ISPMail on RHEL (Part Seven)


This will be a short part. We will talk about MTA-STS.

MTA-STS stands for Mail Transfer Agent Strict Transport Security. It is a standard designed to enhance the security of email communications by enforcing the use of encrypted connections (TLS) between email servers. MTA-STS allows remote email servers sending emails to our domain to learn in advance that we support TLS and to check that our certificate is valid, thus avoiding man-in-the-middle (and TLS downgrade) attacks.

The policy must be published in two places, with an optional third component:

  • On the DNS — The DNS must publish one _mta-sts.domain.tld TXT record;
  • On a webserver — On your webserver, at the address https://mta-sts.domain.tld/.well-known/mta-sts.txt, a text file containing the version, the enforcement policy and the MX hosts authorized to handle emails for your domain;
  • Reporting — Suggested, not required: a second TXT record that allows remote mailservers to report misconfigurations or issues with the certificates.

DNS

On the DNS you should enter the following records:

mta-sts       300  IN A     <your web server IP here>
_mta-sts      300  IN TXT   "v=STSv1; id=<version code>"
_smtp._tls    300  IN TXT   "v=TLSRPTv1; rua=mailto:<postmaster@domain.tld>"
  • mta-sts — The meaning of the first record should be straightforward: it points the policy host name to your web server;
  • _mta-sts — The version code (id) should preferably be a timestamp in ISO format representing the policy’s validity. Remote servers compare it with the id of the policy they have cached, so it must change every time the policy file changes;
  • _smtp._tls — Reporting email address.

mta-sts.txt

This file contains details about the policy; here below a sample of the file.

version: STSv1
mode: testing
mx: mail.domain.tld
max_age: 86400
  • version — Must be STSv1;
  • mode — Can be testing while you are testing your MTA-STS configuration; once the configuration is stable and no error reports are received, you can change this value to enforce;
  • mx — List of mail exchange server(s) allowed to handle mails for your domain, one per line;
  • max_age — Maximum age of this policy in seconds; 86400 (one day) is a good starting value; 604800 (one week) can be a correct value when the policy is tested and you switch the mode parameter from testing to enforce. Don’t forget to update the policy id in the _mta-sts DNS record every time you change the file!
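Before publishing the DNS record and the policy file above, it is worth checking them for the mistakes remote servers will silently reject. The following is an added example, not code from the original post: it parses an mta-sts.txt policy and the value of the _mta-sts TXT record, validates them against the constraints of RFC 8461 (version, mode, integer max_age of at most one year, alphanumeric id of at most 32 characters), and checks that every MX host of the domain is covered by an mx entry, including the one-label wildcard form. All inputs (SAMPLE_POLICY, SAMPLE_STS_TXT, the MX host list) are constructed samples; note that a full ISO timestamp with dashes or colons is not a valid id, so the sample strips them.

```python
import re

# Constructed sample policy, modelled on the file shown above (not fetched from anywhere)
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mail.domain.tld
max_age: 86400
"""

# Constructed sample value of the _mta-sts TXT record (id = compact ISO timestamp)
SAMPLE_STS_TXT = "v=STSv1; id=20240101T120000"

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age (one year in seconds)
VALID_MODES = {"enforce", "testing", "none"}
HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+\.?$", re.IGNORECASE)


def parse_policy(text):
    """Parse the key/value lines of an mta-sts.txt file into a dict.
    'mx' may repeat, so it is collected into a list; other keys keep the last value."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is well formed."""
    errors = []
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        errors.append("mode must be one of enforce, testing, none")
    if not policy["mx"]:
        errors.append("at least one mx entry is required")
    for mx in policy["mx"]:
        if not HOSTNAME_RE.match(mx):
            errors.append(f"invalid mx entry: {mx!r}")
    try:
        max_age = int(policy.get("max_age", ""))
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            errors.append(f"max_age must be between 0 and {MAX_AGE_LIMIT}")
    except ValueError:
        errors.append("max_age must be an integer number of seconds")
    return errors


def parse_sts_txt(record):
    """Parse the _mta-sts TXT record value and return its policy id.
    Raises ValueError when the record is malformed."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        k, v = part.split("=", 1)
        fields[k.strip()] = v.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("record must start with v=STSv1")
    policy_id = fields.get("id", "")
    # RFC 8461 limits the id to 1..32 alphanumeric characters (no '-' or ':')
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id):
        raise ValueError("id must be 1 to 32 alphanumeric characters")
    return policy_id


def mx_matches(mx_host, pattern):
    """Check whether an MX hostname is covered by a policy mx entry.
    A leading '*.' matches exactly one label, as RFC 8461 specifies."""
    host = mx_host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host.endswith("." + suffix) and "." not in host[: -len(suffix) - 1]
    return host == pattern


def check_mx_coverage(policy, mx_hosts):
    """Return the MX hosts (as found in DNS) that no policy mx entry covers."""
    return [h for h in mx_hosts if not any(mx_matches(h, p) for p in policy["mx"])]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("policy:", policy)
    print("problems:", validate_policy(policy) or "none")
    print("policy id from DNS:", parse_sts_txt(SAMPLE_STS_TXT))
    # Constructed MX host list, as the domain's MX records might return it
    print("uncovered MX hosts:", check_mx_coverage(policy, ["mail.domain.tld", "backup.domain.tld"]))
```

Run it against your own mta-sts.txt and the TXT value you intend to publish; an MX host reported as uncovered is exactly the case that will make remote servers refuse delivery once mode is switched to enforce.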

Web server

To publish the mta-sts.txt file you are not required to set up nginx or Apache! A light web server like lighttpd can be an option.

However, if you also plan to set up Roundcube or other web services, Apache comes back into play.

So here is a suggested configuration for Apache.

<VirtualHost *:443>
        ServerName mta-sts.domain.tld
        DocumentRoot /var/www/mta-sts
        # mod_headers: the policy file must be served as text/plain
        Header set Content-Type "text/plain"

        ErrorDocument 403 "403 Forbidden - This site is used to specify the MTA-STS policy for this domain, please see '/.well-known/mta-sts.txt'."

        # mod_ssl: this certificate must be valid for mta-sts.domain.tld
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/domain.tld/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem

        # mod_rewrite: answer 403 to everything except the policy file itself
        RewriteEngine On
        RewriteOptions IgnoreInherit
        RewriteRule !^/\.well-known/mta-sts\.txt$ - [L,R=403]
</VirtualHost>

Of course mta-sts.txt must be served over HTTPS with a certificate that is valid for mta-sts.domain.tld. Adapt the above configuration as you like, including logging and other features.

Finally, don’t forget to restart your webserver when done!
