Configuring MTA-STS in Xeams

Mail Transfer Agent Strict Transport Security (MTA-STS) is a mechanism that enforces transport-level encryption when corresponding with other SMTP servers on the Internet. Using the steps below, you can configure your domain for MTA-STS.

Benefits of using MTA-STS

Email communication becomes more secure when MTA-STS is supported by your domain. The sender's email server will only send messages to your server if:

  • It finds a valid SSL certificate that is signed by a trusted authority and is not expired.
  • TLS 1.2 or higher is used.

What happens when MTA-STS is not published?

Transport-level encryption becomes optional when MTA-STS is not used. Therefore, anyone with access to an intermediate network, such as an ISP, can not only view but also modify messages before they reach their final destination.

Requirements

In a nutshell, you need the following in order to publish MTA-STS for your domain:

  • A TXT record in your DNS server for _mta-sts.yourdomain.com. This record tells other servers your domain supports MTA-STS.
  • Another TXT record for _smtp._tls.yourdomain.com. This record is optional but is important if you want to receive reports from other servers on the Internet.
  • A text-based policy file that is served through a web server that meets the following requirements:
    • The URL must be https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. For example, here are the policy files for Gmail and Synametrics.
    • The website must listen on HTTPS on port 443
    • It must use a trusted SSL certificate

TLS Reporting

In addition to enforcing encryption, MTA-STS provides a mechanism for other servers to report TLS-related problems to you. Other servers on the Internet, such as Gmail or Hotmail, will send reports to your server with information about encryption. These reports will contain errors if they are unable to use encryption when sending email to your domain.

Reports generated by other servers are sent to the email address you define in your _smtp._tls.yourdomain.com TXT record. For example:

v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.net

In this case, emails will be sent to tlsrpt@yourdomain.net. Xeams will automatically accept messages sent to this address, parse the attached JSON file containing the report's payload, summarize data from multiple reports and display them on the web interface.
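As an added illustration (not code from Xeams or this article), the following Python script merges the JSON payloads of several TLS-RPT reports the way the paragraph above describes, using two constructed reports in the RFC 8460 layout; the sender names, counts and IP address are made up.

```python
import json
from collections import Counter

# Two constructed TLS-RPT reports in the RFC 8460 JSON shape (not real reports from any provider).
REPORT_A = json.dumps({
    "organization-name": "Sender A", "report-id": "a-20230101",
    "date-range": {"start-datetime": "2023-01-01T00:00:00Z", "end-datetime": "2023-01-02T00:00:00Z"},
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "yourdomain.net", "mx-host": ["mail.yourdomain.net"]},
        "summary": {"total-successful-session-count": 120, "total-failure-session-count": 2},
        "failure-details": [{"result-type": "certificate-expired", "sending-mta-ip": "192.0.2.10",
                             "receiving-mx-hostname": "mail.yourdomain.net", "failed-session-count": 2}],
    }],
})
REPORT_B = json.dumps({
    "organization-name": "Sender B", "report-id": "b-20230101",
    "date-range": {"start-datetime": "2023-01-01T00:00:00Z", "end-datetime": "2023-01-02T00:00:00Z"},
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "yourdomain.net", "mx-host": ["mail.yourdomain.net"]},
        "summary": {"total-successful-session-count": 40, "total-failure-session-count": 1},
        "failure-details": [{"result-type": "sts-policy-fetch-error", "failed-session-count": 1}],
    }],
})

def summarize(report_jsons):
    """Merge several TLS-RPT reports into per-domain totals and failures by result-type."""
    totals = {}
    for raw in report_jsons:
        report = json.loads(raw)
        for entry in report.get("policies", []):
            domain = entry["policy"]["policy-domain"]
            stats = totals.setdefault(domain, {"ok": 0, "failed": 0, "reasons": Counter(), "reporters": set()})
            summary = entry.get("summary", {})
            stats["ok"] += summary.get("total-successful-session-count", 0)
            stats["failed"] += summary.get("total-failure-session-count", 0)
            stats["reporters"].add(report.get("organization-name", "unknown"))
            for failure in entry.get("failure-details", []):
                # failed-session-count is mandatory in the RFC, but be lenient with odd reporters
                stats["reasons"][failure["result-type"]] += failure.get("failed-session-count", 1)
    return totals

def failure_rate(totals, domain):
    """Fraction of reported sessions that failed for a domain (0.0 when nothing was reported)."""
    stats = totals.get(domain)
    if not stats or stats["ok"] + stats["failed"] == 0:
        return 0.0
    return stats["failed"] / (stats["ok"] + stats["failed"])
```

A non-zero failure rate, or any entry under "reasons", is the signal to check the certificate and policy on the receiving MX named in the report.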

Steps to Configure MTA-STS

There are two ways to configure MTA-STS:

  • Using Xeams (recommended)
  • Without Xeams

Publishing MTA-STS with Xeams

Xeams offers several benefits when publishing MTA-STS:

  • Takes care of publishing the policy file automatically. The URL of this file must be https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
  • Takes care of creating and pushing TXT records to your DNS server, provided DNS integration is enabled.
  • Takes care of creating an SSL certificate for the host mta-sts.yourdomain.com, provided Let's Encrypt is being used.
  • Processes incoming TLS reports sent to tlsrpt@yourdomain.net and displays them in the web console.

Prerequisite

  • You must configure Xeams to listen on port 443 for HTTPS, which must be accessible over the Internet.

Configuration Steps

  • Log in as an administrator to Xeams web interface.
  • Click Reports/MTA-STS & TLS Reporting.
  • Select a desired domain
  • Follow the instructions on the screen to complete the process. These consist of 4 steps, each of which can be completed with simple mouse clicks, provided you're using an SSL certificate from Let's Encrypt and your DNS server is integrated.

FAQ

Q: Can I use Xeams to publish MTA-STS policy without using a certificate from Let's Encrypt?
A: Yes. However, you will either have to use a wildcard or a multi-domain certificate.

Q: Do I have to integrate my DNS server with Xeams?
A: No. You can always modify entries in the DNS server manually. The DNS integration feature adds convenience but is not required.

Publishing MTA-STS without Xeams

The steps below make the following assumptions:

  • Your domain name is example.com.
  • The MX record for example.com points to mail.example.com.
  • You have already enabled SSL in Xeams, and the SMTP server is configured to use STARTTLS.

Steps

  • Create a new text file with the name mta-sts.txt and place the following content:
    version: STSv1
    mode: enforce
    mx: mail.example.com
    max_age: 86400
  • The value for mode can be "none", "testing", or "enforce". The value for max_age is specified in seconds. 86400 represents 1 day.
  • Upload mta-sts.txt to a web server with the following URL:
    https://mta-sts.example.com/.well-known/mta-sts.txt
  • Next, create a DNS TXT record with the following values:
    • Host name: _mta-sts.example.com
    • Value: v=STSv1; id=20230101T010101;
  • The value for id represents a timestamp and must be changed whenever mta-sts.txt is modified.
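An added, self-contained example (not part of Xeams or of this article) that checks the pieces created in the steps above before you rely on them: it parses the mta-sts.txt policy, validates the _mta-sts TXT record, and tests whether an MX host is covered by the policy, including the leading wildcard form RFC 8461 permits. The sample policy and record are the ones from the steps; the function names are my own.

```python
import re
# Constructed sample inputs mirroring the steps above (not Xeams code or data).
POLICY_TEXT = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 86400\n"
TXT_RECORD = "v=STSv1; id=20230101T010101;"

def parse_policy(text):
    """Parse an MTA-STS policy file into a dict; 'mx' collects every mx: line."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key:
            policy[key] = value
    return policy

def policy_errors(policy):
    """List problems with a parsed policy; an empty list means it is usable."""
    errors = []
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    if policy.get("mode") not in ("none", "testing", "enforce"):
        errors.append("mode must be none, testing or enforce")
    if not policy.get("max_age", "").isdigit():
        errors.append("max_age must be an integer number of seconds")
    if policy.get("mode") != "none" and not policy["mx"]:
        errors.append("at least one mx line is required unless mode is none")
    return errors

def txt_record_errors(record):
    """Validate the _mta-sts TXT record: v=STSv1 plus an id of 1-32 letters/digits."""
    fields = dict(p.strip().partition("=")[::2] for p in record.split(";") if "=" in p)
    errors = []
    if fields.get("v") != "STSv1":
        errors.append("TXT record must contain v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        errors.append("id must be 1-32 letters or digits (change it on every policy edit)")
    return errors

def mx_allowed(policy, mx_host):
    """True if an MX host is covered by the policy; '*.example.com' matches one label only."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]) and "." not in host[: 1 - len(pattern)]:
                return True
        elif host == pattern:
            return True
    return False
```

Run mx_allowed against every host in your domain's MX record set; any host it rejects will cause senders in enforce mode to refuse delivery.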

Rationale For Disabling MTA-STS

Consider disabling MTA-STS in Xeams when it is not the last SMTP server in your email flow for outbound messages, for example when it relays through a smart host. Take the following scenario as an example:

Gmail uses enforce for its MTA-STS policy. Therefore, Xeams will enforce encryption when trying to communicate with Gmail's servers. It will also expect an SSL certificate for Google's MX hosts but will instead find the certificate presented by your smart host. As a result, delivery to any Gmail address will fail.

Troubleshooting Common Problems

Xeams complains mta-sts.txt is not published, even after completing the steps.

There are two requirements to ensure mta-sts.txt is published:

  1. TXT record for _mta-sts.yourdomain.com exists.

    Xeams will not be able to find the TXT record when it is configured to use a DNS server running inside your LAN that is authoritative for your domain but does not hold all of the records. It is always recommended to configure a DNS server that is running on the Internet, not on your local LAN.

    To confirm that DNS lookups yield the correct records, click Tools on the main menu. Then perform a DNS lookup on _mta-sts.yourdomain.com and on mta-sts.yourdomain.com. The first should return a TXT record and the second either an IP address or a host name.

  2. https://mta-sts.yourdomain.com/.well-known/mta-sts.txt must exist.

    Often, resolving mta-sts.yourdomain.com yields your public IP. In other words, the browser will try going out of your network and then come back to fetch the file. Many firewalls do not allow that. In such cases, you can either configure the firewall so a machine inside your LAN can reach hosts that are also inside, or add mta-sts.yourdomain.com to your local hosts file with an IP address of 127.0.0.1. This skips the DNS lookup on the host name and the page will be served from the local machine.

I run into an error trying to generate a certificate from Let's Encrypt after configuring MTA-STS

Changes in a DNS server can take some time to take effect. Ensure the host name mta-sts.yourdomain.com resolves correctly before applying for a certificate.