Mail Transfer Agent Strict Transport Security (MTA-STS)

Hi All,

What is MTA-STS

Mail Transfer Agent Strict Transport Security (MTA-STS) makes sure that emails are transferred over a secured TLS connection, but it has lower requirements than DNS-based Authentication of Named Entities (DANE).

"Mail Transfer Agent Strict Transport Security (MTA-STS)" was defined in 2018 in the following RFC:

MTA-STS benefits:

  • Emails are transferred over a secure TLS connection
  • Must use TLS version 1.2 or higher
  • The TLS certificates need to:
    • Have a certificate subject that matches the MX entry
    • Be signed and issued by a publicly trusted CA
    • Be valid (valid from / valid until)

MTA-STS protects against:

  • Downgrade attacks to lower TLS versions
  • Man-in-the-Middle (MITM) attacks
  • Multiple SMTP security issues, including expired TLS certificates and lack of support for secure protocols

MTA-STS consists of:

Like DANE, the sender must support MTA-STS: it queries the MTA-STS TXT record and then fetches the MTA-STS policy. If the sender does not support MTA-STS, it is still allowed to send mail without TLS 1.2, as long as the receiving mail server accepts that.

MTA-STS DNS TXT Record

The MTA-STS DNS TXT record basically tells a sending server that this domain supports MTA-STS.

The DNS query is for a TXT record at "_mta-sts.domain.tld":

_mta-sts.domain.tld IN TXT "v=STSv1; id=20231019145600Z;"

Example Record

v=STSv1; id=20231019145600Z;

$DNSQuery = "_mta-sts.icewolf.ch"
Resolve-DnsName -Name $DNSQuery -Type TXT | where {$_.Strings -match "v=STSv1"}

MTA-STS Policy

The MTA-STS policy is a simple text file that contains a version, a mode, the MX certificate subjects and a max age for caching. It is served at:

https://mta-sts.domain.tld/.well-known/mta-sts.txt

Mode:

  • “enforce”: In this mode, Sending MTAs MUST NOT deliver the message to hosts that fail MX matching or certificate validation or that do not support STARTTLS.

  • “testing”: In this mode, Sending MTAs that also implement the TLSRPT (TLS Reporting) specification [RFC8460] send a report indicating policy application failures (as long as TLSRPT is also implemented by the recipient domain); in any case, messages may be delivered as though there were no MTA-STS validation failure.

  • “none”: In this mode, Sending MTAs should treat the Policy Domain as though it does not have any active policy.

The MTA-STS policy for Exchange Online has been provided here:

version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800

To query the MTA-STS policy you can use this PowerShell code:

$Result = Invoke-WebRequest -Uri "https://mta-sts.icewolf.ch/.well-known/mta-sts.txt"
$Result.Content

As you can see, the policy can contain multiple MX entries:

version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
mx: mail.icewolf.ch
max_age: 604800
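To show how a sending MTA evaluates such a policy, here is an added example (not the blog's code) that parses the policy file and applies the MX-matching and mode rules of RFC 8461; the wildcard pattern matches exactly one label, so the zone apex and deeper subdomains do not match. SAMPLE_POLICY is constructed from the policy shown above.

```python
# Added example, not the blog's code: parse an MTA-STS policy (RFC 8461) and
# apply its MX-matching and mode rules. SAMPLE_POLICY is constructed from above.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
mx: mail.icewolf.ch
max_age: 604800
"""
MODES = ("enforce", "testing", "none")
MAX_AGE_LIMIT = 31557600  # one year, the maximum RFC 8461 allows


def parse_policy(text):
    """Parse 'key: value' lines; only 'mx' may repeat, and it is lower-cased."""
    policy = {"mx": []}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or (key != "mx" and key in policy):
            raise ValueError("malformed or duplicate line: %r" % line)
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in MODES:
        raise ValueError("missing or unsupported version/mode")
    policy["max_age"] = int(policy.get("max_age", -1))
    if not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError("max_age missing or out of range")
    return policy


def mx_matches(pattern, host):
    """A leading '*.' matches exactly one label (no apex, no sub-subdomain)."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]  # e.g. ".mail.protection.outlook.com"
    label = host[:-len(suffix)] if host.endswith(suffix) else ""
    return bool(label) and "." not in label


def delivery_decision(policy, mx_host, tls_ok):
    """'deliver', 'deliver+report' (testing-mode failure) or 'reject'."""
    if policy["mode"] == "none":
        return "deliver"
    if tls_ok and any(mx_matches(p, mx_host) for p in policy["mx"]):
        return "deliver"
    return "reject" if policy["mode"] == "enforce" else "deliver+report"
```

In testing mode a failure still delivers but would be reported via TLSRPT; in enforce mode the message is not delivered to a non-matching or non-validating host.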

SMTP TLS Reporting

TLS Reporting provides a way to report when a TLS connection could not be established.

The reporting destination can be either a mailbox or an HTTP POST to a URL.

Example for RUA to a mailbox:

_smtp._tls.icewolf.ch IN TXT "v=TLSRPTv1; rua=mailto:mailbox@domain.tld"

Example for RUA to an HTTP POST endpoint:

_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=https://reporting.domain.tld/v1/tlsrpt"

Example Record

v=TLSRPTv1; rua=mailto:mailbox@domain.tld

$DNSQuery = "_smtp._tls.icewolf.ch"
Resolve-DnsName -Name $DNSQuery -Type TXT | where {$_.Strings -match "v=TLSRPTv1"}

A TLSRPT email looks quite similar to a DMARC report. It has a *.gz attachment that contains a JSON file.

Here are two examples of such JSON files:

Google:

Microsoft:

Exchange Online Report

In the Exchange Online Admin Center there is an Outbound Message in Transit Security report.

As you can see MTA-STS

Regards
Andres Bohren
