MTA-STS and TLS-RPT configuration for lancaster.gov.uk
Background
As recommended by the NCSC and others, MTA-STS improves inbound email security. It lets the domain publish which mail servers (MX hosts) may receive its mail, requires senders to use TLS 1.2 or later when delivering to them, and prevents man-in-the-middle attacks on inbound SMTP connections.
It is not officially supported by Vipre, but as Vipre supports TLS 1.2 and presents valid certificates, it should work, at least with the policy in testing mode.
The system is designed to fail open: if the policy web resource is unavailable, a sender that has no policy cached treats the domain as having none, so mail is still delivered.
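To make the fail-open behaviour concrete, here is a model of how a sending MTA applies an MTA-STS policy. It is an added example, not part of this note and not code from Vipre, Azure or any real MTA; the fetch_policy callable is an assumed stand-in for the HTTPS fetch of the policy file, and the cache expiry uses max_age exactly as a sender would. The point it shows: the policy host being down only falls open while the sender has no unexpired cached policy; a sender that cached the enforce policy (for up to max_age seconds, 1209600 seconds being 14 days) keeps enforcing it, so MX or certificate problems during that window still cause rejections.

```python
# Added example (not part of the original note): model of a sending MTA's
# MTA-STS decision, to show exactly when "fail open" applies.
# fetch_policy(domain) is an assumed stand-in for fetching
# https://mta-sts.<domain>/.well-known/mta-sts.txt over HTTPS.
from dataclasses import dataclass


@dataclass
class Policy:
    mode: str            # "enforce", "testing" or "none"
    mx: tuple            # mx patterns from the policy file
    max_age: int         # seconds a sender may cache the policy
    fetched_at: float    # time (seconds) at which the sender cached it


class PolicyCache:
    """Per-domain cache; a policy is reused until fetched_at + max_age."""

    def __init__(self):
        self.entries = {}

    def get(self, domain, now):
        policy = self.entries.get(domain)
        if policy is None or now > policy.fetched_at + policy.max_age:
            return None          # nothing cached, or the cached policy expired
        return policy

    def put(self, domain, policy):
        self.entries[domain] = policy


def mx_matches(host, pattern):
    """MTA-STS mx matching: exact name, or a '*.' wildcard for one leading label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def decide(domain, mx_host, tls_verified, fetch_policy, cache, now):
    """Return (deliver, reason) for one delivery attempt to mx_host.

    tls_verified: True if STARTTLS succeeded with a certificate valid for mx_host.
    fetch_policy(domain) returns a Policy, or raises OSError if the policy host is down.
    """
    policy = cache.get(domain, now)
    if policy is None:
        try:
            policy = fetch_policy(domain)
            policy.fetched_at = now
            cache.put(domain, policy)
        except OSError:
            # No usable policy at all: the sender behaves as if MTA-STS were
            # not configured. This is the only case "fail open" covers.
            return True, "no policy available, delivered without MTA-STS checks"
    if policy.mode == "none":
        return True, "mode none, delivered"
    mx_ok = any(mx_matches(mx_host, pattern) for pattern in policy.mx)
    if policy.mode == "testing":
        # Testing mode never blocks delivery; failures are only reported via TLS-RPT.
        return True, f"testing mode, delivered (mx_ok={mx_ok}, tls_verified={tls_verified})"
    if not mx_ok:
        return False, f"enforce: {mx_host} matches no mx pattern"
    if not tls_verified:
        return False, "enforce: TLS not verified"
    return True, "enforce: MX matched and TLS verified"


if __name__ == "__main__":
    # Constructed walk-through using the lancaster.gov.uk policy from this note.
    def fetch_ok(domain):
        return Policy("enforce", ("uk.mx1.mailanyone.net", "uk.mx2.mx25.net",
                                  "uk.mx3.mailanyone.net", "uk.mx4.mx25.net"), 1209600, 0.0)

    def fetch_down(domain):
        raise OSError("policy host unreachable")

    cache = PolicyCache()
    print(decide("lancaster.gov.uk", "uk.mx1.mailanyone.net", True, fetch_down, cache, 0))
    print(decide("lancaster.gov.uk", "uk.mx1.mailanyone.net", True, fetch_ok, cache, 0))
    print(decide("lancaster.gov.uk", "uk.mx1.mailanyone.net", False, fetch_down, cache, 100))
    print(decide("lancaster.gov.uk", "uk.mx1.mailanyone.net", True, fetch_down, cache, 1209601))
```

The third call in the walk-through is the case to remember: the policy host is down, but the sender still has the enforce policy cached, so a failed TLS check is a rejection, not a fall-back to plain delivery.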
I’ve followed this guide to implement MTA-STS for lancaster.gov.uk using an Azure Static Web App:
https://blog.jonsdocs.org.uk/2022/01/08/setting-up-mta-sts-using-azure-static-web-apps/
TLS-RPT is a companion mechanism that lets sending mail servers report TLS and policy failures back to the receiving domain (i.e. lancaster.gov.uk) when an MTA-STS policy is present.
Resources
DNS config
- _mta-sts.lancaster.gov.uk
Type = TXT
Value = v=STSv1; id= 2024091801
- mta-sts.lancaster.gov.uk
Type = CNAME
Value = salmon-hill-037c34003.3.azurestaticapps.net
- _smtp._tls.lancaster.gov.uk
Type = TXT
Value = "v=TLSRPTv1;rua=mailto:tls-rua@mailcheck.service.ncsc.gov.uk "
MX records (checker output)
MX Record Match: uk.mx1.mailanyone.net
Pref  Host                    Status
10    uk.mx1.mailanyone.net   Matched MX Pattern
20    uk.mx2.mx25.net         Not Checked
30    uk.mx3.mailanyone.net   Not Checked
40    uk.mx4.mx25.net         Not Checked
Policy content
https://mta-sts.lancaster.gov.uk/.well-known/mta-sts.txt
version: STSv1
mode: enforce
mx: uk.mx1.mailanyone.net
mx: uk.mx2.mx25.net
mx: uk.mx3.mailanyone.net
mx: uk.mx4.mx25.net
max_age: 1209600
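The checker above only matched the first MX host against the policy. The following added example (not part of this note, and not code from the guide or from Azure) checks all four MX hosts, the _mta-sts TXT record, the policy file and the TLS-RPT record offline, using the values copied from this page. In a live check the same functions would be fed the results of TXT and MX lookups and an HTTPS fetch of the policy URL; the field names and limits follow RFC 8461 and RFC 8460.

```python
# Added example (not part of the original note): offline sanity checks for the
# MTA-STS and TLS-RPT configuration documented above. Input values are copied
# from this page; a live check would take them from DNS and the policy URL.
import re

STS_TXT = "v=STSv1; id=2024091801"
TLSRPT_TXT = "v=TLSRPTv1;rua=mailto:tls-rua@mailcheck.service.ncsc.gov.uk"
MX_HOSTS = ["uk.mx1.mailanyone.net", "uk.mx2.mx25.net",
            "uk.mx3.mailanyone.net", "uk.mx4.mx25.net"]
POLICY_TEXT = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: uk.mx1.mailanyone.net\n"
    "mx: uk.mx2.mx25.net\n"
    "mx: uk.mx3.mailanyone.net\n"
    "mx: uk.mx4.mx25.net\n"
    "max_age: 1209600\n"
)


def parse_txt(record):
    """Split a 'k=v; k=v' style TXT record into a dict (keys lower-cased)."""
    fields = {}
    for part in record.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def check_sts_txt(record):
    fields = parse_txt(record)
    problems = []
    if fields.get("v") != "STSv1":
        problems.append("_mta-sts TXT: missing or wrong v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        problems.append("_mta-sts TXT: id must be 1-32 letters/digits with no spaces")
    return problems


def parse_policy(text):
    """Parse 'key: value' policy lines; mx may repeat, unknown keys are ignored."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    return policy


def mx_matches(host, pattern):
    """MTA-STS mx matching: exact name, or a '*.' wildcard for one leading label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def check_policy(text, mx_hosts):
    policy = parse_policy(text)
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("policy: version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("policy: mode must be enforce, testing or none")
    try:
        if not 0 <= int(policy.get("max_age", "")) <= 31557600:
            problems.append("policy: max_age out of range (0..31557600 seconds)")
    except ValueError:
        problems.append("policy: max_age missing or not an integer")
    if policy.get("mode") != "none" and not policy["mx"]:
        problems.append("policy: no mx entries")
    # Every MX host in DNS must match a pattern, or senders in enforce mode reject mail to it.
    for host in mx_hosts:
        if not any(mx_matches(host, pattern) for pattern in policy["mx"]):
            problems.append(f"policy: MX host {host} matches no mx pattern")
    return problems


def check_tlsrpt(record):
    fields = parse_txt(record)
    problems = []
    if fields.get("v") != "TLSRPTv1":
        problems.append("TLS-RPT: missing or wrong v=TLSRPTv1")
    ruas = [u.strip() for u in fields.get("rua", "").split(",") if u.strip()]
    if not ruas or not all(u.startswith(("mailto:", "https://")) for u in ruas):
        problems.append("TLS-RPT: rua must list mailto: or https: URIs")
    return problems


def run_checks(sts_txt=STS_TXT, policy_text=POLICY_TEXT, mx_hosts=MX_HOSTS, tlsrpt_txt=TLSRPT_TXT):
    """Return a list of problems; an empty list means the configuration is consistent."""
    return check_sts_txt(sts_txt) + check_policy(policy_text, mx_hosts) + check_tlsrpt(tlsrpt_txt)


if __name__ == "__main__":
    for line in run_checks() or ["all checks passed"]:
        print(line)
```

When an MX host is added or renamed, run this with the new MX list before changing DNS: the policy file must list the new host and the id in the _mta-sts TXT record must change, otherwise senders keep using the cached policy and reject mail to the new host.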