Microsoft is committed to providing world-class email security solutions and the support for the latest Internet standards in order to provide advanced email protection for our customers. Today we are announcing that Exchange Online will be adding support for two new Internet standards specific to SMTP traffic.
The SMTP protocol was designed a long time ago, when message delivery was considered more important than security. Over time, as security and privacy became increasingly more important, several new standards emerged and one of those is RFC 3207: “SMTP Service Extension for Secure SMTP over Transport Layer Security (TLS)”. This is often referred to as Opportunistic TLS, or STARTTLS. Opportunistic TLS provides encryption for SMTP connections and even though it’s a great improvement over plain SMTP, it still has a significant number of vulnerabilities.
One such vulnerability is the downgrade attack, which is a form of man-in-the-middle-attack (MITM). This happens when an attacker is able to strip the STARTTLS verb from the target SMTP gateway during the initial in-the-clear communication, often resulting in the sending SMTP server simply deciding to continue sending the message in clear text rather than stopping transmission.
Another limitation that exists with Opportunistic TLS is the inability for the sending server to authenticate the identity of the receiving SMTP gateway. An attacker can spoof the receiving SMTP gateway’s DNS record and present an alternate MX record for a server that they own. Even if the connection is encrypted, the sending server will never know that email was diverted to the malicious server.
Microsoft has been working closely with partners through the industry association M3AAWG to solve such limitations throughout the email ecosystem. As a result, we have decided to build and add support for DNSSEC and DANE for SMTP to Exchange Online. This support will be specific to SMTP traffic between SMTP gateways. We will also be providing support for TLS reporting (TLS-RPT).
The support of the above standards, especially DNSSEC, will require investment and architecture changes to the Microsoft infrastructure - an investment we believe is necessary to enhance protection for our customers. As this will require significant work, we will be releasing DANE and DNSSEC for SMTP in two phases.
The first phase will include only outbound support (mail sent outbound from Exchange Online) and we aim to enable this by the end of the calendar year 2020. The second phase will add inbound support for Exchange Online and we plan to enable that by the end of 2021. For both of those phases, corresponding TLS-RPT support will be provided.
While we integrate these changes, we want to ensure our customers know that there are third party solutions available for Exchange Online. Customers have the option to run their own SMTP gateways supporting DNSSEC and DANE for SMTP and they can create Outbound and Inbound connectors to route the email messages to and from Exchange Online.
We are happy to announce support for DNSSEC and DANE for SMTP to strengthen Office 365 Exchange Online email security and provide advanced protection to our customers.
The Exchange Transport Team
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.