Rob's web

Setting up mta-sts

A newer 2018 RFC, RFC 8461 "SMTP MTA Strict Transport Security (MTA-STS)", addresses the problem of active adversaries by defining a protocol for mail servers to declare their ability to use secure channels, both in specific files on the server and in specific DNS TXT records. The relying party regularly checks for the existence of such a record, caches it for the amount of time specified in the record, and never communicates over insecure channels until the record expires. Note that MTA-STS records apply only to SMTP traffic between mail servers; communications between a user's client and the mail server are protected by Transport Layer Security with SMTP/MSA, IMAP, POP3, or HTTPS in combination with an organizational or technical policy. Essentially, MTA-STS is a means to extend such a policy to third parties.

In April 2019 Google Mail announced support for MTA-STS.

Prerequisites

  1. Working mail-system
  2. Working http server with public access
  3. A wildcard TLS certificate for the domain.
  4. ≥ TLSv1.2

Setting up a vhost

We need to create an mta-sts web server (vhost) for our mail domain.

# cd /var/named/dynamic/example.com
# vi example.com
mta-sts                 CNAME   server1
# systemctl restart named
# nslookup mta-sts.example.com

# cd /srv/www/vhosts/
# mkdir -p mta-sts.example.com/httpsdocs/.well-known
# cd /etc/httpd/conf/vhosts
# cp vhosts.con mta-sts.example.com.conf
# vi mta-sts.example.com.conf		// Change the URL to mta-sts.<your-domain>
# httpd -t
# systemctl restart httpd
# httpd -S

Setting up mail-recipients

Add an alias for tls-report@example.com.

# cd
# mariadb -u root -p
MariaDB [(none)]> use mail;
MariaDB [mail]> insert into aliases (DomainId, Source, Destination) values (1, 'tls-report@example.com', 'johndoe@example.com');
MariaDB [mail]> quit
#

Creating a policy file

The policy file is a plain text file that contains key and value pairs. Each pair must be on its own line in the policy file, as in the example below. The file must be no larger than 64 KB in size.

Policy file name: The file name of the plain text file must be mta-sts.txt.

Store the file in the .well-known directory of the mta-sts server.

Policy file format: The version field must be on the first line of the policy. The other fields can be in any order. Here is an example of a policy file:

version: STSv1
mode: testing
mx: mail.solarmora.com
mx: *.solarmora.net
mx: backupmx.solarmora.com
max_age: 604800
Key       Value

version   Protocol version. Must be STSv1.

mode

Policy mode:

testing: External servers send you reports about encryption and other issues that are detected when you connect to your domain. MTA-STS encryption and authentication requirements are not enforced.

enforce: If the SMTP connection does not authenticate and encrypt, email servers set up for MTA-STS will not send messages to your domain. You will also receive reports from external servers about connection issues, just as in test mode.

none: Tells external servers that your domain no longer supports MTA-STS. Use this value if you stop using MTA-STS. Learn more about removing MTA-STS (RFC 8461).

mx

MX record for the domain.

  • The policy must have an entry of mx for each MX record added to the domain.
  • Each entry containing mx must be on its own line in the policy file, as in the example.
  • The email server name must be in standard Subject Alternative Name (SAN) format.
  • The mx value must be in one of the formats in the following examples:

Specify a single server in standard MX format: alt1.aspmx.solarmora.com

Use a wildcard to specify servers that match a naming pattern. The wildcard replaces only the leftmost label, for example: *.solarmora.com

Learn more about MX records and MX record values.

max_age

Maximum length of time in seconds that the policy is valid. The max_age is reset for a remote server each time the policy is checked by that server. Therefore, remote servers can have different expiration dates for the same policy.

The value should be between 86400 (1 day) and 31557600 (approximately 1 year).

For test mode, we recommend setting a value between 604800 and 1209600 (1-2 weeks).

The file is then found at https://mta-sts.example.com/.well-known/mta-sts.txt.
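Before publishing the policy it is worth checking it against the rules above (version on the first line, a valid mode, one mx entry per MX host, max_age within range, file under 64 KB). The following Python validator is an added example written for this page, not code from Rob's web or from any MTA-STS implementation; the sample policy is the one shown above, and mx_matches() implements the "wildcard replaces only the leftmost label" rule so you can test which MX hostnames a policy covers.

```python
import re

# Limits and allowed values taken from the policy description above.
MAX_POLICY_BYTES = 64 * 1024
MIN_MAX_AGE = 86400        # 1 day
MAX_MAX_AGE = 31557600     # about 1 year
VALID_MODES = ("testing", "enforce", "none")
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_mx_pattern(value):
    """An mx value is a hostname, optionally with '*' as its leftmost label."""
    labels = value.split(".")
    if len(labels) < 2:
        return False
    if labels[0] == "*":
        labels = labels[1:]
    return all(LABEL_RE.match(label) for label in labels)


def parse_policy(text):
    """Parse an mta-sts.txt body and return (policy, errors).

    policy: {'version': ..., 'mode': ..., 'max_age': int, 'mx': [...]}
    errors: human-readable problems; an empty list means the file is acceptable.
    """
    errors = []
    if len(text.encode("utf-8")) > MAX_POLICY_BYTES:
        errors.append("policy is larger than 64 KB")
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    policy = {"mx": []}
    for number, line in enumerate(lines, start=1):
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            errors.append(f"line {number}: expected 'key: value'")
            continue
        if number == 1 and key != "version":
            errors.append("version must be on the first line")
        if key == "mx":
            if not valid_mx_pattern(value):
                errors.append(f"line {number}: bad mx value {value!r}")
            policy["mx"].append(value)
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                errors.append(f"line {number}: duplicate key {key!r}")
            policy[key] = value
        else:
            errors.append(f"line {number}: unknown key {key!r}")

    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        errors.append("mode must be testing, enforce or none")
    elif policy["mode"] != "none" and not policy["mx"]:
        errors.append("at least one mx entry is required unless mode is none")
    try:
        policy["max_age"] = int(policy.get("max_age", ""))
        if not MIN_MAX_AGE <= policy["max_age"] <= MAX_MAX_AGE:
            errors.append("max_age should be between 86400 and 31557600")
    except ValueError:
        errors.append("max_age must be an integer number of seconds")
    return policy, errors


def mx_matches(pattern, hostname):
    """True if hostname is covered by an mx entry; '*' matches only the leftmost label."""
    want = pattern.lower().split(".")
    have = hostname.lower().rstrip(".").split(".")
    if len(want) != len(have):
        return False
    if want[0] == "*":
        return want[1:] == have[1:]
    return want == have


# Constructed sample: the policy file shown above.
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mail.solarmora.com
mx: *.solarmora.net
mx: backupmx.solarmora.com
max_age: 604800
"""

if __name__ == "__main__":
    parsed, problems = parse_policy(SAMPLE_POLICY)
    print(parsed, problems or "OK")
```

Run it against your own /srv/www/vhosts/mta-sts.example.com/httpsdocs/.well-known/mta-sts.txt before switching mode from testing to enforce; a bad mx list in enforce mode means MTA-STS-aware senders stop delivering to you.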

Adding records in the DNS servers

Adding the mta-sts record

To turn on MTA-STS for the domain, add a DNS record at _mta-sts:

_mta-sts TXT v=STSv1; id=20190425085700

id: Must be 1-32 alphanumeric characters. The ID signals to external servers that your domain supports MTA-STS.

Update the id to a new, unique value every time you change your MTA-STS policy. External servers use the updated id value to determine when your policy changed. We recommend using the current date and time for the id value so you know when your policy last changed.

Adding the TLS-reporting record

To turn on TLS reporting, add a DNS record at _smtp._tls:

_smtp._tls TXT v=TLSRPTv1; rua=mailto:tls-report@example.com

rua: The email address you created to get reports. To get reports at multiple emails, separate the email addresses with commas: v=TLSRPTv1; rua=mailto:tlsrpt@solarmora.com,mailto:mta-sts@solarmora.com
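A sending server reads these two TXT records before anything else, so malformed tags or an over-long id silently disable MTA-STS for your domain. The Python below is an added example for this page, not code from Rob's web or from any MTA-STS implementation: it checks the _mta-sts and _smtp._tls record syntax described above (first tag must be the version, id of 1-32 alphanumeric characters, at least one rua address) and shows the id comparison a sender uses to decide whether its cached policy must be refetched. It goes slightly beyond the page in also accepting https:// rua endpoints, which RFC 8460 permits alongside mailto:.

```python
import re

STS_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


def parse_tags(txt):
    """Split a 'key=value; key=value' TXT string into ordered (key, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None  # a tag without '=' makes the whole record unusable
        pairs.append((key.strip(), value.strip()))
    return pairs


def validate_mta_sts_record(txt):
    """Check a _mta-sts TXT value; return (id, None) or (None, error)."""
    pairs = parse_tags(txt)
    if not pairs:
        return None, "record is empty or malformed"
    if pairs[0] != ("v", "STSv1"):
        return None, "first tag must be v=STSv1"
    sts_id = dict(pairs).get("id", "")
    if not STS_ID_RE.match(sts_id):
        return None, "id must be 1-32 alphanumeric characters"
    return sts_id, None


def validate_tlsrpt_record(txt):
    """Check a _smtp._tls TXT value; return (list of rua URIs, None) or (None, error)."""
    pairs = parse_tags(txt)
    if not pairs:
        return None, "record is empty or malformed"
    if pairs[0] != ("v", "TLSRPTv1"):
        return None, "first tag must be v=TLSRPTv1"
    rua = [uri.strip() for uri in dict(pairs).get("rua", "").split(",") if uri.strip()]
    if not rua:
        return None, "rua with at least one report address is required"
    for uri in rua:
        # The page shows mailto: only; https:// endpoints are also allowed by RFC 8460.
        if not (uri.startswith("mailto:") or uri.startswith("https://")):
            return None, f"unsupported rua URI {uri!r}"
    return rua, None


def policy_needs_refetch(cached_id, dns_id):
    """A sender refetches the policy over HTTPS only when the DNS id has changed."""
    return cached_id != dns_id


if __name__ == "__main__":
    # Constructed samples: the record values shown above.
    print(validate_mta_sts_record("v=STSv1; id=20190425085700"))
    print(validate_tlsrpt_record(
        "v=TLSRPTv1; rua=mailto:tlsrpt@solarmora.com,mailto:mta-sts@solarmora.com"))
    print(policy_needs_refetch("20190425085700", "20190501120000"))
```

The id check is the one most often forgotten after a policy change: if you edit mta-sts.txt but leave the _mta-sts id alone, remote servers keep using their cached copy until max_age runs out.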

Links