SMTP MTA Strict Transport Security (MTA-STS) is a mechanism that lets mail service providers (SPs) declare that their MX hosts accept SMTP connections secured with Transport Layer Security (TLS).
MTA-STS can also tell sending SMTP servers to refuse delivery to MX hosts that do not offer TLS with a trusted server certificate, which blocks downgrade attacks that strip STARTTLS from the connection.
There are several requirements for utilizing MTA-STS in SecurityGateway:
- SSL, STARTTLS, and STLS must be enabled.
- A valid certificate from a trusted root authority must be in place for participating domains.
- TLS 1.2 or 1.3 support on the Windows server.
To set up MTA-STS for your own domain, you need an MTA-STS policy file that sending servers can download over HTTPS from https://mta-sts.company.test/.well-known/mta-sts.txt, where "company.test" is your domain name. Sending servers validate the HTTPS certificate when they fetch the file, so the certificate presented by the SecurityGateway web server must be valid for the mta-sts.company.test hostname.
In your domain's DNS manager, create an A record with mta-sts as the name and the static IP address of the SecurityGateway server as the content.
Create a new TXT record in your DNS manager. Use _mta-sts as the record name and enter v=STSv1; id=20220408T010101; as the record's content. The value of id must be changed every time the policy file changes, because sending servers that have cached your policy only refetch it when they see a new id. It is common to use a timestamp for the id.
Using a text editor, create your policy file and name it mta-sts.txt. The file should contain lines in the following format:
version: STSv1
mode: testing
mx: sg.company.test
max_age: 86400
- Mode can be none, testing, or enforce.
- none - The sending server should treat the policy domain as though it does not have an active policy.
- testing - Messages may still be delivered as though there were no MTA-STS validation failure. Failures are only reported (through TLS reporting, if you publish a TLSRPT record), so use this mode to confirm the policy is correct before switching to enforce.
- enforce - Sending servers must not deliver the message to hosts that fail MX matching or certificate validation, or that do not support STARTTLS.
- There should be an "mx:" line for each of your MX hostnames. An MX host that is not matched by any "mx:" line will be refused by senders once the mode is enforce.
- A wildcard can be used for subdomains, such as *.company.test. It matches a single label only, so *.company.test covers sg.company.test but not a.b.company.test.
- Max age is in seconds. Common values are 86400 (1 day) and 604800 (1 week).
- Place the policy text file in the \SecurityGateway\Templates\.well-known\ directory on the server where SecurityGateway is installed. Create the .well-known folder if it does not exist in the Templates folder.
Verify that the mta-sts.txt policy file is available by opening a browser and navigating to https://mta-sts.company.test/.well-known/mta-sts.txt. Check that the browser shows no certificate warning and that the policy is displayed; if so, the configuration is complete.
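As an added example (not part of SecurityGateway or its documentation), the following Python script checks the pieces of the procedure above against each other the way a sending MTA would: it parses the _mta-sts TXT record and the mta-sts.txt policy, validates the values against RFC 8461 (mode, max_age range, id format), and confirms that every MX host of the domain is matched by an "mx:" line, including the single-label wildcard rule. The sample TXT record, policy and MX list are constructed for the fictional company.test domain; the optional fetch_live function needs network access and is not called automatically.

```python
"""Offline consistency checker for an MTA-STS deployment (RFC 8461).

Sample inputs below are constructed for the fictional domain company.test.
"""
import re
import ssl
import urllib.request
from dataclasses import dataclass

VALID_MODES = {"none", "testing", "enforce"}
MAX_AGE_LIMIT = 31557600  # one year, the upper bound RFC 8461 allows for max_age

# Constructed sample inputs (what the DNS and HTTPS steps above would publish).
SAMPLE_TXT = "v=STSv1; id=20220408T010101;"
SAMPLE_POLICY = "version: STSv1\r\nmode: testing\r\nmx: sg.company.test\r\nmax_age: 86400\r\n"
SAMPLE_MX = ["sg.company.test", "backup-mx.company.test"]  # assumed MX hosts of company.test


def parse_txt_record(txt: str) -> dict:
    """Parse 'v=STSv1; id=...;' into a dict and validate the two required fields."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed TXT field: {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must start with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


@dataclass
class Policy:
    version: str
    mode: str
    max_age: int
    mx: list


def parse_policy(text: str) -> Policy:
    """Parse the 'key: value' lines of mta-sts.txt (CRLF or LF line endings)."""
    version = mode = max_age = None
    mx = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "max_age":
            max_age = int(value)
        elif key == "mx":
            mx.append(value.lower().rstrip("."))
        # Unknown keys are ignored so that future extensions do not break parsing.
    if version != "STSv1":
        raise ValueError("policy version must be STSv1")
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {sorted(VALID_MODES)}")
    if max_age is None or not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be between 0 and {MAX_AGE_LIMIT} seconds")
    if not mx:
        raise ValueError("policy needs at least one mx line")
    return Policy(version, mode, max_age, mx)


def mx_matches(pattern: str, host: str) -> bool:
    """MX matching as senders do it: exact match, or '*.' covering exactly one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. '.company.test'
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def check_deployment(txt_record: str, policy_text: str, mx_hosts: list) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for a published TXT record, policy and MX set."""
    errors, warnings = [], []
    try:
        parse_txt_record(txt_record)
    except ValueError as e:
        errors.append(f"TXT: {e}")
    try:
        policy = parse_policy(policy_text)
    except ValueError as e:
        errors.append(f"policy: {e}")
        return {"errors": errors, "warnings": warnings}
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in policy.mx):
            # In enforce mode a sender would refuse to deliver to this MX host.
            errors.append(f"MX {host} is not covered by any mx: line")
    if policy.mode == "testing":
        warnings.append("mode is testing: validation failures are reported, not enforced")
    return {"errors": errors, "warnings": warnings}


def fetch_live(domain: str) -> str:
    """Fetch the policy over HTTPS the way a sender does: verified certificate, no redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            raise ValueError("policy fetch must not be redirected")

    url = f"https://mta-sts.{domain}/.well-known/mta-sts.txt"
    ctx = ssl.create_default_context()  # verifies the chain and the mta-sts hostname
    opener = urllib.request.build_opener(NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    with opener.open(url, timeout=10) as resp:
        if resp.headers.get_content_type() != "text/plain":
            raise ValueError("policy should be served as text/plain")
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(check_deployment(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX))
```

Run against the sample data, the checker flags backup-mx.company.test as uncovered, which is exactly the host senders would start refusing once the mode changes from testing to enforce; adding "mx: backup-mx.company.test" (or "mx: *.company.test") and bumping the id in the TXT record clears it. To check a live deployment, pass the output of fetch_live("company.test") and the domain's real MX hosts to check_deployment.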