
How to Secure Inbound Emails with MTA-STS: Protect Your Mail Server from Man-in-the-Middle Attacks

Emails traveling across the internet are usually protected by Transport Layer Security (TLS). However, this transport protection is opportunistic, which leaves the door open for man-in-the-middle attacks: an attacker who can tamper with the connection can downgrade it to plain text or redirect incoming mail to an unauthorized mail server.

To address this vulnerability, you can use MTA-STS (Mail Transfer Agent Strict Transport Security). MTA-STS helps:

  • Ensure that TLS encryption is always used for inbound emails, protecting them from being sent in plain text and intercepted.
  • Prevent malicious actors from diverting your inbound emails via man-in-the-middle attacks.

The primary consideration is that the sending mail provider must be able to support:

  • TLS, ideally TLS 1.2 or higher
  • Checks for MTA-STS records

Microsoft 365, Google Workspace, Mimecast & Proofpoint all support MTA-STS.

MTA-STS Records

So how does this work? A sending mail server that supports MTA-STS checks for a plain-text policy file hosted on the recipient’s domain (your web hosting). The file is called mta-sts.txt and is always served from the same location, for example:

https://mta-sts.thedailywaffle.co.uk/.well-known/mta-sts.txt

Because this policy is served over HTTPS from a host with a valid certificate, an attacker who can tamper with DNS cannot quietly point senders at a rogue mail server: the sender compares the MX hosts it resolves against the hosts listed in the policy and only delivers over TLS to a listed host. Either the email is delivered to the correct server or it isn’t sent at all.

MTA-STS builds on the same SSL validation technology that secures web transactions, applying it to email delivery. Simply using TLS for inbound connections isn’t enough on its own. By combining it with MTA-STS, senders can be certain they’re reaching the correct server, while you, as the recipient, can be confident that your emails aren’t being misdirected.

Note that the domain needs a DNS record for the subdomain mta-sts.example.com, and the policy file must be saved as mta-sts.txt inside the .well-known directory of that site:

Type: CNAME or A record
Name: mta-sts
Value: the hostname (CNAME) or IP address (A record) of the web server hosting your mta-sts.txt file

The URL must also be protected by a valid SSL/TLS certificate that covers mta-sts.example.com, otherwise senders will reject the policy.

The mta-sts.txt file must always be formatted in the same way too. The mx lines are the hostnames from your MX records, one per line and without quotes (a leading wildcard such as *.example.com is permitted):

version: STSv1
mode: enforce
mx: mail.example.com
mx: mail2.example.com
max_age: 604800

When you first set up the policy file, it’s recommended to set the mode to “testing.” In testing mode senders still deliver mail even if the policy check fails, but they report the failures to your chosen location or provider, which lets you confirm the configuration is correct before “enforce” mode can block inbound mail.

A final DNS entry is also required: a TXT record on the _mta-sts subdomain, which must be:

Type: TXT
Name: _mta-sts.example.com
Value: "v=STSv1; id=20241231080000"

The RFC recommends using the date and time of the last edit to the mta-sts.txt file as the id. Senders use this id to detect that the policy has changed, so update it every time you change the policy file.
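As an added example (not code from the original post or from any product mentioned here), the following Python checks a policy file the way a sending server would: it parses mta-sts.txt, flags the quoted-mx mistake and bad fields, and lists any MX hosts that the policy would not cover in enforce mode. The sample policy and MX hosts are constructed for the example.

```python
# Constructed sample inputs (not real records): the body of mta-sts.txt as fetched
# from the mta-sts subdomain, and the MX hostnames the domain publishes in DNS.
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
                 "mx: *.backup.example.com\nmax_age: 604800\n")
SAMPLE_MX_HOSTS = ["mail.example.com", "mx2.backup.example.com"]

def parse_policy(text):
    """Parse the mta-sts.txt body into (fields, errors); the mx key may repeat."""
    fields, errors = {"mx": []}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            errors.append(f"malformed line: {line!r}")
        elif key == "mx":
            if value.startswith('"'):  # common mistake: quoted hostnames never match
                errors.append(f"mx value must not be quoted: {value}")
            fields["mx"].append(value.strip('"'))
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        errors.append("version must be STSv1")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        errors.append("mode must be enforce, testing or none")
    if not fields.get("max_age", "").isdigit():
        errors.append("max_age must be an integer number of seconds")
    if not fields["mx"]:
        errors.append("at least one mx line is required")
    return fields, errors

def mx_matches(pattern, host):
    """MTA-STS matching: '*.example.com' matches exactly one label to the left."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        labels = host.split(".", 1)
        return len(labels) == 2 and labels[1] == pattern[2:]
    return host == pattern

def unlisted_mx_hosts(policy_fields, mx_hosts):
    """MX hosts no mx line covers; in enforce mode senders refuse to deliver to them."""
    return [h for h in mx_hosts
            if not any(mx_matches(p, h) for p in policy_fields["mx"])]
```

Run the same check against the live policy and MX records after every MX change; a non-empty unlisted list in enforce mode means senders will stop delivering to that host.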

TLS Reporting (TLS-RPT) and Monitoring

To receive reports on successful and failed TLS deliveries to your domain, you will also need to add the following DNS record:

Type: TXT
Name: _smtp._tls
Value: "v=TLSRPTv1; rua=mailto:tls-reports@example.com"

The only aspect of this record that needs to be amended is the mailto address. You should set it to either a reporting service you’re using or a shared mailbox, so the reports for successes and failures can be ingested.
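As an added example that is not part of the original post, here is a small Python summariser for the JSON reports that arrive at the rua address. The report below is a constructed sample in the RFC 8460 format (organisation name, IPs and counts are made up); the result-type names follow that RFC.

```python
import json
from collections import Counter

# Constructed sample TLS-RPT report in the RFC 8460 JSON shape (not a real report):
# one sts policy for example.com, 120 good sessions and 2 failures.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Ltd",
    "date-range": {"start-datetime": "2024-12-31T00:00:00Z",
                   "end-datetime": "2024-12-31T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "constructed-report-1",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com",
                   "policy-string": ["version: STSv1", "mode: enforce",
                                     "mx: mail.example.com", "max_age: 604800"],
                   "mx-host": ["mail.example.com"]},
        "summary": {"total-successful-session-count": 120,
                    "total-failure-session-count": 2},
        "failure-details": [
            {"result-type": "certificate-host-mismatch", "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mail.example.com", "failed-session-count": 1},
            {"result-type": "sts-policy-fetch-error", "sending-mta-ip": "192.0.2.11",
             "receiving-mx-hostname": "mail.example.com", "failed-session-count": 1},
        ],
    }],
})

def summarize_tlsrpt(report_json):
    """Aggregate one report: per policy domain, session totals and failures by result-type."""
    report = json.loads(report_json)
    summary = {"reporter": report.get("organization-name"), "domains": {}}
    for entry in report.get("policies", []):
        policy = entry.get("policy", {})
        counts = entry.get("summary", {})
        failures = Counter()
        for detail in entry.get("failure-details", []):
            failures[detail.get("result-type", "unknown")] += int(detail.get("failed-session-count", 0))
        summary["domains"][policy.get("policy-domain")] = {
            "policy_type": policy.get("policy-type"),
            "ok": int(counts.get("total-successful-session-count", 0)),
            "failed": int(counts.get("total-failure-session-count", 0)),
            "failures_by_type": dict(failures),
        }
    return summary

def failure_ratio(domain_summary):
    """Share of sessions that failed; watch this while in testing mode before enforcing."""
    total = domain_summary["ok"] + domain_summary["failed"]
    return domain_summary["failed"] / total if total else 0.0
```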

Recommended Services

I would recommend the following service for MTA-STS & DMARC ingestion: URIports (Real-time reporting for websites and email with DMARC, TLS-RPT, CSP, NEL, and more).

For hosting your MTA-STS record, you can use URIports to manage and host the required policy file. They handle all the heavy lifting for you and provide unique DNS records to add, making the process straightforward.

Microsoft Azure offers up to 10 free static websites with free SSL certificates and automated renewals. I highly recommend using Azure for hosting your MTA-STS files.

Alternatively, you can host the file using any web hosting service. However, if you’re using an IIS server, please see the details below for step-by-step instructions on how to configure your server to host the MTA-STS file.

Create a New IIS Web Site

  1. Open IIS Manager:
    • On your Windows server, open Internet Information Services (IIS) Manager.
  2. Add a New Site:
    • In the Connections pane, right-click on Sites and choose Add Website.
  3. Configure Site Settings:
    • Site Name: Enter mta-sts.example.com (or any name that makes sense for the site).
    • Physical Path: Choose a directory on your server where you will store the files (e.g., C:\inetpub\wwwroot\mta-sts).
    • Binding:
      • Type: Choose http for port 80, and https for port 443 (you’ll need an SSL certificate for HTTPS).
      • IP Address: Choose All Unassigned or a specific IP address.
      • Hostname: Enter mta-sts.example.com.
      • Port: Enter 80 for HTTP and 443 for HTTPS.
  4. Click OK to create the site.

Create the .well-known Directory

  1. Navigate to the Physical Path:
    • Open File Explorer and go to the directory where the site files are stored (e.g., C:\inetpub\wwwroot\mta-sts).
  2. Create the well-known Folder:
    • Inside the mta-sts folder, create a new folder named well-known (make sure not to include the dot at the beginning).
  3. Create the mta-sts.txt File:
    • Inside the well-known folder, create a new text file named mta-sts.txt.
    • Add the required MTA-STS policy content to the file.
    • Save and close the file.
  4. Open IIS Manager:
    • On your server, launch Internet Information Services (IIS) Manager.
  5. Select Your Site:
    • In the left panel (Connections), expand the server node and click on your site (e.g., mta-sts.example.com).
  6. Add Virtual Directory:
    • Right-click on your site and select Add Virtual Directory… from the context menu.
  7. Configure Alias and Physical Path:
    • In the Alias field, enter .well-known.
    • In the Physical Path field, browse to the well-known folder you created (e.g., C:\inetpub\wwwroot\mta-sts\well-known), so that requests for /.well-known/mta-sts.txt are served from it.

Configure Bindings for Port 80 and 443

  1. HTTP Binding for Port 80:
    • In IIS Manager, select your new website (mta-sts.example.com).
    • In the Actions pane, click on Bindings.
    • Click Add to create a new binding.
    • Choose http for the Type, set Port to 80, and enter mta-sts.example.com for the Hostname.
    • Click OK.
  2. HTTPS Binding for Port 443:
    • In the Bindings window, click Add again.
    • Choose https for the Type, set Port to 443, and enter mta-sts.example.com for the Hostname.
    • SSL Certificate: If you don’t have a wildcard SSL certificate, you’ll need to create one. I recommend using win-acme, as it offers automation for this process as well.
    • Click OK.

Considerations

  • Ensure your inbound mail servers support TLS, ideally TLS 1.2 or higher.
  • Senders that don’t check MTA-STS get none of its protection, so the benefit for your inbound email depends on the sending providers supporting it.
  • A web host or MTA-STS hosting provider is required for hosting the necessary files.
  • If you change your MX entries, the MTA-STS file must also be updated (along with the id in the _mta-sts TXT record). I recommend switching the mode from “enforce” to “testing” several weeks before the change, and then back to “enforce” once all updates have been made; mail flow can be impacted otherwise.
