Hi Zimbra Customers, Partners & Friends,
Do you want to prevent man-in-the-middle attacks and enhance your email confidentiality? You can with MTA-STS.
MTA-STS is short for Mail Transfer Agent (MTA) Strict Transport Security (STS). MTA-STS enforces encryption and secure communications between SMTP servers via TLS (Transport Layer Security). With MTA-STS fully implemented, it prevents man-in-the-middle attackers from viewing and manipulating in-transit emails.
How does MTA-STS work?
Let’s assume you’re a hosting provider receiving email on the zimbra.com domain. To implement MTA-STS, you would publish a DNS record and a policy file served via a web server.
All sending SMTP servers with MTA-STS check for the DNS record and policy file. Based on the policy, the sending mail server only transmits email over a secured/encrypted connection. If that’s not available, the send is aborted, and the sender receives an error message.
Without MTA-STS, SMTP servers fall-back to unencrypted communication when an encrypted connection isn’t available.
Why do you need it?
Zimbra enables TLS on the MTA by default, but there are reasons why TLS can’t be used for incoming mail. For example, sometimes the TLS certificate is self-signed or a different DNS name is used for the MX server. Because MTAs fall-back to unencrypted communication, these misconfigurations can go unnoticed for a long time. If you use MTA-STS, you will know absolutely if TLS is enabled and working for your senders.
Please note: You won’t need to change Postfix because it understands how to `decrypt` emails, so there’s no visible change for your users.
How to configure it?
The MTA-STS needs to point to a web server, in this case it is a CNAME. You also need to have:
- At least 3 DNS records
- `_mta-sts`, defines your MTA-STS version
- `_smtp._tls`, enables reporting
Example for bind:
mta-sts CNAME example.com.
_mta-sts IN TXT "v=STSv1; id=1625134673"
_smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@example.com"
Configure your web server to serve out the policy file, so that you can find it via the url like this: https://mta-sts.example.com/.well-known/mta-sts.txt and the contents of the file:
version: STSv1
mode: enforce
mx: mail2.example.com
mx: mail2.example.nl
max_age: 86400
Mode can be `none`, `testing` or `enforce`. Start by putting it on `testing`, and monitor the postmaster@example.com account for reports. You'll soon receive reports from the largest email providers in the world. Check the reports for errors.
Please note that the TLS certificate for your mail servers must match the domain name, AND the web server used for serving out the policy file must be on the same domain. You cannot serve out your policy file from randomdomain.org even if that has a correct TLS certificate. You can use wildcard certificates.
Example report
Here is an example MTA-STS report.
As you can see, there is a zipped JSON file attachment. The contents are something like this:
{"organization-name":"Sending Org Inc.","date-range":{"start-datetime":"2021-07-09T00:00:00Z","end-datetime":"2021-07-09T23:59:59Z"},"contact-info":"smtp-tls-reporting@google.com","report-id":"2021-07-09T00:00:00Z_example.nl","policies":[{"policy":{"policy-type":"sts","policy-string":["version: STSv1","mode: enforce","mx: mail2.example.tk","mx: mail2.example.nl","max_age: 86400"],"policy-domain":"example.nl"},"summary":{"total-successful-session-count":3,"total-failure-session-count":0}}]}
If you can't read JSON, you can copy-paste it to https://jsonformatter.org/json-pretty-print
Next steps
By publishing the policy, your incoming email will be encrypted. However, only large email providers support this. It's not enforced by default in Postfix or by most small email providers. So there is still a long road ahead. But consider publishing an MTA-STS policy that can eventually be used by everyone. Over time, Zimbra MTA (Postfix) can be configured to enforce MTA-STS for outgoing email as well.
Further reading:
- https://www.digitalocean.com/community/tutorials/how-to-configure-mta-sts-and-tls-reporting-for-your-domain-using-apache-on-ubuntu-18-04
- https://esmtp.email/tools/mta-sts/
Thanks,
Your Zimbra Team
Is this change affecting normal webmail or iOS Mail access? As of this morning, now receiving “An unknown error has occurred” messages while trying to access mail.
MTA-STS is configured outside of Zimbra in DNS and on a separate webserver. The error you are seeing is not related to MTA-STS or this blog post.
Thanks for your valuable information. Email confidentiality is must for business.