© Men & Mice http://menandmice.com
email transport security
MTA-STS vs. DANE
© ISC http://www.isc.org
Agenda
1. Recap: the problem with Mail Transport Security
2. SMTP MTA Strict Transport Security (MTA-STS)
3. SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)
4. SMTP TLS Reporting
the problem with email transport security
Short recap
we've discussed email transport security before
see the previous webinar "DNSSEC & DANE – E-Mail security reloaded" (link below) for details
so here just a short recap …
https://www.menandmice.com/resources/webinar-dnssec-and-dane-e-mail-security/
Transport Encryption
Example of a protocol (HTTP/HTTPS) using a dedicated port and URI for encrypted communication:
Port 80 - unencrypted
Port 443 - encrypted
Transport Encryption
SMTP (email) uses in-protocol signalling (STARTTLS) to bootstrap encryption. The signalling is unsecured and can be intercepted:
Port 25 - unencrypted
Greeting (server) - unencrypted
Greeting (client, EHLO) - unencrypted
Feature list (includes STARTTLS) - unencrypted
Request encryption (STARTTLS) - unencrypted
Greeting - encrypted
STARTTLS interception
https://www.eff.org/de/deeplinks/2014/11/starttls-downgrade-attacks
https://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automatically-encrypt-your-sensitive-e-mails/
https://blog.filippo.io/the-sad-state-of-smtp-encryption/
STARTTLS weakness
the core problem:
the receiving side cannot communicate its encryption policy
the sending side cannot infer the encryption policy, it needs to guess
solutions available/worked on in the IETF:
SMTP MTA Strict Transport Security (MTA-STS)
SMTP with DANE (MTA-DANE)
SMTP MTA Strict Transport Security (MTA-STS)
draft-ietf-uta-mta-sts
MTA-STS (Message-Transfer-Agent Strict-Transport-Security)
a mail receiving domain publishes its encryption policy
•via a TXT record in DNS
•plus a JSON document on a TLS-secured web server
draft-ietf-uta-mta-sts
https://tools.ietf.org/html/draft-ietf-uta-mta-sts
MTA-STS for "example.com"
the administrator of the domain "example.com" will publish a TXT-record
at the "well-known" sub-domain "_mta-sts"
containing the version number of this domain's mail-transport encryption policy
use of DNSSEC is recommended
_mta-sts.example.com. 900 IN TXT "v=STSv1; id=20170411;"
(v=STSv1: MTA-STS version; id=20170411: encryption policy version)
MTA-STS for "example.com"
the administrator of the domain "example.com" will also publish a JSON document
at the "well-known" sub-domain "mta-sts" and the path ".well-known/mta-sts.json"
https://mta-sts.example.com/.well-known/mta-sts.json
(https: TLS secured; mta-sts.example.com: mta-sts domain; /.well-known/mta-sts.json: path to the JSON document)
MTA-STS for "example.com"
example content of the JSON document
{
"version": "STSv1",
"mode": "enforce",
"mx": [".mail.example.com"],
"max_age": 123456
}
version: MTA-STS version
mode: "enforce" or "report"
mx: Common Name or Subject Alternative Name DNS-ID present in the X.509 certificate presented by any MX receiving mail for this domain
max_age: max lifetime of the policy
MTA-STS – message flow (diagram)
participants: sending MUA and sending MTA with a DNS(SEC) resolver (sending domain); auth DNS, receiving MTA and policy webserver (receiving domain); connected via the Internet
1. mail delivered to the sending MTA
2. the sending MTA checks its policy cache
3. the sending MTA requests the mta-sts TXT record in DNS:
_mta-sts.example.com. TXT ?
_mta-sts.example.com. 900 IN TXT "v=STSv1; id=20170411;"
4. the sending MTA requests the JSON policy from the web server, verifies the TLS x509 security of that connection and stores the policy in its cache:
https://mta-sts.example.com/.well-known/mta-sts.json
5. STARTTLS SMTP session with the receiving MTA; validate the x509 certificate against the policy
6. deliver mail
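The sending-MTA side of the flow above (parse the TXT record, parse the policy document, consult the cache, check the MX and its certificate against the policy), as an added Python example; it is not part of the slides or of any MTA's code. It follows the draft's JSON policy format shown above (the published RFC 8461 later replaced it with a plain-text mta-sts.txt file). The pattern-matching rules (leading "." = any subdomain, "*." = exactly one label), the failure labels and the delivery outcomes are assumptions; the sample records are the ones on the slides.

```python
import json

# Constructed sample data, copied from the records shown on the slides.
STS_TXT = "v=STSv1; id=20170411;"
STS_POLICY_JSON = """{
  "version": "STSv1",
  "mode": "enforce",
  "mx": [".mail.example.com"],
  "max_age": 123456
}"""


def parse_sts_txt(txt):
    """Parses the _mta-sts TXT record ("v=STSv1; id=...;") into a dict."""
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a usable STSv1 record: %r" % txt)
    return fields


def parse_sts_policy(document):
    """Parses and sanity-checks the JSON policy (draft format, as on the slide)."""
    policy = json.loads(document)
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "report"):
        raise ValueError("mode must be 'enforce' or 'report'")
    if not isinstance(policy.get("mx"), list) or not policy["mx"]:
        raise ValueError("policy needs at least one mx pattern")
    if not isinstance(policy.get("max_age"), int) or policy["max_age"] <= 0:
        raise ValueError("max_age must be a positive number of seconds")
    return policy


def mx_matches(pattern, hostname):
    """Matches a hostname against one mx pattern. Assumed semantics: a leading
    "." (draft style, as on the slide) matches any subdomain, "*." matches
    exactly one label, anything else must match exactly (case-insensitive)."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return hostname.endswith(pattern) and len(hostname) > len(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return hostname == pattern


class PolicyCache:
    """Per-domain policy cache: an entry is reused only while the TXT record's
    id is unchanged and max_age seconds have not elapsed since it was stored."""

    def __init__(self):
        self._entries = {}  # domain -> (txt_id, policy, expires_at)

    def lookup(self, domain, txt_id, now):
        entry = self._entries.get(domain)
        if entry is None:
            return None
        cached_id, policy, expires_at = entry
        if cached_id != txt_id or now >= expires_at:
            return None  # policy version changed or lifetime over: refetch
        return policy

    def store(self, domain, txt_id, policy, now):
        self._entries[domain] = (txt_id, policy, now + policy["max_age"])


def delivery_decision(policy, mx_hostname, starttls_offered, chain_valid, cert_names):
    """Applies the policy to one connection attempt. Returns (action, failure):
    action is "deliver", "deliver-and-report" or "defer"; failure is None or a
    label loosely following the TLSRPT result-type names."""
    failure = None
    if not any(mx_matches(p, mx_hostname) for p in policy["mx"]):
        failure = "mx-host-mismatch"
    elif not starttls_offered:
        failure = "starttls-not-supported"
    elif not chain_valid:  # chain must validate against a root CA (no self-signed certs)
        failure = "certificate-not-trusted"
    elif not any(mx_matches(p, n) for p in policy["mx"] for n in cert_names):
        failure = "certificate-host-mismatch"
    if failure is None:
        return "deliver", None
    if policy["mode"] == "enforce":
        return "defer", failure  # keep the mail queued rather than send in the clear
    return "deliver-and-report", failure  # "report" mode: send anyway, but report it


if __name__ == "__main__":
    txt = parse_sts_txt(STS_TXT)
    cache = PolicyCache()
    policy = cache.lookup("example.com", txt["id"], now=0)
    if policy is None:
        policy = parse_sts_policy(STS_POLICY_JSON)  # in reality fetched over HTTPS
        cache.store("example.com", txt["id"], policy, now=0)
    print(delivery_decision(policy, "mx1.mail.example.com", True, True, ["mx1.mail.example.com"]))
    print(delivery_decision(policy, "mx1.mail.example.com", False, True, []))
```

The cache check is what makes a stripped STARTTLS offer visible: once a policy with mode "enforce" is cached, a feature list without STARTTLS, or a certificate that does not chain to a root CA or does not carry a matching name, results in "defer" for the whole max_age window instead of a silent plaintext fallback.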
SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)
RFC 7672
MTA-DANE
SMTP with DANE signals the encryption policy of a mail server via DNSSEC-secured DNS
the TLSA record holds the full certificate (or a hash of the certificate), which can be verified against the certificate presented by the receiving mail server
MTA-DANE is standardised in RFC 7672 (Oct 2015)
MTA-DANE – message flow (diagram)
participants: sending MUA and sending MTA with a DNSSEC resolver; auth DNS; receiving MTA
1. mail delivered to the sending MTA
2. the sending MTA requests the TLSA record and validates the DNSSEC chain of trust:
_25._tcp.mail01.example.com. TLSA ?
_25._tcp.mail01.example.com. TLSA 3 1 1 ( BDC6A9F8312BF24C81D[..]387A147 )
3. STARTTLS SMTP session with the receiving MTA; validate the x509 certificate against the TLSA cert/hash
4. deliver mail
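How the TLSA record in the flow above is produced and checked, as an added Python example that is not from the slides, RFC 7672 or any MTA: a minimal DER walker pulls the SubjectPublicKeyInfo out of a certificate (what selector 1 covers), generate_tlsa_rdata yields the "3 1 1 <hash>" data a zone operator publishes, and tlsa_matches performs the check the sending MTA does against the certificate presented in the STARTTLS session. The certificate here is a constructed stand-in with the correct X.509 field order but no real key or signature; DNSSEC validation of the record is assumed to have happened in the resolver before this code runs.

```python
import hashlib


def _der_read(buf, pos):
    """Reads one DER TLV at pos; returns (tag, content, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_children(content):
    """Splits the content of a constructed element into (tag, full TLV) pairs."""
    children, pos = [], 0
    while pos < len(content):
        tag, _, nxt = _der_read(content, pos)
        children.append((tag, content[pos:nxt]))
        pos = nxt
    return children


def der_encode(tag, content):
    """Encodes one TLV; used here only to build the constructed test certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_seq(*parts):
    return der_encode(0x30, b"".join(parts))


def extract_spki(cert_der):
    """Returns the DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body, _ = _der_read(cert_der, 0)
    _, tbs_tlv = _der_children(cert_body)[0]
    _, tbs_body, _ = _der_read(tbs_tlv, 0)
    fields = _der_children(tbs_body)
    if fields[0][0] == 0xA0:  # explicit [0] version present: skip it
        fields = fields[1:]
    return fields[5][1]  # serial, sigalg, issuer, validity, subject, SPKI


def tlsa_assoc_data(cert_der, selector, matching):
    """Certificate association data: selector 0 = full cert, 1 = SPKI;
    matching type 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        return data
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching](data).digest()


def generate_tlsa_rdata(cert_der, usage=3, selector=1, matching=1):
    """What the zone operator publishes for this certificate, e.g. "3 1 1 <hex>"."""
    return "%d %d %d %s" % (usage, selector, matching, tlsa_assoc_data(cert_der, selector, matching).hex())


def parse_tlsa(rdata):
    """Parses presentation-format RDATA such as "3 1 1 ( BDC6...A147 )"."""
    usage, selector, matching, *rest = rdata.replace("(", " ").replace(")", " ").split()
    return int(usage), int(selector), int(matching), "".join(rest).lower()


def tlsa_matches(usage, selector, matching, assoc_hex, cert_der):
    """Checks one certificate against one TLSA record (RFC 7672 semantics):
    usage 3 (DANE-EE) is matched against the end-entity certificate, usage 2
    (DANE-TA) against an issuer certificate from the presented chain; usages
    0 and 1 (PKIX-*) are not usable for SMTP and are rejected outright."""
    if usage not in (2, 3) or selector not in (0, 1) or matching not in (0, 1, 2):
        return False
    return tlsa_assoc_data(cert_der, selector, matching) == bytes.fromhex(assoc_hex)


# Constructed stand-in certificate: correct X.509 field order, no real key or signature.
RSA_ENC = der_seq(der_encode(0x06, bytes.fromhex("2a864886f70d010101")), der_encode(0x05, b""))  # rsaEncryption
SHA256_RSA = der_seq(der_encode(0x06, bytes.fromhex("2a864886f70d01010b")), der_encode(0x05, b""))  # sha256WithRSA
FAKE_SPKI = der_seq(RSA_ENC, der_encode(0x03, b"\x00" + b"\x42" * 64))
OTHER_SPKI = der_seq(RSA_ENC, der_encode(0x03, b"\x00" + b"\x43" * 64))


def build_fake_cert(spki_der, cn=b"mail01.example.com"):
    name = der_seq(der_encode(0x31, der_seq(der_encode(0x06, bytes.fromhex("550403")), der_encode(0x0c, cn))))
    validity = der_seq(der_encode(0x17, b"170411000000Z"), der_encode(0x17, b"180411000000Z"))
    tbs = der_seq(der_encode(0xA0, der_encode(0x02, b"\x02")), der_encode(0x02, b"\x01"), SHA256_RSA,
                  name, validity, name, spki_der)
    return der_seq(tbs, SHA256_RSA, der_encode(0x03, b"\x00" * 65))


FAKE_CERT = build_fake_cert(FAKE_SPKI)
FAKE_TLSA_RDATA = generate_tlsa_rdata(FAKE_CERT)  # "3 1 1 <sha256 of FAKE_SPKI>"
```

Publishing a "3 1 1" record (SPKI hash) rather than "3 0 1" (full-certificate hash) is what makes the rollover point on the comparison slides manageable: renewing a certificate with the same key pair leaves the TLSA data valid, while a new key requires the new record to be published (and its old TTL to expire) before the server switches certificates.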
DANE success stories
Cloudmark will support MTA-DANE in the upcoming release 5.2
Cloudmark has about 12% global market share (20% of mobile accounts) in the email business
https://blog.cloudmark.com/2017/03/27/dane-and-email-security/
DANE success stories
large German mail service providers (web.de/gmx.de/1&1) support MTA-DANE
over 50% market share in Germany
https://de.slideshare.net/GMX_Deutschland/e-mailstudie-2015-deutsche-anbieter-bevorzugt
https://www.heise.de/newsticker/meldung/Abhoersicherheit-Web-de-sichert-Mail-Transport-zusaetzlich-per-DANE-ab-3175333.html
DANE success stories
the Dutch government requests MTA-DANE from government agencies
https://www.ncsc.nl/english/current-topics/news/ncsc-publishes-factsheet-secure-the-connections-of-mail-servers.html
DANE success stories
the German "Federal Office for Information Security" (BSI) requires MTA-DANE for "secure e-mail" certification
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03108/TR03108-1.pdf
Comparing MTA-STS vs. MTA-DANE
MTA-STS vs. MTA-DANE
MTA-STS does not require DNSSEC (but it is recommended)
MTA-STS defines a policy cache
MTA-STS requires x509 certificates that validate against a root-CA certificate (no "self-signed" certs)
MTA-STS requires an HTTPS server to serve the policy JSON document
MTA-STS requires validation of the HTTPS connection used to fetch the policy document
MTA-STS vs. MTA-DANE
MTA-DANE does require DNSSEC
MTA-DANE has no policy cache (but the TTL on TLSA records can work as such)
MTA-DANE allows "self-signed" certificates
MTA-DANE policy can be changed by switching the TLSA record in DNS
MTA-DANE TLS-cert rollover needs to be in sync with the TLSA record(s)
MTA-DANE relies on trust in the DNSSEC chain
SMTP TLS Reporting
draft-ietf-uta-smtp-tlsrpt
SMTP TLS reporting
SMTP TLS reporting defines a protocol to signal a reporting channel about SMTP encryption failures
the sending MTA can report issues with TLS encryption to the receiving MTA operator
SMTP TLS reporting can be used with MTA-STS and MTA-DANE
Reports include:
•MITM attacks (certificate mismatch)
•expired certificates
•server not answering
•certificate not validating against Root-CA
•…
https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt
SMTP TLS reporting
the administrator of a mail domain publishes the reporting policy as a TXT-record in DNS
using the "well-known" subdomain "_smtp-tlsrpt" inside the mail domain
Example (SMTP-Report):
_smtp-tlsrpt.example.com. IN TXT "v=TLSRPTv1;rua=mailto:reports@example.com"
Example (HTTP-Report):
_smtp-tlsrpt.example.com. IN TXT "v=TLSRPTv1; rua=https://reporting.example.com/v1/tlsrpt"
https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt
SMTP TLS reporting – message flow (diagram)
participants: sending MUA and sending MTA with a DNS(SEC) resolver; auth DNS; receiving MTA
1. STARTTLS SMTP session; the x509 certificate fails to validate against the TLSA cert/hash
2. the sending MTA requests the _smtp-tlsrpt TXT record:
_smtp-tlsrpt.example.com. TXT ?
_smtp-tlsrpt.example.com. IN TXT "v=TLSRPTv1;rua=mailto:reports@example.com"
3. deliver report mail
SMTP TLS reporting
Example JSON-Report
https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt
{
"organization-name": "Company-X",
"date-range": {
"start-datetime": "2016-04-01T00:00:00Z", "end-datetime": "2016-04-01T23:59:59Z"
},
"contact-info": "sts-reporting@company-x.com", "report-id": "5065427c-23d3-47ca-b6e0-946ea0e8c4be",
"policy": {
"policy-type": "sts",
"policy-string": "{ \"version\": \"STSv1\", \"mode\": \"report\", \"mx\": [\"*.example.com\"], \"max_age\": 86400 }",
"policy-domain": "company-y.com", "mx-host": "*.mail.company-y.com"
},
"summary": {
"success-aggregate": 5326, "failure-aggregate": 303
},
"failure-details": [{
"result-type": "certificate-expired", "sending-mta-ip": "98.136.216.25",
"receiving-mx-hostname": "mx1.mail.company-y.com", "session-count": 100
}, {
"result-type": "starttls-not-supported", "sending-mta-ip": "98.22.33.99",
"receiving-mx-hostname": "mx2.mail.company-y.com", "session-count": 200,
"additional-information": "hxxps://reports.company-x.com/report_info?id=5065427c-23d3#StarttlsNotSupported"
}]
}
organization-name: reporting company
date-range: report time range (24 hours)
contact-info: contact information
policy: used policy
summary: report summary
failure-details: failure details
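Producing a report like the one above from the sending MTA's own records, as an added Python example that is not part of the slides or of the draft: parse_tlsrpt_txt reads the "_smtp-tlsrpt" TXT record (both rua kinds from the slide combined into one record), report_destinations splits the rua URIs into mail and HTTPS targets, and build_report aggregates per-session outcomes into the JSON schema shown above. The session outcomes, hostnames, IP addresses and the report id are constructed; the failure labels are the two result types on the slide.

```python
import json
from collections import Counter

# Constructed: the two rua forms from the slide combined into one TXT record.
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:reports@example.com,https://reporting.example.com/v1/tlsrpt"

# Constructed session outcomes a sending MTA might have collected over one day
# (result None = TLS session succeeded; otherwise a TLSRPT result-type label).
SESSIONS = [
    {"mx": "mx1.mail.example.com", "ip": "192.0.2.10", "result": None},
    {"mx": "mx1.mail.example.com", "ip": "192.0.2.10", "result": None},
    {"mx": "mx1.mail.example.com", "ip": "192.0.2.10", "result": "certificate-expired"},
    {"mx": "mx1.mail.example.com", "ip": "192.0.2.10", "result": "certificate-expired"},
    {"mx": "mx2.mail.example.com", "ip": "192.0.2.11", "result": None},
    {"mx": "mx2.mail.example.com", "ip": "192.0.2.11", "result": "starttls-not-supported"},
]

# Constructed policy block, mirroring the "policy" object of the report on the slide.
EXAMPLE_POLICY = {
    "policy-type": "sts",
    "policy-string": json.dumps({"version": "STSv1", "mode": "report",
                                 "mx": ["*.mail.example.com"], "max_age": 86400}),
    "policy-domain": "example.com",
    "mx-host": "*.mail.example.com",
}


def parse_tlsrpt_txt(txt):
    """Parses "_smtp-tlsrpt" TXT data into {"version": ..., "rua": [uri, ...]}."""
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "TLSRPTv1" or not fields.get("rua"):
        raise ValueError("not a usable TLSRPTv1 record: %r" % txt)
    uris = [u.strip() for u in fields["rua"].split(",") if u.strip()]
    bad = [u for u in uris if not u.startswith(("mailto:", "https://"))]
    if bad:
        raise ValueError("unsupported rua URIs: %r" % bad)
    return {"version": fields["v"], "rua": uris}


def report_destinations(record):
    """Splits the rua URIs into (mail addresses, HTTPS endpoints)."""
    mail = [u[len("mailto:"):] for u in record["rua"] if u.startswith("mailto:")]
    https = [u for u in record["rua"] if u.startswith("https://")]
    return mail, https


def build_report(org, contact, report_id, policy, sessions, start, end):
    """Aggregates per-session outcomes into one report in the slide's JSON schema.
    Failures are grouped by (result-type, sending IP, receiving MX), as in the example."""
    failures = Counter((s["result"], s["ip"], s["mx"]) for s in sessions if s["result"])
    return {
        "organization-name": org,
        "date-range": {"start-datetime": start, "end-datetime": end},
        "contact-info": contact,
        "report-id": report_id,
        "policy": policy,
        "summary": {
            "success-aggregate": sum(1 for s in sessions if not s["result"]),
            "failure-aggregate": sum(failures.values()),
        },
        "failure-details": [
            {"result-type": result, "sending-mta-ip": ip,
             "receiving-mx-hostname": mx, "session-count": count}
            for (result, ip, mx), count in sorted(failures.items())
        ],
    }


if __name__ == "__main__":
    record = parse_tlsrpt_txt(TLSRPT_TXT)
    print("send via mail to %s, via HTTPS to %s" % report_destinations(record))
    report = build_report("Company-X", "sts-reporting@company-x.com", "report-id-placeholder",
                          EXAMPLE_POLICY, SESSIONS, "2016-04-01T00:00:00Z", "2016-04-01T23:59:59Z")
    print(json.dumps(report, indent=2))
```

The receiving operator gets one line per distinct (result type, sending IP, MX) combination with a session count, so a certificate that expired on one MX or a STARTTLS offer that disappeared on one path shows up with the affected host and the sender that observed it, which is what makes the report actionable.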
Next
Men & Mice DNS Training
•Introduction to DNS & BIND Hands-On Class
•September 18 – 20, 2017 (Zurich, Switzerland)
https://www.menandmice.com/training/
Men & Mice DNS Training
•Introduction & Advanced DNS and BIND Topics Hands-On Class
•September 18 – 22, 2017 (Zurich, Switzerland)
https://www.menandmice.com/training/
Men & Mice DNS Training
•DNS & BIND (German Language)
•May 22 – 24, 2017, Essen, DE
•DNSSEC and DANE (German Language)
•December 4-12, 2017, Essen, DE
http://linuxhotel.de/
our next webinar
Certification Authority Authorization Record
The CAA Record (Certification Authority Authorization) is used to signal which certification authority (CA) is allowed to issue x509 certificates for a given domain. CAA creates a DNS mechanism that enables domain name owners to whitelist the CAs that are allowed to issue certificates for their hostnames.
Starting from September 2017, certificate-issuing CAs must support the CAA record.
We will explain the CAA record, how it works, how to enter CAA into a zone and how certification authorities are about to use the record.
Join us for a 45-minute webinar with a Q&A session at the end, on Thursday, May 18th, 2017 at 5:00 PM CEST / 3:00 PM GMT / 11:00 AM EDT / 8:00 AM PDT.
Thank you!
Questions? Comments?

SMTP STS (Strict Transport Security) vs. SMTP with DANE
