PowerShell-Mail Transfer Agent-Strict Transport Security | Enhancing mail flow by deploying and testing MTA-STS for Exchange Online using this PowerShell module.
This module is for you, if you ...
- ... want to improve the security of your mail flow
- ... use Exchange Online for mail flow
- ... have lots of domains and want to deploy MTA-STS for all of them
- ... have an Azure subscription and want to deploy MTA-STS using Azure Static Web Apps or Azure Functions
- ... want to test your MTA-STS configuration using PowerShell
MTA-STS is a new internet standard that improves email security and delivery for your organization. MTA-STS leverages the well-known security standard HTTPS, which is used to secure connections to websites, to enable organizations to assert policies and requirements for their email services. MTA-STS also enables organizations to request that remote email servers deliver email messages over a secure connection and to report back on any failures encountered. This helps to ensure that email messages are delivered in a secure and reliable manner.
Please check out our MTA-STS Infographic to learn more about how MTA-STS works. We visualized the usual mail flow without MTA-STS, the possible attack scenario without MTA-STS, the usual mail flow with MTA-STS, and the possible attack scenario with MTA-STS, which can be detected and mitigated.
Defined in RFC 8461
MTA-STS consists of two parts:
- MTA-STS TXT DNS Record
- MTA-STS Policy
This DNS record indicates that the domain supports MTA-STS. The id value can be literally anything; it is usually just a date-time stamp of the last policy change, and sending MTAs use a changed id as the signal to fetch the policy again.
_mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;"
The MTA-STS policy is a text file served over HTTPS from the ".well-known/" directory of the mta-sts subdomain, for example https://mta-sts.example.com/.well-known/mta-sts.txt
For Exchange Online the mta-sts.txt looks like this:
version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800
If you want to take advantage of SMTP DANE with DNSSEC, you must adjust the MX endpoint of your domains. Additionally, you will have to adjust the mta-sts.txt file to include the new MX endpoint of your domain; otherwise a policy in enforce mode rejects delivery to an MX host it does not list.
You can update the mta-sts.txt file to include the MX endpoint of your domain manually in the Azure Portal or automatically using the Update-PSMTASTSFunctionAppFile function.
version: STSv1
mode: enforce
mx: mail.protection.outlook.com
mx: *.abcd-v1.mx.microsoft
max_age: 604800
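The following PowerShell script is an added example and is not part of the PS.MTA-STS module. It parses an MTA-STS TXT record and an mta-sts.txt policy as shown above, then checks a domain's MX hosts against the policy's mx patterns the way a receiving sender MTA would, so that a host missing from the policy (the DANE migration case above) is flagged before the policy is switched to enforce. All inputs are constructed sample values so the script runs offline; the function names ConvertFrom-MTASTSRecord, ConvertFrom-MTASTSPolicy and Test-MTASTSMxMatch are this example's own, not module cmdlets.

```powershell
# Added example, not part of the PS.MTA-STS module. Parses an MTA-STS TXT record and
# policy file and checks MX hosts against the policy's mx patterns.

function ConvertFrom-MTASTSRecord {
    # Parses "v=STSv1; id=...;" into an object with Version and Id.
    param([Parameter(Mandatory)][string]$Record)
    $fields = @{}
    foreach ($pair in ($Record -split ';')) {
        $pair = $pair.Trim()
        if (-not $pair) { continue }
        $name, $value = $pair -split '=', 2
        $fields[$name.Trim()] = "$value".Trim()
    }
    if ($fields['v'] -ne 'STSv1') { throw "Not an MTA-STS record: '$Record'" }
    if (-not $fields['id']) { throw "MTA-STS record has no id" }
    [pscustomobject]@{ Version = $fields['v']; Id = $fields['id'] }
}

function ConvertFrom-MTASTSPolicy {
    # Parses the "key: value" lines of mta-sts.txt; mx may appear several times.
    param([Parameter(Mandatory)][string]$PolicyText)
    $policy = [ordered]@{ version = $null; mode = $null; mx = @(); max_age = $null }
    foreach ($line in ($PolicyText -split "`r?`n")) {
        if (-not $line.Trim()) { continue }
        $key, $value = $line -split ':', 2
        $key = $key.Trim(); $value = "$value".Trim()
        if ($key -eq 'mx') { $policy.mx += $value } else { $policy[$key] = $value }
    }
    if ($policy.version -ne 'STSv1') { throw "Unsupported policy version '$($policy.version)'" }
    if ($policy.mode -notin 'enforce', 'testing', 'none') { throw "Invalid mode '$($policy.mode)'" }
    if ($policy.mode -ne 'none' -and $policy.mx.Count -eq 0) { throw "Policy lists no mx entries" }
    $policy.max_age = [int]$policy.max_age
    [pscustomobject]$policy
}

function Test-MTASTSMxMatch {
    # RFC 8461 matching: an mx pattern matches the exact host name, or, when it
    # starts with "*.", any single label directly in front of the remainder.
    param([string]$MxHost, [string[]]$Patterns)
    $mxName = $MxHost.TrimEnd('.').ToLowerInvariant()
    foreach ($p in $Patterns) {
        $p = $p.TrimEnd('.').ToLowerInvariant()
        if ($p.StartsWith('*.')) {
            $suffix = $p.Substring(2)
            $labels = $mxName.Split('.')
            if ($labels.Count -gt 1 -and (($labels[1..($labels.Count - 1)]) -join '.') -eq $suffix) { return $true }
        } elseif ($mxName -eq $p) { return $true }
    }
    return $false
}

# Constructed sample data (the Exchange Online record and policy shown above plus
# one MX host that the policy does not cover).
$SampleRecord = 'v=STSv1; id=20160831085700Z;'
$SamplePolicy = @"
version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800
"@
$SampleMx = @('example-com.mail.protection.outlook.com', 'mail.example.net')

$record = ConvertFrom-MTASTSRecord -Record $SampleRecord
$policy = ConvertFrom-MTASTSPolicy -PolicyText $SamplePolicy
"Policy id $($record.Id), mode $($policy.mode), max_age $($policy.max_age)s"
foreach ($mx in $SampleMx) {
    $covered = Test-MTASTSMxMatch -MxHost $mx -Patterns $policy.mx
    $state = if ($covered) { 'covered by policy' } else { 'NOT covered: delivery via this MX fails in enforce mode' }
    '{0,-45} {1}' -f $mx, $state
}

# To feed real data instead of the samples (needs the DnsClient module and outbound HTTPS):
#   $SampleRecord = (Resolve-DnsName -Name "_mta-sts.$Domain" -Type TXT).Strings -join ''
#   $SamplePolicy = Invoke-RestMethod -Uri "https://mta-sts.$Domain/.well-known/mta-sts.txt"
#   $SampleMx     = (Resolve-DnsName -Name $Domain -Type MX).NameExchange
```

With the sample data the first MX host matches the wildcard pattern and the second is reported as not covered; a policy in testing mode would only produce a TLS-RPT failure report for such a host, while enforce mode would make compliant senders refuse to deliver.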
Defined in RFC 8460
This DNS record (TLS-RPT) allows the sending MTA to send reports (similar to DMARC) to a defined email address or HTTPS endpoint for reporting purposes. While Microsoft does not offer a service to aggregate these reports, there are plenty of TLSRPT data providers that can do this job.
_smtp._tls.example.com. IN TXT "v=TLSRPTv1;rua=mailto:reports@example.com"
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=https://reporting.example.com/v1/tlsrpt"
This module supports you at deploying and testing MTA-STS for Exchange Online. It will help you to create the required DNS records and to configure the MTA-STS policy for your domain. It will also help you to test the MTA-STS policy and to troubleshoot any issues you might encounter.
You can install this module from the PowerShell Gallery.
# Install Module using PowerShellGet
Install-Module -Name PS.MTA-STS
# Install Module using Microsoft.PowerShell.PSResourceGet
Install-PSResource -Name PS.MTA-STS
You have two options to deploy MTA-STS for your domain(s) using Azure:
- Deploy MTA-STS using Azure Static Web Apps
- Deploy MTA-STS using Azure Functions
One major difference is that Azure Static Web Apps allow you to add 5 custom domains per app, while Azure Functions allow you to add 500 custom domains per app. So if you want to deploy MTA-STS for more than 5 domains, you must deploy an Azure Function App or, alternatively, multiple Azure Static Web Apps.
If you want to deploy an Azure Static Web App to host your MTA-STS policy, check out the original deployment guide.
If you want to deploy an Azure Function App to host your MTA-STS policy using this repository, check out the PS.MTA-STS deployment guide. The deployment guide describes the needed steps and functions to deploy an Azure Function App to host your MTA-STS policy.
No matter which of the options above you choose, you will end up with an Azure resource that hosts your MTA-STS policy. In both cases, you will be able to use at least
- 'Export-PSMTASTSDomainsFromExo' function to get a CSV file containing your accepted domains with MX record validation
- 'Update-PSMTASTSFunctionAppFile' function to update the function app files with your MTA-STS policy
- 'Test-MTASTSConfiguration' function to test your MTA-STS configuration for all provided domains
For more information about the functions, import the module and use 'Get-Help' to get the help for the functions.
Import-Module -Name PS.MTA-STS
Get-Help -Name Export-PSMTASTSDomainsFromExo -Full
Get-Help -Name Update-PSMTASTSFunctionAppFile -Full
Get-Help -Name Test-MTASTSConfiguration -Full
If you already have an MTA-STS deployment and want to update the MTA-STS policy, you can use the 'Update-PSMTASTSFunctionAppFile' function to update the MTA-STS policy for your domains. This is useful if you want to change the policy mode from 'Testing' to 'Enforce' or if you want to update your app files with the latest version of this module.
Update-PSMTASTSFunctionAppFile -ResourceGroupName 'rg-PSMTASTS' -FunctionAppName 'func-PSMTASTS' -PolicyMode 'Enforce'
# Updates the Azure Function App with the name 'func-PSMTASTS' in the resource group 'rg-PSMTASTS' with policy mode 'Enforce'.
# This will overwrite any changes you made to the Azure Function App!
You can also use the Update-PSMTASTSFunctionAppFile function to update the MTA-STS policy for your domains automatically. This function will update the MTA-STS policy for your domains and will also update the Azure Function App with the latest version of this module. That is especially useful if you want to add new MX endpoints because you want to take advantage of SMTP DANE with DNSSEC.
If you want to migrate or rebuild your MTA-STS deployment, check out our Migrate MTA-STS deployment from Azure Static Web App or old Azure Function App to new Azure Function App guide.
For more information about the latest changes, please check out the release notes.
For more information about frequently asked questions, please check out the FAQ.