How to secure emails in Exchange Online with MTA-STS.

Emails crossing the Internet are normally carried over connections encrypted with Transport Layer Security (TLS). However, vulnerabilities remain in this method of protecting the confidentiality of email: a person-in-the-middle can trick an incoming connection into being redirected to another server and/or have the information sent in the clear. SMTP MTA Strict Transport Security (MTA-STS) was developed to ensure that TLS is always used for connections between email servers. It also gives sending servers a way to validate that the receiving server presents a trusted certificate. If TLS is not offered or the certificate is not valid, the sender refuses to deliver messages.

MTA-STS can be broken down into two scenarios: inbound and outbound protection. Inbound protection covers protecting domains hosted in Exchange Online with MTA-STS. Outbound protection covers the MTA-STS validation that Exchange Online performs when sending emails to MTA-STS-protected domains.

Setting up MTA-STS

Pre-requisites

  • An Azure subscription
  • Appropriate roles assigned to the account used for setting up the web app
  • An appropriate App Service Plan

Implementation

  • Log into Azure Portal (portal.azure.com)
  • Search for App Services in the “Search resources, services, and docs” search bar
  • Click on App Services
  • Click Create and in the drop-down arrow next to the Create menu, select “Web App”.
  • Populate the fields with the correct values for:
    • Subscription
    • Resource Group
    • Instance Details > Name
    • Publish
    • Runtime stack
    • Region
    • Pricing plans

A sample page has been supplied below:

  • Click “Review + Create”.
  • Create your package.zip file with the following files:
    • index.html
    • styles.css
    • A “.well-known” folder with the following file in it:
      • mta-sts.txt

The mta-sts.txt file adheres to this syntax:

  • Download and install the Azure CLI MSI installer from https://aka.ms/installazurecliwindowsx64
  • Launch a PowerShell prompt and change directory to the location of the package.zip file. Then run the following commands:
    • az login
    • az account set --subscription "Subscription Name"
    • az webapp deploy --resource-group "Resource Group Name" --name "Name of Web App created above" --src-path package.zip
  • Go back to the web app created in the Azure portal, and click Custom Domains (under the Settings tree).
  • Create the appropriate DNS records as required by Domain Validation.
  • Create an additional TXT record (_mta-sts.contoso.com. 3600 IN TXT "v=STSv1; id=20220101000000Z;"). This record declares support for MTA-STS.
  • Click the Validate button.
  • Navigate back to the Overview menu and click the web app link in the Default domain section.
  • Browse to https://<default domain>/.well-known/mta-sts.txt; you should get the contents of the mta-sts.txt file, as shown below:

  • Use any publicly available MTA-STS checker to confirm that the setup is correct.
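The policy file format referred to above, the _mta-sts TXT record from the earlier step, and the checks that a public MTA-STS checker (or a sending MTA) performs can be exercised offline with the following Python script. It is an added example, not code from this article or from Microsoft: the domain contoso.com, the TXT record value and the MX host name are constructed sample data, and the mx pattern *.mail.protection.outlook.com is the one Exchange Online tenants publish. One point the script makes explicit is that senders fetch the policy from https://mta-sts.<domain>/.well-known/mta-sts.txt, so the custom domain bound to the web app must be mta-sts.<your domain>, not only the default azurewebsites.net name.

```python
"""Offline MTA-STS policy checker (added example, not from the original article).

Performs the checks a sending MTA makes under RFC 8461 before it trusts a
receiving domain's policy, on constructed sample data for the fictitious
domain contoso.com.
"""
import re

# Constructed sample inputs (assumptions for this example, not real records).
SAMPLE_DOMAIN = "contoso.com"
SAMPLE_TXT_RECORD = "v=STSv1; id=20220101000000Z;"   # value of _mta-sts.contoso.com
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: *.mail.protection.outlook.com
max_age: 604800
"""
SAMPLE_MX_HOSTS = ["contoso-com.mail.protection.outlook.com"]

MAX_AGE_LIMIT = 31557600  # one year, the upper bound RFC 8461 allows for max_age


def policy_url(domain):
    """Well-known HTTPS location a sender fetches the policy from (RFC 8461 3.3)."""
    return f"https://mta-sts.{domain}/.well-known/mta-sts.txt"


def parse_txt_record(record):
    """Parse the value of the _mta-sts.<domain> TXT record into a dict."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"TXT record: malformed field {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        fields[key] = value
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record: expected v=STSv1")
    # id is 1 to 32 alphanumerics; changing it tells senders to refetch the policy
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("TXT record: id must be 1-32 letters or digits")
    return fields


def parse_policy(text):
    """Parse mta-sts.txt (RFC 8461 3.2); 'mx' collects every mx line."""
    policy = {"mx": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"policy line {lineno}: expected 'key: value'")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in policy:
            raise ValueError(f"policy line {lineno}: duplicate field {key!r}")
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy: version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("policy: mode must be enforce, testing or none")
    if not policy["mx"] and policy["mode"] != "none":
        raise ValueError("policy: at least one mx pattern is required")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        raise ValueError("policy: max_age must be an integer of seconds up to one year")
    policy["max_age"] = int(max_age)
    return policy


def mx_matches(mx_host, pattern):
    """RFC 8461 4.1 matching: exact, or '*.' standing for exactly one leading label."""
    mx_host = mx_host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        first_label, sep, rest = mx_host.partition(".")
        return bool(first_label) and sep == "." and rest == pattern[2:]
    return mx_host == pattern


def check_domain(txt_record, policy_text, mx_hosts):
    """Run the sender-side checks; return (mx_ok, mode, findings)."""
    parse_txt_record(txt_record)   # a malformed record means the policy is ignored
    policy = parse_policy(policy_text)
    unmatched = [h for h in mx_hosts
                 if not any(mx_matches(h, p) for p in policy["mx"])]
    findings = [f"MX host {h} matches no mx pattern; an enforcing sender would "
                f"refuse to deliver" for h in unmatched]
    if policy["mode"] == "testing":
        findings.append("mode is testing: failures are only reported via TLS-RPT, not enforced")
    return not unmatched, policy["mode"], findings


if __name__ == "__main__":
    print("policy URL:", policy_url(SAMPLE_DOMAIN))
    ok, mode, notes = check_domain(SAMPLE_TXT_RECORD, SAMPLE_POLICY, SAMPLE_MX_HOSTS)
    print(f"MX hosts covered by policy: {ok}, mode: {mode}")
    for note in notes:
        print(" -", note)
```

To check a real tenant, replace the three sample inputs with the TXT record value, the fetched policy body and the domain's MX hosts; the wildcard rule is deliberately strict (one label only), which is why a policy for Exchange Online lists *.mail.protection.outlook.com rather than a bare suffix.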

Conclusion

The Microsoft article Enhancing mail flow with MTA-STS lists two options for configuring MTA-STS. However, if you are not comfortable with Visual Studio Code, Git, and Azure Functions, this guide should help you. MTA-STS can be set up and running in under 10 minutes. The policy mode in this guide was set to “testing.” To gain insight into domains affected by this policy, monitoring needs to be set up using TLS-RPT, which tells email-sending services where to send automated reports about TLS connection failures. The recipients of the reports can then assess and fix any potential issues. TLS-RPT provides the assurance needed to progress to an MTA-STS policy mode of “enforce”.