No Hair Github Pages

Setting up a mailserver on OpenBSD 6.9: TLSRPT and MTA-STS

N. Optional configuration: TLSRPT and MTA-STS

SPF, DKIM and DMARC are widely used but spam volume has, if anything, increased. In 2018, the IETF released RFC 8460 and RFC 8461, which respectively define TLSRPT and MTA-STS. These are not widely adopted yet, but email providers' spam filters may use the presence or absence of TLSRPT and MTA-STS as part of their spam scoring. The disadvantage of enabling MTA-STS is that it restricts mail traffic to your mail server to that which comes in over TLS/SSL. Thus, you may not receive certain messages if the odd remote relay does not use TLS/SSL. However, Google, Microsoft, Comcast, Protonmail, and many others have adopted it.

1. TLSRPT

TLS reporting, or TLSRPT for short, is very simple: all it does is publish a contact email address to which remote servers can report trouble with the TLS configuration of your SMTP server.

To enable it for your custom email domain example.com, simply create a DNS TXT record for the _smtp._tls subdomain:

_smtp._tls.example.com. TXT "v=TLSRPTv1; rua=mailto:<contact>"

where <contact> is the email address of your admin contact (without the angle brackets), for example:

_smtp._tls.example.com. TXT "v=TLSRPTv1; rua=mailto:postmaster@example.com"

2. MTA-STS

MTA Strict Transport Security (MTA-STS) tells other servers that they should avoid sending you unencrypted email and should only accept certain certificates from your side. MTA-STS requires an HTTP web server, but we already have one to manage our Let's Encrypt certificate renewals.

a. DNS: The DNS part is still pretty simple: create yet another DNS TXT record, this time for the subdomain _mta-sts:

_mta-sts.example.com. TXT "v=STSv1; id=<id>"

The <id> identifies the policy version so that you and remote servers can detect changes; I use the creation date of mta-sts.txt:

_mta-sts.example.com. TXT "v=STSv1; id=210803"

This <id> does not appear anywhere else, but you must change it every time you edit the MTA-STS policy file (mta-sts.txt) so that servers know it has changed. Don't forget to create an A record for the subdomain mta-sts (without underscore):

mta-sts.example.com. IN A 1.2.3.4

And add a CAA record for the new mta-sts subdomain:

mta-sts.example.com.  CAA 0 issue "letsencrypt.org"

b. Create the mta-sts policy file:

First, create the web root folder for the file.

doas mkdir -p /var/www/mta-sts/

Now create the file mta-sts.txt. The contents are as follows, where mx1.example.com and mx2.example.com are the mail hosts defined in example.com’s DNS MX records.

version: STSv1
mode: {none, testing, enforce}
mx: mx1.example.com
mx: mx2.example.com
max_age: <lifetime>

Note: this file is said to require CRLF (Windows-style, "\r\n") line endings, but it appears to work fine with files created by nano. So, for our example:

doas nano -w /var/www/mta-sts/mta-sts.txt
version: STSv1
mode: testing
mx: mail.example.com
max_age: 86400
ctrl-O
ctrl-X
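As an added example (not part of the original post), the following Python script parses the three artifacts described above: the TLSRPT TXT record, the _mta-sts TXT record and the mta-sts.txt policy file. It accepts both CRLF and bare LF line endings, which is why a nano-written file works in practice, validates the mode and max_age values against what RFC 8461 allows, and checks whether the hosts in your MX records are actually covered by the mx lines, including the single-label matching of a "*.example.com" wildcard. The record strings and policy text are constructed sample data, not the page's live zone.

```python
from typing import Dict, List

# Constructed sample records and policy for this example; they are not the page's
# live DNS zone. The policy is written with CRLF line endings as RFC 8461 specifies.
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:postmaster@example.com"
STS_TXT = "v=STSv1; id=210803"
POLICY_TEXT = (
    "version: STSv1\r\n"
    "mode: testing\r\n"
    "mx: mx1.example.com\r\n"
    "mx: *.example.com\r\n"
    "max_age: 86400\r\n"
)

MAX_AGE_LIMIT = 31557600           # RFC 8461 upper bound for max_age (one year)
VALID_MODES = ("none", "testing", "enforce")
Policy = Dict[str, object]


def parse_txt_record(txt: str, version: str) -> Dict[str, str]:
    """Parse a 'k=v; k=v' TXT record (TLSRPT or MTA-STS) and check its version tag."""
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != version:
        raise ValueError(f"expected v={version}, got {fields.get('v')!r}")
    return fields


def parse_policy(text: str) -> Policy:
    """Parse an MTA-STS policy file; CRLF and bare LF line endings are both accepted."""
    policy: Policy = {"mx": []}
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    return policy


def validate_policy(policy: Policy) -> List[str]:
    """Return a list of problems; an empty list means the policy is well formed."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in VALID_MODES:
        problems.append(f"mode must be one of {VALID_MODES}, got {mode!r}")
    max_age = policy.get("max_age")
    if max_age is None:
        problems.append("max_age is required")
    elif not 0 <= max_age <= MAX_AGE_LIMIT:
        problems.append(f"max_age {max_age} outside 0..{MAX_AGE_LIMIT}")
    if mode in ("testing", "enforce") and not policy["mx"]:
        problems.append(f"mode {mode} but no mx entries listed")
    return problems


def mx_permitted(policy: Policy, mx_host: str) -> bool:
    """Check one MX hostname against the policy's mx patterns. A '*.example.com'
    pattern matches a single leading label only (mail.example.com but not
    mail.sub.example.com); any other pattern must match exactly."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # ".example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def uncovered_mx_hosts(policy: Policy, mx_hosts: List[str]) -> List[str]:
    """MX hosts from the domain's MX records that the policy does not permit;
    in enforce mode, senders will refuse to deliver to these."""
    return [h for h in mx_hosts if not mx_permitted(policy, h)]


def render_policy(policy: Policy) -> str:
    """Serialise a policy back to the wire format with CRLF line endings."""
    lines = [f"version: {policy['version']}", f"mode: {policy['mode']}"]
    lines += [f"mx: {m}" for m in policy["mx"]]
    lines.append(f"max_age: {policy['max_age']}")
    return "\r\n".join(lines) + "\r\n"
```

Run uncovered_mx_hosts() against the hostnames from your own MX records before switching the mode to enforce: any host it returns is one that senders honouring the policy will stop delivering to. render_policy() writes the file with the CRLF endings the RFC asks for, so you can use it instead of relying on nano's output.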

c. httpd: Set your web server to obtain certificates and serve the file. Note that the policy file must be served over HTTPS, so you need yet another valid TLS certificate, this one for the mta-sts subdomain.

# http server to obtain and renew Let's Encrypt certificate for mta-sts

server "mta-sts.example.com" {
        listen on $ext_addr port $ext_HTTP_port

        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        
        location * {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
}

# https server to serve mta-sts.txt
# (leave commented out until acme-client has issued the certificate, then uncomment)

#server "mta-sts.example.com" {
#        listen on $ext_addr tls port $ext_HTTPS_port
#
#        tls {
#                certificate "/etc/ssl/mta-sts.example.com.fullchain.pem"
#                key "/etc/ssl/private/mta-sts.example.com.key"
#        }
#
#        # strip the ".well-known" component so /.well-known/mta-sts.txt
#        # is served from /var/www/mta-sts/mta-sts.txt
#        location "/.well-known/mta-sts.txt" {
#                root "/mta-sts"
#                request strip 1
#        }
#
#        location "/.well-known/acme-challenge/*" {
#                root "/acme"
#                request strip 2
#        }
#}

Check and restart httpd:

doas httpd -n
doas rcctl restart httpd

d. Now get the new certificates:

Configure acme-client: Add a stanza to acme-client.conf:

domain mta-sts.example.com {
        domain key "/etc/ssl/private/mta-sts.example.com.key"
        domain certificate "/etc/ssl/mta-sts.example.com.crt"
        domain full chain certificate "/etc/ssl/mta-sts.example.com.fullchain.pem"
        sign with letsencrypt
}

Now generate certificates:

doas acme-client -v mta-sts.example.com

Check if the new certificates are in /etc/ssl and keys in /etc/ssl/private.

Now uncomment the mta-sts https server stanza in /etc/httpd.conf and restart httpd.

e. Set up a cron job to check and renew the certificate:

doas crontab -e -u root

Add:

30	2	*	*	*	acme-client mta-sts.example.com

f. Check your work using various online MTA-STS validation tools:

Even if you did everything correctly, these tools will warn you that you’re not using DNSSEC/DANE. But, at this point, this is not widely adopted and can be extremely tedious. I'd pass on this at present.

g. Commit to all TLS:

Previously, the listen directives in smtpd.conf only specified "tls", which allowed insecure connections. As noted above, enabling MTA-STS will cause messages that are not sent over TLS/SSL to be rejected. This may block traffic from servers which still do not require this. It's equivalent to changing to "tls-require" in the smtpd.conf listen directives. This will reduce spam but could block certain email providers. If you're ready to go, then proceed.

First, edit mta-sts.txt to change the mode from "testing" to "enforce", then increase the lifetime (max_age) to 6-12 months (31557600 seconds max).

Remember to increment the <id> in the _mta-sts DNS record. This needs to be done whenever the policy file is changed.
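The two edits in this step, switching the mode to enforce with a longer max_age and publishing a new id, are easy to get half right. As an added example (not part of the original post), this Python snippet performs both: it rewrites the policy text with CRLF endings, refuses a max_age above the RFC ceiling or a policy with no mx lines (in enforce mode that would make every honouring sender reject your mail), and derives the new id following the page's date convention, appending a counter when the policy is edited twice on one day so the id still changes. The current policy and record strings are constructed sample data.

```python
import re
from datetime import date

MAX_AGE_LIMIT = 31557600   # one year in seconds; the RFC 8461 ceiling for max_age

# Constructed sample of the current policy and DNS record (not the page's live zone).
CURRENT_POLICY = (
    "version: STSv1\r\n"
    "mode: testing\r\n"
    "mx: mail.example.com\r\n"
    "max_age: 86400\r\n"
)
CURRENT_STS_TXT = "v=STSv1; id=210803"


def next_policy_id(old_id: str, today: date) -> str:
    """Follow the page's convention of using the edit date (YYMMDD) as the id.
    The id must differ from the published one after every edit, so a second edit
    on the same day gets a two-digit counter appended (e.g. 21080301)."""
    base = today.strftime("%y%m%d")
    if not old_id.startswith(base):
        return base
    suffix = old_id[len(base):]
    counter = int(suffix) if suffix.isdigit() else 0
    return f"{base}{counter + 1:02d}"


def promote_to_enforce(policy_text: str, max_age: int) -> str:
    """Rewrite a policy to mode enforce with a new max_age, returning CRLF text.
    Rejects a max_age over the RFC limit and a policy that lists no mx hosts."""
    if not 0 < max_age <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be 1..{MAX_AGE_LIMIT}")
    out = []
    for line in policy_text.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mode":
            value = "enforce"
        elif key == "max_age":
            value = str(max_age)
        out.append(f"{key}: {value}")
    if not any(l.startswith("mx:") for l in out):
        raise ValueError("refusing to enforce a policy with no mx entries")
    return "\r\n".join(out) + "\r\n"


def bumped_sts_record(old_txt: str, today: date) -> str:
    """Return the replacement _mta-sts TXT record carrying the new id."""
    m = re.search(r"\bid=([A-Za-z0-9]+)", old_txt)
    if not m:
        raise ValueError("no id= field in record")
    return f"v=STSv1; id={next_policy_id(m.group(1), today)}"
```

Write the string returned by promote_to_enforce() to /var/www/mta-sts/mta-sts.txt and publish the record returned by bumped_sts_record() in the same change; remote servers re-fetch the policy only when they see the id differ from the one they cached.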

That should be it.

Additional Reading/Sources: https://prefetch.eu/blog/2020/email-server-extras/



Posted by Gordon, No Hair Github Pages, August 24, 2021

© nohair.net and the author

For comments, corrections, and addenda, email: gordon[AT]nohair.net
