add MTA-STS support

[shoulders]

SYSTEM INFORMATION
OS type and version	Ubuntu Linux 22.04.4
Webmin version	2.111
Usermin version	2.010
Virtualmin version	7.10.0
Theme version	21.10
Package updates	30 package updates are available

The background

MTA-STS is an email technology that ensures that there is a secure/encrypted connection between both email servers.

the request

Can this be added to virtualmin?

additional

How Do I Set Up MTA-STS?

• To implement MTA-STS for your domain(s), you must do the following:
  • Add an A or CNAME type DNS record at mta-sts.[domain] that points to the HTTPS enabled web server serving the MTA-STS policy file.
  • Add a TXT or CNAME type DNS record at _mta-sts.[domain] that indicates the use of MTA-STS, and update the ID value on policy change.
  • Set up an HTTPS enabled web server with a valid certificate for the domain at mta-sts.
  • (Optional/Recommended) Enable SMTP TLS reporting through TXT or CNAME record held at _smtp._tls.domain. Set the Mode to Testing.

from: https://mxtoolbox.com/dmarc/details/mta-sts/what-is-mta-sts-record

Links

• https://mxtoolbox.com/dmarc/details/mta-sts/what-is-mta-sts-record
• https://mxtoolbox.com/mta-sts.aspx - a free lookup tool
• https://www.gov.uk/government/publications/email-security-standards/using-the-mail-transfer-agent-strict-transport-security-mta-sts-protocol-in-your-organisation
• https://www.youtube.com/watch?v=3bzzLsQe-Sg - A webinar record for MTS-STS by Synametrics Technologies.
• https://www.youtube.com/watch?v=2c1D_YG_-0w - What is MTA-STS ? (2024)

[chris001]

Adding automatic DNS records for MTA Strict Transport Security and TLS Reporting, for all incoming and outgoing postifx MTA emails, would protect users from network eavesdropping by ISPs and data collection organizations. Very nice to have. This feature would place Virtualmin ahead of Plesk and cPanel - neither of which have MTA-STS and TLS Reporting (yet).

Increase email security with MTA-STS and TLS Reporting.

[jcameron]

Interesting, I didn't know about this ... I'll look into adding support for MTA-STS.

[iliajie]

As far as I know, it's not that simple to set up! The MTA-STS policy file must be accessible via HTTPS at a specific URL like:

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

This means you need to support DNS records for domains like mta-sts., have an LE SSL certificate set up, and configure Postfix with the smtp_tls_policy_maps table.

That's a lot of work! Why not just provide an option in Virtualmin to enforce TLS connections using:

smtp_tls_security_level = enforce

and

smtpd_tls_security_level = enforce

[shoulders]

• enforcing TLS connection is not RFC compliant, this is why MTA-STS was developed
• smtp_tls_security_level = Webmin --> Postfix Mail Server --> SMTP Client Options --> SMTP TLS client security level: DANE TLS
• smtpd_tls_security_level = Webmin --> Postfix Mail Server --> SMTP Authentication And Encryption --> Enable TLS encryption?:

  • encrypt - Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers.

My thoughts for solution on virtualmin (but not tested) for enabling MTA-STS

• create an alias for the domain, keep it hidden in the GUI but not DNS (obviously)
• deploy the text file into the .well-known directory of the domain
• create a LE SSL for the alias which could be part of the main domain certificate

This should prevent the need for setting up another virtual server requiring extra assets. I did not see anywhere that the SSL had to be separate to that of the domain you wish to add MTA-STS to.

[iliajie]

Opportunistic TLS, i.e., smtp*_tls_security_level = may, is compliant and we're already using it. When I hosted my own mail, I used enforce and couldn't care less. It also helped prevent spam. While I understand that using encrypt blindly isn't suitable for everyone, especially companies, it's much less of a headache and easier to support. MTA-STS, on the other hand, seems overly complex to support and will likely be treated as a niche feature..

[shoulders]

It is niche at the moment, but maybe in the future it will be used more.

I did not know about it either until a couple of days ago when looking at forcing tls only email.

[chris001]

Here's some more reasons why it's a good idea to add, followed by a real world risk it protects against.

It's standard now since some time, because it publishes the mail server's settings to the internet, so all mail servers will know what to expect and what is likely an attack. This allows MTAs to verify email messages are coming from, and going to, the authorized mail server for the domain, and to reject email that is coming from unauthorized spoofed servers.

Microsoft, Yahoo, Google, Proton mail, all the major email services, are enforcing the MTA-STS policies set by domains sending mail to them and receiving mail from them.

MTA Strict Transport Security was introduced by email service providers as a solution to protect against downgrade and man-in-the-middle attacks in SMTP sessions, as well as solving the lack of security-first communication standards in email.

MTA-STS on its most basic level elevates the security of inbound email being sent to your domains by ensuring 1) only messages that are TLS encrypted are delivered and 2) those messages can only be delivered to those email servers published by the MTA-STS policy.

MTA-STS standardizes allowing domain owners to specify how mail servers should handle the encryption and authentication of their SMTP connections. MTA-STS can help prevent email spoofing, interception, and tampering by enforcing TLS encryption and certificate validation for your domains - by requiring authentication checks and good encryption for email in transit.

MTA-STS also increases email security by acting as a deterrent against pervasive monitoring of email traffic and protecting against man-in-the-middle attacks. You can make your email communications more secure by setting MTA-STS policies and ask the organizations with which you communicate to also set MTA-STS policies for their mail servers.

This solves real cyber security problems. For example: Scammers have already hacked into email, intercepted business invoices, changed the receiving bank account details in the invoice to details of a bank account under their control, and ended up in possession of the business funds, all because of how simple it is for them to use a network attack to downgrade the SMTP session to cleartext, how easy it is then to eavesdrop on the unencrypted email traffic, and lack of standard to control which named mail servers, verified by TLS certificates, and which encryption protocols, are authorized to send and receive mail for the domain.

[Neustradamus]

It is a good request :)

[shoulders]

TLS reporting could be added as a Pro feature if this is implemented.