30 April 2019
Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It's designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Hanno Böck.
MTA-STS is a recent standard that enables authenticated, downgrade-resistant TLS connections between mail servers. Although several email providers have already published MTA-STS policies for inbound connections, Gmail recently became the first major email provider to actually check those policies when sending, and thus to implement MTA-STS on both sides of a connection.
Encrypted connections between mail servers have long been possible via the STARTTLS feature. However, STARTTLS is opportunistic: the sending server usually does not validate the receiving server's certificate, so an active attacker on the path can either strip the STARTTLS capability from the server's response and force a plaintext downgrade, or present an arbitrary certificate and mount a man-in-the-middle attack.
With MTA-STS, published in September of last year as RFC 8461, the owner of a mail domain publishes a policy over HTTPS on a standardized subdomain (https://mta-sts.<domain>/.well-known/mta-sts.txt) and signals its existence, together with a policy version id, in a DNS TXT record at _mta-sts.<domain>. The policy lists the permitted MX hostnames and a mode (testing or enforce); in enforce mode a sending server must validate the receiving server's certificate against those names and must not fall back to plaintext. Because the policy itself is fetched over authenticated HTTPS, the DNS record does not need DNSSEC. Similar to HSTS, policies carry a lifetime (max_age) and sending servers cache them for that period. An attacker with permanent control of the network path can still block the initial policy fetch, but an attacker with only temporary access to a connection can neither eavesdrop on nor manipulate mail to a domain whose policy is already cached.
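To make the sending-side check concrete, here is an added example (not code from the newsletter, from Gmail, Courier or Postfix) of what an outbound MTA has to do with a fetched policy. The DNS TXT record and policy file below are constructed samples for the assumed domain example.com; the function and field names are this example's own choices, but the parsing rules, wildcard semantics and mode behaviour follow RFC 8461. Network fetching and the actual TLS handshake are left out; the example takes the handshake outcome as an input.

```python
import re
import time

# Constructed samples for the assumed domain example.com (not real records).
SAMPLE_TXT_RECORD = "v=STSv1; id=20190430T000000Z;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_sts_txt(txt):
    """Parse the _mta-sts.<domain> TXT record (RFC 8461 section 3.1).
    Returns the policy id, or None if the record is not a valid STSv1 record."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        return None
    # The id is 1 to 32 alphanumeric characters; it only signals policy changes.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        return None
    return fields["id"]


def parse_policy(text):
    """Parse the policy fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt
    (RFC 8461 section 3.2). Returns a dict, or None if the policy is invalid."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            return None
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                return None  # singleton field repeated
            policy[key] = value
        # Unknown keys are ignored for forward compatibility.
    if policy.get("version") != "STSv1":
        return None
    if policy.get("mode") not in ("enforce", "testing", "none"):
        return None
    if not re.fullmatch(r"[0-9]{1,10}", policy.get("max_age", "")):
        return None
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        return None
    return policy


def mx_matches(policy, mx_host):
    """True if mx_host is permitted by one of the policy's mx patterns.
    A leading "*." matches exactly one leftmost label (RFC 8461 section 4.1)."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def policy_is_fresh(fetched_at, max_age, now=None):
    """A cached policy may be used until fetched_at + max_age seconds."""
    now = time.time() if now is None else now
    return now < fetched_at + max_age


def delivery_decision(policy, mx_host, starttls_offered, cert_valid):
    """What the sender should do with one MX host under the policy mode.
    cert_valid means the STARTTLS certificate chained to a trusted root and
    its names covered mx_host (RFC 8461 section 4.2)."""
    if starttls_offered and cert_valid and mx_matches(policy, mx_host):
        return "deliver"
    if policy["mode"] == "enforce":
        return "refuse"  # try another MX or queue; never fall back to plaintext
    if policy["mode"] == "testing":
        return "deliver-but-report"  # deliver anyway, report the failure via TLSRPT
    return "deliver"  # mode none: the domain is withdrawing its policy


if __name__ == "__main__":
    print("policy id:", parse_sts_txt(SAMPLE_TXT_RECORD))
    policy = parse_policy(SAMPLE_POLICY)
    for host, tls, cert in [("mail.example.com", True, True),
                            ("mail.example.com", False, False),
                            ("mx9.backup.example.com", True, True),
                            ("evil.example.com", True, True)]:
        print(host, "->", delivery_decision(policy, host, tls, cert))
```

The refusal branch is the whole point of the standard: a sender that has a cached enforce-mode policy treats a missing STARTTLS banner, an untrusted certificate or an MX host outside the list as a hard failure rather than silently sending in plaintext. A domain that is unsure of its certificates should start in testing mode, where the same checks are made but only reported.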
MTA-STS has the support of many large email providers and thus likely soon will be supported for the majority of email connections. Although publishing policies is relatively simple, supporting outbound MTA-STS requires proper support from the mail server software. The Courier mail server recently added support in version 1.0.7. Postfix doesn’t support it out of the box yet, but an external module can be used.