Mail Transfer Agent Strict Transport Security (MTA-STS) is an important email security standard designed to protect email in transit. Its primary function is to ensure that emails are sent over an encrypted connection, preventing eavesdropping and certain types of man-in-the-middle (MITM) attacks.
It works by allowing a domain to publish a policy that states its mail servers expect to receive email via a TLS-encrypted SMTP connection. Sending servers fetch and cache this policy, refusing to send email if a secure connection cannot be established. This is a powerful tool against downgrade attacks, where an attacker forces a connection to revert from an encrypted channel to plaintext.
The limits of MTA-STS and certificate authorities
So, to answer the core question directly: no, MTA-STS does not protect against a compromised Certificate Authority (CA). This is a critical limitation to understand. MTA-STS relies on the conventional web Public Key Infrastructure (PKI), which means it trusts the same set of CAs that your web browser trusts.
If a trusted CA is compromised, an attacker could trick it into issuing a fraudulent, but technically valid, TLS certificate for a mail server. When a sending server looks up the MTA-STS policy for your domain, it will attempt to make a secure connection. The attacker's server, presenting the fraudulent certificate, would satisfy the MTA-STS validation checks because the certificate is signed by a trusted authority. The sending server would then proceed to deliver the email to the attacker, who can read and manipulate it.
The Internet Engineering Task Force (IETF) draft for MTA-STS explicitly acknowledges this vulnerability. The trust model of MTA-STS is based on authenticating the server's certificate against a list of trusted CAs, not on verifying the certificate itself against an independent record.
What MTA-STS does protect against
Despite this limitation, MTA-STS is an extremely valuable layer of email security. It was not designed to solve the problem of a compromised CA, but rather to fix the long-standing issue of opportunistic encryption in SMTP. Its key protections include:
- Preventing downgrade attacks: Its primary benefit is stopping attackers from intercepting the STARTTLS command and forcing the email transfer to proceed in unencrypted plaintext.
- Thwarting passive eavesdropping: By enforcing TLS, MTA-STS ensures the content of your emails is encrypted during transit between mail servers, making it unreadable to anyone snooping on the network.
- Validating server identity (to an extent): MTA-STS verifies that the receiving server presents a valid, trusted, and non-expired TLS certificate that matches the domain name specified in the policy. This prevents attacks using self-signed or expired certificates.
Beyond MTA-STS: DANE for CA protection
For organizations concerned about the threat of a compromised CA, another standard called DNS-Based Authentication of Named Entities (DANE) offers a solution. DANE uses DNSSEC (DNS Security Extensions) to publish information about a server's TLS certificate directly in the DNS.
When a sending server connects, it can compare the certificate presented by the receiving server with the one specified in the secure DNS record. If they don't match, the connection is dropped, even if a compromised CA signed the certificate. This provides an independent verification channel that doesn't rely solely on the public CA system. While more complex to implement due to its reliance on DNSSEC, DANE directly addresses the weakness that MTA-STS has regarding CA trust.
In conclusion, MTA-STS is a fundamental building block for modern email security, effectively enforcing encryption and stopping downgrade attacks. However, it's not designed to protect against the sophisticated threat of a compromised certificate authority. For that level of security, you need to look at implementing complementary technologies like DANE.
