"

The “id” field serves as a reference for policy updates.

Also add CNAME records for all other domains which use your mail servers as MX.

_mta-sts.example.org IN CNAME _mta-sts.example.net.
_mta-sts.example.com IN CNAME _mta-sts.example.net.

With PowerDNS we can use pdnsutil as root to do this:

pdnsutil add-record example.net _mta-sts TXT "v=STSv1; id=$(date --utc +%Y%m%d%H%M%SZ)"
pdnsutil add-record example.org _mta-sts CNAME _mta-sts.example.net
pdnsutil add-record example.com _mta-sts CNAME _mta-sts.example.net

MTA-STS Subdomain

The MTA-STS subdomain will serve the policy via HTTPS. Like any web service, it needs a DNS entry.

mta-sts.example.net IN    A  192.0.2.40
mta-sts.example.net IN AAAA  2001:db8::40

Also add CNAME records for all other domains which use your mail servers as MX.

mta-sts.example.org IN CNAME mta-sts.example.net.
mta-sts.example.com IN CNAME mta-sts.example.net.

With PowerDNS we can use pdnsutil as root to do this:

pdnsutil add-record example.net mta-sts A 192.0.2.40
pdnsutil add-record example.net mta-sts AAAA 2001:db8::40
pdnsutil add-record example.org mta-sts CNAME mta-sts.example.net
pdnsutil add-record example.com mta-sts CNAME mta-sts.example.net

Web Server

TLS Certificates

We use dehydrated to request additional certificates for the HTTPS policy server.

Add the following lines to /etc/dehydrated/domains.txt

...

# SMTP MTA Strict Transport Security (MTA-STS)
mta-sts.example.net mta-sts.example.org mta-sts.example.com

...

Nginx Virtual Host

Set up the virtual host in Nginx to deliver the policy over HTTPS.

Create a new virtual host /etc/nginx/sites-available/mta-sts.conf for Nginx:

mta-sts.example.net.conf
#
# mta-sts.example.net
#
# SMTP MTA Strict Transport Security (MTA-STS)
# See https://datatracker.ietf.org/doc/draft-ietf-uta-mta-sts/
#

#
# Secured HTTP Site
#
server {

    # Please make sure the certificate contains all needed subjectAltNames
    server_name mta-sts.example.net
                mta-sts.example.org
                mta-sts.example.com
                mta-sts.*;

    # IPv6 public global address
    listen      [2001:db8::40]:443 ssl http2 deferred;

    # IPv4 private local address
    listen      192.0.2.40:443 ssl http2 deferred;

    # IPv4 private address (Port-forwarded from NAT firewall/router)
    listen      192.0.2.10:443 ssl http2;


    # TLS certificate (chained) and ECDSA private key
    ssl_certificate         /etc/dehydrated/ec_certs/mta-sts.example.net/fullchain.pem;
    ssl_certificate_key     /etc/dehydrated/ec_certs/mta-sts.example.net/privkey.pem;

    # TLS certificate of signing CA (to validate OCSP response when stapling)
    ssl_trusted_certificate /etc/dehydrated/ec_certs/mta-sts.example.net/chain.pem;

    # ECDSA cert OCSP stapling response file (pre-generated)
    ssl_stapling_file       /etc/dehydrated/ec_certs/mta-sts.example.net/ocsp.der;

    # TLS session cache (type:name:size)
    ssl_session_cache       shared:mta-sts.example.net:10m;

    # TLS session ticket keys (rotated every 8 hours, for 24h max.)
    ssl_session_ticket_key  tls_session_keys/mta-sts.example.net.1.key;
    ssl_session_ticket_key  tls_session_keys/mta-sts.example.net.2.key;
    ssl_session_ticket_key  tls_session_keys/mta-sts.example.net.3.key;

    # Strict Transport Security (HSTS)
    include     hsts.conf;

    # Expect Certificate Transparency with valid Signed Certificate Timestamps (SCTs)
    include     expect-ct.conf;

    # Enable stapling of online certificate status protocol (OCSP) response
    include     ocsp-stapling.conf;

    # Content Security Policy (CSP)
    #include     csp/mta-sts.example.net.csp.conf;

    # Common Server Settings
    include     server-conf.d/*.conf;

    # Public Documents Root
    root        /var/www/example.net/mta-sts;


    location ^~ /.well-known/mta-sts.txt {
        # Serve the policy file from the document root if present, else the inline policy below
        try_files $uri @mta-sts;
    }

    location @mta-sts {
        # default_type sets the Content-Type of the inline response
        # (add_header would append a second Content-Type header next to nginx's own)
        default_type text/plain;
        return 200 "version: STSv1
mode: enforce
max_age: 10368000
mx: mail.example.net
mx: *.example.net
mx: backupmx.example.net\n";
    }
}


#
# Unsecured HTTP Site
#
server {

    server_name mta-sts.example.net
                mta-sts.example.org
                mta-sts.example.com
                mta-sts.*;

    # IPv6 public global address
    listen      [2001:db8::40]:80 deferred;

    # IPv4 private local address
    listen      192.0.2.40:80 deferred;

    # IPv4 private address (Port-forwarded from NAT firewall/router)
    listen      192.0.2.10:80;

    # Redirect to secure server
    return      301 https://$host$request_uri;
}
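To show what a sending MTA does with the _mta-sts TXT record and the policy served by the virtual host above, here is an added Python example (not part of the original page, nor any MTA's code): it parses the TXT record and the policy body from this page (constructed inline, nothing is fetched), applies the RFC 8461 rule that a leading "*." in an mx pattern matches exactly one label, and derives the cache expiry and the id-change refetch trigger described in the MTA-STS DNS TXT section.

```python
from datetime import datetime, timedelta
# Constructed inputs (not fetched): the TXT record and the policy body from this page.
STS_TXT = "v=STSv1; id=20160831085700Z"
POLICY_BODY = ("version: STSv1\nmode: enforce\nmax_age: 10368000\n"
               "mx: mail.example.net\nmx: *.example.net\nmx: backupmx.example.net\n")

def parse_sts_txt(txt):
    """Parse the _mta-sts TXT value; the id must be 1 to 32 alphanumerics."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if kv.strip())
    sts_id = fields.get("id", "")
    if fields.get("v") != "STSv1" or not (sts_id.isalnum() and len(sts_id) <= 32):
        raise ValueError("invalid MTA-STS TXT record: %r" % txt)
    return fields

def parse_policy(body):
    """Parse /.well-known/mta-sts.txt into a dict; 'mx' collects every mx line."""
    policy = {"mx": []}
    for line in body.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key:
            policy[key] = value
    if (policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none")
            or not policy.get("max_age", "").isdigit()):
        raise ValueError("invalid MTA-STS policy")
    policy["max_age"] = int(policy["max_age"])  # seconds the policy may be cached
    return policy

def mx_matches(pattern, mx_host):
    """'*.example.net' matches exactly one label: mail.example.net yes, example.net and a.b.example.net no."""
    mx_host = mx_host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.net"
        head = mx_host[:-len(suffix)] if mx_host.endswith(suffix) else ""
        return bool(head) and "." not in head
    return mx_host == pattern

def allowed_mx(policy, mx_hosts):
    """MX hosts the sender may use; in enforce mode every other MX is skipped."""
    return [h for h in mx_hosts if any(mx_matches(p, h) for p in policy["mx"])]

def cache_expiry(fetched_at_iso, policy):
    """ISO time after which a cached policy must be refetched even if the TXT id is unchanged."""
    return (datetime.fromisoformat(fetched_at_iso) + timedelta(seconds=policy["max_age"])).isoformat()

def policy_changed(cached_id, txt):
    """A new id in the TXT record tells the sender to fetch the policy again."""
    return parse_sts_txt(txt)["id"] != cached_id
```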