What is MTA-STS? Setup the Right MTA STS Policy
A widely known internet standard that facilitates improving the security of connections between SMTP (Simple Mail Transfer Protocol) servers is the SMTP Mail Transfer Agent-Strict Transport Security (MTA-STS). MTA-STS resolves existing problems in SMTP email security by enforcing TLS encryption in transit.
The History and Origin of MTA-STS
In the year 1982, SMTP was first specified and it did not contain any mechanism for providing security at the transport level to secure communications between the mail transfer agents. However, in 1999, the STARTTLS command was added to SMTP that in turn supported the encryption of emails between the servers, providing the ability to convert a non-secure connection into a secure one that is encrypted using TLS protocol.
In that case, you must be wondering if SMTP adopted STARTTLS to secure connections between servers, why was the shift to MTA-STS required, and what it even did. Let’s jump into that in the following sections of this blog!
What is MTA-STS? (Mail Transfer Agent Strict Transport Security – Explained)
MTA-STS is a security standard that ensures the secure transmission of emails over an encrypted SMTP connection. The acronym MTA stands for Message Transfer Agent, which is a program that transfers email messages between computers. The acronym STS stands for Strict Transport Security, which is the protocol used to implement the standard. An MTA-STS-aware mail transfer agent (MTA) or secure message transfer agent (SMTA) operates in accordance with this specification and provides a secure end-to-end channel for sending email over unsecured networks.
The MTA-STS protocol allows an SMTP client to verify server identity and ensure that it is not connecting to an impostor by requiring the server to provide its certificate fingerprint in the TLS handshake. The client then verifies the certificate against a trust store containing certificates of known servers.
Introduction of MTA-STS Email Security
MTA-STS was introduced to bridge the gap in security during SMTP communications. As a security standard, MTA-STS ensures the secure transmission of emails over an encrypted SMTP connection.
The acronym MTA stands for Message Transfer Agent, which is a program that transfers email messages between computers. The acronym STS stands for Strict Transport Security, which is the protocol used to implement the standard. An MTA-STS-aware mail transfer agent (MTA) or secure message transfer agent (SMTA) operates in accordance with this specification and provides a secure end-to-end channel for sending email over unsecured networks.
The MTA-STS protocol allows an SMTP client to verify server identity and ensure that it is not connecting to an impostor by requiring the server to provide its certificate fingerprint in the TLS handshake. The client then verifies the certificate against a trust store containing certificates of known servers.
The Need for Shifting to Enforced TLS Encryption
STARTTLS was not perfect, and it failed to address two major problems: the first being that it is an optional measure, hence STARTTLS fails to prevent man-in-the-middle (MITM) attacks. This is because an MITM attacker can easily modify a connection and prevent the encryption update from taking place. The second problem with it is that even if STARTTLS is implemented, there is no way to authenticate the identity of the sending server as SMTP mail servers do not validate certificates.
While most outgoing emails today are secured with Transport Layer Security (TLS) encryption, an industry standard adopted even by consumer email, attackers can still obstruct and tamper with your email even before it gets encrypted. If you email to transport your emails over a secure connection, your data could be compromised or even modified and tampered with by a cyber attacker.
Here is where MTA-STS steps in and fixes this issue, guaranteeing safe transit for your emails as well as successfully mitigating MITM attacks. Furthermore, MTAs store MTA-STS policy files, making it more difficult for attackers to launch a DNS spoofing attack.
How Does MTA-STS Work?
MTA-STS protocol is deployed by having a DNS record that specifies that a mail server can fetch a policy file from a specific subdomain. This policy file is fetched via HTTPS and authenticated with certificates, along with the list of names of the recipient’s mail servers. Implementing MTA-STS is easier on the recipient’s side in comparison to the sending side as it requires to be supported by the mail server software. While some mail servers support MTA-STS, such as PostFix, not all do.
Major mail service providers such as Microsoft, Oath, and Google support MTA-STS. Google’s Gmail has already adopted MTA-STS policies in recent times. MTA-STS has removed the drawbacks in email connection security by making the process of securing connections easy and accessible for supported mail servers.
Connections from the users to the mail servers are usually protected and encrypted with TLS protocol, however, despite that there was an existing lack of security in the connections between mail servers before the implementation of MTA-STS. With a rise in awareness about email security in recent times and support from major mail providers worldwide, the majority of server connections are expected to be encrypted in the near future. Moreover, MTA-STS effectively ensures that cybercriminals on the networks are unable to read email content.
Steps to Set Up MTA-STS for Your Domain
In order to set up MTA-STS for your domain you can follow the steps shown below:
- Check if your domain has existing MTA-STS configurations. If you are using Google Workspace for your emails you can do so easily with the help of this guide.
- Create and publish an MTA-STS policy, configured separately for each domain. The MTA-STS policy file defines MTA-STS-enabled email servers used by that domain.
- Upon creating your policy file, you must upload this file to a public web server which can be easily accessed by remote servers
- Finally, create and publish your MTA-STS DNS record (“_mta-sts” TXT record) to instruct receiving servers that your emails must be TLS-encrypted to be considered authentic, and should only be allowed access to your receiver’s inbox if the former is true
Once you have an active policy file, external mail servers will not allow access to email without a secure connection.
3 MTA-STS Policy Modes: None, Testing and Enforce
The three available values for MTA-STS policy modes are as follows:
- None: This policy nullifies your MTA-STS configuration as external servers will consider the protocol inactive for the domain
- Testing: While on this policy, emails transferred over an unencrypted connection will not be rejected, instead, with TLS-RPT enabled you will continue to receive TLS reports on the delivery path and email behavior
- Enforce: Finally, when on enforce policy emails transferred over an unencrypted SMTP connection will be rejected by your server.
MTA-STS offers protection against :
- Downgrade attacks
- Man-In-The-Middle attacks (MITM)
- It solves multiple SMTP security problems, including expired TLS certificates and a lack of support for secure protocols.
Easy MTA-STS Deployment with PowerDMARC
MTA-STS requires an HTTPS-enabled web server with a valid certificate, DNS records, and constant maintenance. PowerDMARC’s DMARC analyzer tool makes your life a whole lot easier by handling all of that for you, completely in the background. Once we help you set it up, you never even have to think about it again.
With the help of PowerDMARC, you can deploy Hosted MTA-STS at your organization without the hassle of handling your public certificates. We help you:
- Make one-click policy updates and optimizations to your record without having to access your DNS settings.
- Verify your policy version and certificate validation
- Detect MTA-STS policy application failures
- Host your MTA-STS policy text file
- Detect connection failures, connection successes, and connection issues faster with simplified reports
Sign up today to quickly enforce emails to be sent to your domain over a TLS-encrypted connection, and make your connection secure against MITM and other cyber attacks.
- What Is DMARC Policy? None, Quarantine And Reject - September 15, 2024
- Fix SPF Permerror: Overcome SPF Too Many DNS Lookups Limit - April 26, 2024
- How to Publish a DMARC Record in 3 Steps? - April 2, 2024