Mail Transfer Agent-Strict Transport Security (MTA-STS) is a mechanism that enforces transport-level encryption when corresponding with other servers SMTP servers on the Internet. Using the steps below, you can configure your domain for MTA-STS.
Email communication becomes more secure when MTA-STS is supported by your domain. The sender's email server will only send messages to your server if:
In a nutshell, you need the following in order to publish MTA-STS for you domain:
_mta-sts.yourdomain.com. This record tells other servers your domain supports MTA-STS.
_smtp._tls.yourdomain.com. This record is optional but is important if you want to receive reports from other servers on the Internet.
In addition to enforcing encryption, MTA-STS provides a mechanism to report any TLS related problems to your server. Other servers on the Internet, such Gmail or Hotmail will send reports to your server with information about encryption. These reports will contain errors if they are unable to use encryption when sending email to your domain.
Reports generated by other servers are sent to the email address you define in
_smtp._tls.yourdomain.com TXT record. For example:
In this case, emails will be sent to
firstname.lastname@example.org. Xeams will automatically accept messages
sent to this address, parse the attached JSON file containing the report's payload, summarize data from multiple reports
and display them on the web interface.
There are two ways to configure MTA-STS:
Xeams offer several benefits when publishing MTA-STS:
mta-sts.yourdomain.com, provided Let's Encrypt is being used.
email@example.com and display them in the web console.
Q: Can I use Xeams to publish MTA-STS policy without using a certificate from Let's Encrypt?
A: Yes. However, you will either have to use a wildcard or a multi-domain certificate.
Q: Do I have to integrate my DNS server with Xeams?
A: No. You can always modify entries in the DNS server manually. The DNS integration feature adds convenience but is not required.
The following steps make the following assumptions:
mta-sts.txt and place the following content:
version: STSv1 mode: enforce mx: mail.example.com max_age: 86400
Considering disabling MTA-STS in Xeams when it is not the last SMTP server in your email flow for outbound message. Take the following scenario as an example:
GMail uses enforce for their MTA-STS policy. Therefore, Xeams will enforce encryption when trying to communicate with GMail's servers. It will also expect an SSL certificate from Google but instead will find a certificate used in your smart host. As a result, delivery to any GMail address will fail.
mta-sts.txt is not published, even after completing the steps.
There are two requirements to ensure
mta-sts.txt is published:
Xeams will not be able find a TXT record is when you configure a DNS server running inside your LAN, is authoritative for your domain, but does not have all the records. It is always recommended to configure a DNS server that is running on the Internet, not on your local LAN.
To confirm DNS lookups yields correct IP, click Tools on the main menu. Then perform a DNS lookup on
mta-sts.yourdomain.com. The first one should return a TXT record
and the second one either an IP or host name.
https://mta-sts.yourdomain.com/.well-known/mta-sts.txt must exist.
Often when trying to resolve
mta-sts.yourdomain.com yields your public IP. In other words, the browser will try going out of your network and
then come back to fetch the file. Many firewalls do not allow that. In such cases, you can either configure the firewall so a machine inside your LAN can
access hosts that also inside or
add mta-sts.yourdomain.com in your local host file with an IP address of
127.0.0.1. This will skip DNS
lookup on the host name and the page will be served from the local machine.
Changes in a DNS server can take some time to take affect. Ensure the host name
mta-sts.yourdomain.com resolves correctly before applying
for a certificate.