
Simple Mail Transfer Protocol, or SMTP, has easily exploitable security loopholes. Email routing protocols were designed at a time when cryptographic technology was at a nascent stage (the de facto protocol for email transfer, SMTP, is nearly 40 years old now), and therefore security was not an important consideration. As a result, in most email systems encryption is still opportunistic: if the peer connection does not support TLS, the session falls back to an unencrypted one and delivers messages in plaintext. To mitigate these SMTP security problems, MTA-STS (Mail Transfer Agent Strict Transport Security) is a recommended email security standard. It enforces TLS so that MTAs can send email securely. This means that it will only allow mail from MTAs that support TLS encryption, and it will only allow mail to go to MX hosts that support TLS encryption.

This standard was standardized in 2014 by IETF as RFC-8461.

MTA-STS is the successor standard of STARTTLS, which mandated TLS for specific mail transfer agents. STARTTLS required that all servers use TLS, but it gave no guidelines for client usage. As a result, the majority of email messages are still sent with no encryption, similar to HTTP connections today. To counter this problem, MTA-STS requires that either the server supports TLS or the connection is shut down immediately. This mechanism prevents downgrade attacks and makes sure that messages are transmitted securely.

These email authentication and security standards further strengthen the authentication and security of the internet, and they will ensure that communications are not tampered with.

This RFC also defines a period of time after which the TLS support on an MTA expires. It gives providers an opportunity to deprecate their old TLS versions or certificates as well as to set up new ones as they become available. The period is set as 180 days, which means that if an MTA is downgraded during the specified period of time, it would be further downgraded to an unsecured connection. After this time period, clients will no longer accept mail from such mail servers and thus mail delivery will be blocked. This will be updated after 180 days to reflect the current TLS environment.
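To make the enforcement described above concrete, here is an added example (not code from the original post or from any mail product) of the receiving-side pieces an MTA-STS-aware sender evaluates: the `_mta-sts` DNS TXT record, the policy file served at `/.well-known/mta-sts.txt`, the `mx` host matching rules, the `enforce`/`testing`/`none` mode decision, and the `max_age` cache lifetime. The field names and formats follow RFC 8461; the sample record, sample policy, hostnames and timestamps are constructed for illustration, and the `tls_ok` flag stands in for "TLS was negotiated and the certificate validated for the MX name", which a real sender determines during the SMTP session.

```python
"""Minimal MTA-STS policy parsing and delivery decision (illustrative example)."""
import time
from dataclasses import dataclass
from typing import List, Tuple

# --- Constructed sample inputs (not real records) ---------------------------
# DNS TXT record published at _mta-sts.example.com; only signals that a policy exists.
SAMPLE_TXT = "v=STSv1; id=20240101T000000Z"

# Policy body fetched over HTTPS from https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


@dataclass
class Policy:
    version: str
    mode: str          # "enforce", "testing" or "none"
    mx: List[str]      # permitted MX hostnames or "*.domain" patterns
    max_age: int       # cache lifetime in seconds
    fetched_at: float  # unix time at which the policy was fetched


def parse_sts_txt(txt: str) -> str:
    """Validate the _mta-sts TXT record and return its policy id."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STSv1 TXT record")
    return fields["id"]


def parse_policy(text: str, fetched_at: float) -> Policy:
    """Parse a key: value policy file; unknown keys are ignored for forward compatibility."""
    version, mode, max_age, mx = None, None, None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value.lower()
        elif key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1":
        raise ValueError("unsupported policy version")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if max_age is None:
        raise ValueError("max_age is required")
    if mode != "none" and not mx:
        raise ValueError("at least one mx entry is required")
    return Policy(version, mode, mx, max_age, fetched_at)


def mx_matches(pattern: str, host: str) -> bool:
    """A '*.' wildcard matches exactly one leftmost label; otherwise exact match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]               # ".backup.example.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]    # label that replaced the '*'
        return leftmost != "" and "." not in leftmost
    return host == pattern


def is_expired(policy: Policy, now: float) -> bool:
    """True once max_age has elapsed and the cached policy must be refreshed."""
    return now > policy.fetched_at + policy.max_age


def delivery_decision(policy: Policy, mx_host: str, tls_ok: bool, now: float) -> Tuple[str, str]:
    """Return ("deliver" | "reject", reason) for one candidate MX under the policy."""
    if policy.mode == "none":
        return "deliver", "policy mode none: no MTA-STS requirement"
    if is_expired(policy, now):
        return "reject", "cached policy expired; refetch before sending"
    mx_ok = any(mx_matches(p, mx_host) for p in policy.mx)
    if tls_ok and mx_ok:
        return "deliver", "TLS validated and MX permitted by policy"
    reason = "MX not in policy" if not mx_ok else "TLS unavailable or certificate invalid"
    if policy.mode == "enforce":
        return "reject", reason + " (enforce: try next MX, never fall back to plaintext)"
    return "deliver", reason + " (testing: deliver anyway and send a TLSRPT failure report)"


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY, fetched_at=time.time())
    print("policy id:", parse_sts_txt(SAMPLE_TXT))
    for host, tls in [("mail.example.com", True), ("mail.example.com", False), ("rogue.example.net", True)]:
        print(host, tls, "->", delivery_decision(policy, host, tls, time.time()))
```

The important defensive property is visible in `delivery_decision`: in `enforce` mode a missing TLS session or an MX that is not listed in the policy results in a rejection for that host rather than a plaintext fallback, which is exactly the downgrade path that opportunistic STARTTLS leaves open. `testing` mode lets an operator see what would have failed (via TLSRPT reports) before switching enforcement on, and the `max_age` check is why the policy file and its `id` should be updated whenever MX hosts or certificates change.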

The updated version of the MTA-STS standard was standardized in 2016 by IETF as RFC-7671. The updated version aims to address issues raised in the original version, particularly regarding the updated cryptographic algorithms and attacks against them.

RFC 8461 was recently updated by IETF, in July 2018, as RFC-8461bis to reflect the current requirements for email security, which are based on the evolving threat landscape and evolving TLS technologies.

The new version of MTA-STS standard has introduced the following changes:

Those requirements will be followed by all MTAs and email clients that use the MTA-STS standard. MTA-STS has been adopted and implemented by many mail servers, web servers and email clients. Some major email and web servers and clients already support MTA-STS: Gmail, Yahoo, Outlook, Thunderbird, Facebook, etc.

MTA-STS has been implemented in many products that are available to end users. These products can use either TLS 1.2 or TLS 1.3, and they implement the latest security requirements outlined in RFC 8461bis to ensure end-to-end TLS encryption.

Interested in reading more about email security? Email Spoofing – Check Your Domain Security discusses fake emails sent under a different name and how to see whether your domain has been affected.


If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.