By Nathan Willis
April 20, 2016
It is no secret that email has been a weak point in the security of
the standard Internet protocol suite for quite some time. While
improvements to HTTP and TLS have resulted in more robust web
security, mail transfer has lagged behind. Now, a new draft RFC has
been submitted to the Internet Engineering Task Force (IETF) that may
make SMTP connections substantially more secure, closing loopholes
that have made mail transfer vulnerable to
man-in-the-middle and cryptographic-downgrade attacks.
The draft is called SMTP
Strict Transport Security (SMTP STS), and it was first posted on
March 18. The authors work for a variety of well-known
technology companies and ISPs, including Google, Yahoo, Comcast,
Microsoft, LinkedIn, and 1&1 Internet. It sets out a standard by
which a mail server can publish an STS Policy that defines how mail
transfer agents (MTAs) can connect using TLS, how they can validate
the server’s TLS certificate, and what they should do in the case that
a TLS session cannot be correctly established. As the name implies,
SMTP STS is similar in design to HTTP Strict Transport
Security (HSTS), defined in RFC6797.
SMTP was originally defined in RFC821, long before TLS
(or SSL) were invented, and sent
all messages in the clear. The STARTTLS extension (RFC3207) added support
for TLS transport in 2002. Although reports are that STARTTLS has
proven popular with mail providers, it suffers from some severe
First, the TLS session is subject to downgrade
attacks. In the SMTP session-establishment handshake, the
STARTTLS command is sent from one machine to the other, in
the clear. Upon receipt, the remote machine is intended to respond by
initiating a TLS handshake before the SMTP session continues. But an
attacker sitting in between the two machines can simply intercept and
drop the STARTTLS command (or overwrite it with garbage), in
which case the SMTP session will continue in plaintext.
The second shortcoming is that, in a STARTTLS handshake, client
machines do not attempt to verify that the TLS certificate presented
by the server actually belongs to the expected domain. Here again, an
attacker in the middle can intercept the genuine certificate and
replace it with a fraudulent one, without the client knowing the difference.
SMTP STS defines a way for a mail server to publish a public record
that TLS is available and that SMTP clients should thus use it when making
connections. This record is the STS Policy, and has seven mandatory
- v – the SMTP STS version. Only a value of STS1
- to – a boolean indicating whether the server is “TLS
Only.” If true, then clients who encounter errors in the TLS setup
must not deliver any mail to the server.
- mx – a comma-separated list of domains for which the
- a – the authentication mechanism clients should use to
verify that the policy is authentic. The supported mechanisms are
DNSSEC and an HTTPS URI at which the client can separately request the
policy and verify that the two copies are identical.
- c – the validation method clients should use to verify
the authenticity of the server’s TLS certificate. The supported
methods are DANE TLSA (RFC7672) and verifying the PKI trust chain on the certificate
back to a root certificate authority (that is, traditional TLS
identity checking as specified in RFC6125).
- e – the maximum lifetime of the policy.
- rua – the address to which feedback and errors may be reported by the
A server can publish its STS Policy at
https://example.com/.well-known/smtp-sts or via DNS as a TXT record
under the name _smtp_sts.example.com. The draft document further
specifies that any errors reported to a server by clients should
contain details about where unexpected results were encountered: an
expired certificate, a DNSSEC failure, a certificate that does not
match the server’s domain, and so forth.
As Lucian Constantin at InfoWorld pointed
out, one possible security loophole is that the first time a
client connects to a server, it has no cached copy of the server’s STS
Policy to compare, so a man-in-the-middle attacker could, in theory,
intercept the first request and return a forged policy instead. That
forged policy would, by necessity, include an a field
similarly doctored to direct the client to an attacker-controlled
server when authenticating the policy.
The draft’s support for DNS-based policy publishing provides the
means for some additional robustness against man-in-the-middle attacks
over what is offered by TLS identity checking. If a server’s STS Policy is
published as a TXT record in a DNSSEC-protected zone, clients can verify its authenticity. Furthermore, the c field can be used to specify that
a DANE TLSA record for the server’s TLS certificate is required for
validation. Thus, an attacker would have to compromise the DNSSEC
server in addition to intercepting the SMTP handshake.
The draft also notes that clients are not obligated to accept STS
Policies the first time they retrieve them from a server. Instead,
they are permitted to use the rua reporting mechanism to tell
the server’s administrators what they saw. That report can be sent “offline”
or during a different session, potentially allowing failures and suspicious reports to be
routed around a man-in-the-middle attack. Such a reporting feature is
not found in HSTS; nevertheless, SMTP STS is still a “trust on first
The authors of the draft list
two other options to be considered for future inclusion in STMP
STS as well. They are certificate pinning, in which a policy could
specify specific certificates that must appear in the
certificate-validation chain, and policy distribution, in which sites’
policies could be recorded and publicly tracked.
The draft also speculates that it could be worthwhile for a policy
to specify the list of cryptographic ciphers and TLS versions that the
server accepts, and perhaps to specify that all mail received
from the server’s domain should be expected to arrive over TLS.
The latter feature would, in theory, allow a mail server to check for an STS
Policy for incoming mail domains and, thus, reject mail that is “supposed to”
arrive over TLS but does not. The draft notes, however, that such
a policy would come with its share or potential man-in-the-middle
attacks to be guarded against, and may not offer significant gains.
STARTTLS has, no doubt, improved the security of e-mail transfer,
but it is far from complete. SMTP STS hopefully closes some of the
more egregious holes.
(Log in to post comments)