Introducing PS.MTA-STS: a PowerShell module to enhance mail flow security with MTA-STS
Published Mar 04 2024 09:44 AM

TL;DR 

  • MTA-STS is a standard that allows domain owners to specify how mail servers should handle the encryption and authentication of their SMTP connections. 
  • MTA-STS can help prevent email spoofing, interception, and tampering by enforcing TLS encryption and certificate validation for your domains. 
  • PS.MTA-STS is a new, open-source PowerShell module that simplifies the deployment and testing of MTA-STS for your Exchange Online domains. 
  • PS.MTA-STS can export a list of your domains that support MTA-STS, configure an Azure function app to host the required MTA-STS policy for Exchange Online, and test your configuration for all domains at once. 
  • You can find PS.MTA-STS on GitHub and PowerShell Gallery.  

This PowerShell module is not an official Microsoft product, and it is provided "as is" without warranty or support. Please open issues through GitHub.

What is MTA-STS and why should you care? 

MTA-STS stands for Mail Transfer Agent Strict Transport Security. It is a standard (RFC 8461) that allows domain owners to specify how mail servers should handle the encryption and authentication of their SMTP connections. 

By default, SMTP is sent in plain text. Exchange Online uses Opportunistic TLS to try establishing TLS encryption for emails it processes, but this requires both the sending and receiving MTAs (email servers) to support TLS. If one of the servers does not support TLS, or appears to not support it, the servers will fall back to plain text. 

This creates a vulnerability for email security, as attackers can exploit this fallback mechanism to intercept, modify, or spoof emails in transit. For example, an attacker can perform a man-in-the-middle attack and strip the STARTTLS command from the SMTP conversation, forcing the servers to communicate in clear text. 

MTA-STS addresses this vulnerability by allowing domain owners to publish a policy that instructs the sending servers to always use TLS encryption and validate the receiving server's certificate for their domain. If the sending server supports MTA-STS and encounters a problem with the encryption or authentication of the connection, it will not deliver the email and instead generate a bounce message. This way, MTA-STS can help prevent email spoofing, interception, and tampering by enforcing a higher level of security for your domains. 

How does MTA-STS work with Exchange Online? 

Exchange Online supports both inbound and outbound protection with MTA-STS. This means that Exchange Online can act as both a sending and a receiving server that follows the MTA-STS policy of the domains involved in the mail flow. 

You can learn more about inbound and outbound protection with MTA-STS in Exchange Online in our earlier blog post at Introducing MTA-STS for Exchange Online - Microsoft Community Hub. 

How to deploy MTA-STS for Exchange Online without automation? 

If you are using Exchange Online, you can take advantage of MTA-STS to enhance your mail flow security with your external partners and customers. However, deploying MTA-STS for your domains requires some steps and prerequisites that you need to follow carefully. The full, manual description is documented at Enhancing mail flow with MTA-STS | Microsoft Learn. 

As you can see, deploying MTA-STS for your domains is not a trivial task, especially if you have many domains to configure. That's why we created PS.MTA-STS, a PowerShell module that can help you automate and simplify this process. 

What is PS.MTA-STS and how can it help you? 

PS.MTA-STS is a new, open-source PowerShell module that we developed to help administrators deploy and test MTA-STS for their Exchange Online domains. It is not an official Microsoft product and it is provided "as is" without warranty or support. However, we hope that it can be useful for the Exchange Online community and we welcome any feedback or contribution. 

PS.MTA-STS can help you with the following tasks: 

  • Exporting a list of your domains that support MTA-STS. You can use the Export-PSMTASTSDomainsFromExo function to get a CSV file that contains the names and the MTA-STS status of your domains in Exchange Online. This can help you decide which domains you want to configure for MTA-STS. 
  • Creating an Azure function app to host the MTA-STS policy file. You can use the Start-PSMTASTSFunctionAppDeployment function to create and preconfigure your Azure function app in your specified Azure location with your selected Azure resource names. 

Alternatively, you can follow the instructions in our GitHub Repository on how to deploy the necessary resources manually. 

  • Configuring an Azure function app to host the MTA-STS policy file. You can use the Get-, Add-, and Remove-PSMTASTSCustomDomain functions to manage your domains in the Azure function app. These functions support you in publishing the MTA-STS policy file for your specified domains, including the necessary certificate. 
  • Testing your configuration for all domains at once. You can use the Test-PSMTASTSConfiguration function to check the MTA-STS status of your domains and get a simple report of any errors or warnings. This can help you troubleshoot and fix any issues with your MTA-STS deployment. 
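To show what a policy check like Test-PSMTASTSConfiguration has to verify, here is an added example (not code from PS.MTA-STS) that validates the contents of an MTA-STS policy file against the rules in RFC 8461: version STSv1, a valid mode, a max_age within range, and at least one mx line. The Exchange Online MX wildcard used as the expected pattern, and the sample policies, are assumptions constructed for the example.

```powershell
# Added example, not part of the PS.MTA-STS module: offline validation of an
# MTA-STS policy file (RFC 8461 section 3.2). The expected MX pattern is an
# assumption for Exchange Online tenants; adjust it for other providers.
function Test-MtaStsPolicyText {
    param(
        [Parameter(Mandatory)] [string] $PolicyText,
        [string] $ExpectedMxPattern = '*.mail.protection.outlook.com'   # assumed EXO MX wildcard
    )
    $errors = [System.Collections.Generic.List[string]]::new()
    $fields = @{}
    $mx = @()
    foreach ($line in ($PolicyText -split "`r?`n")) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $parts = $line -split ':', 2                      # "key: value", split only on the first colon
        if ($parts.Count -ne 2) { $errors.Add("Malformed line: '$line'"); continue }
        $key = $parts[0].Trim(); $value = $parts[1].Trim()
        if ($key -eq 'mx') { $mx += $value } else { $fields[$key] = $value }   # mx may repeat
    }
    if ($fields['version'] -ne 'STSv1') { $errors.Add('version must be STSv1') }
    if ($fields['mode'] -notin 'enforce', 'testing', 'none') { $errors.Add('mode must be enforce, testing or none') }
    $maxAge = 0
    # max_age is in seconds; RFC 8461 caps it at 31557600 (one year)
    if (-not [int]::TryParse($fields['max_age'], [ref] $maxAge) -or $maxAge -lt 1 -or $maxAge -gt 31557600) {
        $errors.Add('max_age must be an integer between 1 and 31557600 seconds')
    }
    if ($fields['mode'] -ne 'none' -and $mx.Count -eq 0) { $errors.Add('at least one mx line is required') }
    if ($mx.Count -gt 0 -and -not ($mx -contains $ExpectedMxPattern)) {
        $errors.Add("no mx line matches the expected pattern $ExpectedMxPattern")
    }
    [pscustomobject]@{
        Mode    = $fields['mode']
        MaxAge  = $maxAge
        Mx      = $mx
        IsValid = ($errors.Count -eq 0)
        Errors  = $errors.ToArray()
    }
}

# Constructed sample policies: one correct, one with two common mistakes (misspelled mode, max_age of 0).
$good = "version: STSv1`nmode: enforce`nmx: *.mail.protection.outlook.com`nmax_age: 604800"
$bad  = "version: STSv1`nmode: enforced`nmx: *.mail.protection.outlook.com`nmax_age: 0"
Test-MtaStsPolicyText -PolicyText $good | Format-List
Test-MtaStsPolicyText -PolicyText $bad  | Format-List
```

To check a published policy instead of the constructed sample, pass the text returned by Invoke-RestMethod for https://mta-sts.<your domain>/.well-known/mta-sts.txt as -PolicyText.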

How to use PS.MTA-STS? 

To use PS.MTA-STS, you need to have PowerShell 7 or later installed on your machine. You also need to have an Azure subscription and the permission to create and configure a resource group and Azure resources within it. 

Once you have the prerequisites, you can install PS.MTA-STS from the PowerShell Gallery by running the following command: 

Install-Module -Name PS.MTA-STS 

After that, you can use the PS.MTA-STS functions to deploy the Azure Function App, manage your domains and test your configuration. You can find the detailed step-by-step guide in our GitHub Repository. 

Here are some examples of how to use the module: 

# Export a list of your domains that support MTA-STS 
Export-PSMTASTSDomainsFromExo -CsvOutputPath ".\MTA-STS-domains.csv" 

# Deploy a new Azure resource group and Azure function app to host the MTA-STS policy file. 
# Note: Remember to choose names according to the Resource name rules 
Start-PSMTASTSFunctionAppDeployment -Location "westeurope" -ResourceGroupName "<Name of your resource group>" -FunctionAppName "<Name of your Function App>" -StorageAccountName "<Name of your Storage Account>" 

# Add your list of domains to the Azure function app, and create and assign the certificate 
Add-PSMTASTSCustomDomain -CsvPath ".\MTA-STS-domains.csv" -ResourceGroupName "<Name of your resource group>" -FunctionAppName "<Name of your Function App>" 

# Remove a domain from the Azure function app and delete the policy file and the DNS records 
Remove-PSMTASTSCustomDomain -ResourceGroupName "<Name of your resource group>" -FunctionAppName "<Name of your Function App>" -DomainName "mta-sts.contoso.com" 

# Test the MTA-STS configuration for all domains and get a report as Csv file 
Test-PSMTASTSConfiguration -CsvPath ".\MTA-STS-domains.csv" -FunctionAppName "<Name of your Function App>" -ExportResult -ResultPath ".\MTA-STS-result.csv" 

Where to find PS.MTA-STS? 

You can find PS.MTA-STS on GitHub and PowerShell Gallery. You can also access the source code, the documentation, and the issues tracker on GitHub. We encourage you to try the module, provide feedback, report bugs, and contribute to the project. We hope that PS.MTA-STS can make your life easier and your mail flow more secure. 

Summary 

In this blog post, we introduced PS.MTA-STS, a PowerShell module that helps administrators to deploy and test MTA-STS for their Exchange Online domains. We explained what MTA-STS is, why it is important for mail flow security, and how PS.MTA-STS can simplify the configuration and testing of MTA-STS. We also showed some examples of how to use the module and where to find it. We hope that you find PS.MTA-STS useful, and we look forward to your feedback and contribution. 

Jamy Klotzsche
Cloud Solution Architect 
