GSA security team request that all GSA domain names implement MTA-STS

[JJediny]

The GSA security team has requested that all GSA domain names implement MTA-STS, which involves publishing a policy that enforces the use of TLS for receiving email.

TTS System(s) need to publish an MTA-STS policy, which will list the valid domain names to expect on MX records and TLS certificates used by TTS System(s) mail servers. Email senders that comply with MTA-STS will load this policy and refuse to connect to mail servers that either do not support TLS encryption or fail to present one of the expected certificate names.

This is only applicable to domains hosted at least in part in a Google G Suite instance". It's a workaround specifically for 3DES being available on Google's mail servers, any other email sending domain which can exclude 3DES it wouldn't apply to.

GSA's MTA-STS Guidance

Domains security requested fixes for:

• [ ] login.gov https://github.com/18F/identity-devops/issues/1676
• [ ] connect.gov

  DNS TXT records:
  _mta-sts.connect.gov 60 min v=STSv1; id=7bfey8weo
  _smtp._tls.connect.gov 180 min v=TLSRPTv1;rua=mailto:tls.reports@gsa.gov
  DNS A record:
  mta-sts.connect.gov -> 159.142.191.107

• [ ] pif.gov

  DNS TXT records:
  _mta-sts.pif.gov 60 min v=STSv1; id=7bfey8weo
  _smtp._tls.pif.gov 180 min v=TLSRPTv1;rua=mailto:tls.reports@gsa.gov
  DNS A record:
  mta-sts.pif.gov -> 159.142.191.107

• [ ] plainlanguage.gov

  DNS TXT records:
  _mta-sts.plainlanguage.gov 60 min v=STSv1; id=7bfey8weo
  _smtp._tls.plainlanguage.gov 180 min v=TLSRPTv1;rua=mailto:tls.reports@gsa.gov
  DNS A record:
  mta-sts.plainlanguage.gov -> 159.142.191.107

[its-a-lisa-at-work]

Closing based on the decision made on 4/21/20 to close anything that wasn't a Major current Initiative or Notable mention from the Tech Portfolio Sprint Planning 2020-04-20 radiated intent in slack and open for discussion on reopening.