Open shoulders opened 1 month ago
Adding automatic DNS records for MTA Strict Transport Security and TLS Reporting, for all incoming and outgoing postifx MTA emails, would protect users from network eavesdropping by ISPs and data collection organizations. Very nice to have. This feature would place Virtualmin ahead of Plesk and cPanel - neither of which have MTA-STS and TLS Reporting (yet).
Interesting, I didn't know about this ... I'll look into adding support for MTA-STS.
As far as I know, it's not that simple to set up! The MTA-STS policy file must be accessible via HTTPS at a specific URL like:
https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
This means you need to support DNS records for domains like mta-sts.
, have an LE SSL certificate set up, and configure Postfix with the smtp_tls_policy_maps
table.
That's a lot of work! Why not just provide an option in Virtualmin to enforce TLS connections using:
smtp_tls_security_level = enforce
and
smtpd_tls_security_level = enforce
smtp_tls_security_level
= Webmin --> Postfix Mail Server --> SMTP Client Options --> SMTP TLS client security level: DANE TLSsmtpd_tls_security_level
= Webmin --> Postfix Mail Server --> SMTP Authentication And Encryption --> Enable TLS encryption?:
encrypt - Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers.
My thoughts for solution on virtualmin (but not tested) for enabling MTA-STS
part
of the main domain certificateThis should prevent the need for setting up another virtual server requiring extra assets. I did not see anywhere that the SSL had to be separate to that of the domain you wish to add MTA-STS to.
Opportunistic TLS, i.e., smtp*_tls_security_level = may
, is compliant and we're already using it. When I hosted my own mail, I used enforce
and couldn't care less. It also helped prevent spam. While I understand that using encrypt
blindly isn't suitable for everyone, especially companies, it's much less of a headache and easier to support. MTA-STS, on the other hand, seems overly complex to support and will likely be treated as a niche feature..
It is niche at the moment, but maybe in the future it will be used more.
I did not know about it either until a couple of days ago when looking at forcing tls only email.
Here's some more reasons why it's a good idea to add, followed by a real world risk it protects against.
It's standard now since some time, because it publishes the mail server's settings to the internet, so all mail servers will know what to expect and what is likely an attack. This allows MTAs to verify email messages are coming from, and going to, the authorized mail server for the domain, and to reject email that is coming from unauthorized spoofed servers.
Microsoft, Yahoo, Google, Proton mail, all the major email services, are enforcing the MTA-STS policies set by domains sending mail to them and receiving mail from them.
MTA Strict Transport Security was introduced by email service providers as a solution to protect against downgrade and man-in-the-middle attacks in SMTP sessions, as well as solving the lack of security-first communication standards in email.
MTA-STS on its most basic level elevates the security of inbound email being sent to your domains by ensuring 1) only messages that are TLS encrypted are delivered and 2) those messages can only be delivered to those email servers published by the MTA-STS policy.
MTA-STS standardizes allowing domain owners to specify how mail servers should handle the encryption and authentication of their SMTP connections. MTA-STS can help prevent email spoofing, interception, and tampering by enforcing TLS encryption and certificate validation for your domains - by requiring authentication checks and good encryption for email in transit.
MTA-STS also increases email security by acting as a deterrent against pervasive monitoring of email traffic and protecting against man-in-the-middle attacks. You can make your email communications more secure by setting MTA-STS policies and ask the organizations with which you communicate to also set MTA-STS policies for their mail servers.
This solves real cyber security problems. For example: Scammers have already hacked into email, intercepted business invoices, changed the receiving bank account details in the invoice to details of a bank account under their control, and ended up in possession of the business funds, all because of how simple it is for them to use a network attack to downgrade the SMTP session to cleartext, how easy it is then to eavesdrop on the unencrypted email traffic, and lack of standard to control which named mail servers, verified by TLS certificates, and which encryption protocols, are authorized to send and receive mail for the domain.
It is a good request :)
TLS reporting could be added as a Pro feature if this is implemented.
The background
MTA-STS is an email technology that ensures that there is a secure/encrypted connection between both email servers.
the request
Can this be added to virtualmin?
additional
How Do I Set Up MTA-STS?
from: https://mxtoolbox.com/dmarc/details/mta-sts/what-is-mta-sts-record
Links