Date: 2023-12-18
Author: Simon Jackson
I wanted to secure my domains by deploying an end-to-end MTA-STS and TLS-RPT configuration, using Terraform to do the hard work.
A set of declared variables drives the build, all targeted at domains hosted in AWS Route53,
with controls for enabling or disabling specific components.
To embark on this automation journey, you will need:
A dedicated AWS IAM user with an access key. Capture the Access Key ID and Secret Access Key.
Assign the "AdministratorAccess" managed policy to the above IAM user.
Download the repository to your local workstation:
git clone https://github.com/sjackson0109/tf-aws-mta-sts.git
Install Terraform
https://developer.hashicorp.com/terraform/install
Set environment variables for the AWS access credentials (PowerShell syntax shown):
$env:AWS_ACCESS_KEY_ID="PASTE YOURS HERE"
$env:AWS_SECRET_ACCESS_KEY="PASTE YOURS HERE"
$env:AWS_REGION="us-east-1"
There are other options for supplying credentials; have a look here.
Initialise Terraform using:
terraform init
Update the TFVARS file, populating the domains, the mta_sts_policy configuration and the mta_sts_reporting settings.
See the example.tfvars file.
Validate that you have not broken the TFVARS file using:
terraform validate
Plan the build with:
terraform plan
Apply the changes using:
terraform apply -auto-approve
Review the output.
You might want to sign up to Report-URI; this will help massively in ensuring you have not left straggling mail clients sending mail from unapproved source locations.
There are many ways to validate the deployment. Essentially:
Check DNS for the "_mta-sts" TXT record; this should be populated with 'v=STSv1; id=yyyymmddhhmmss'.
Check DNS for the "mta-sts" CNAME record; this should target the CloudFront distribution's FQDN.
Ensure the web service returns the mta-sts.txt file from your URL:
EG: https://mta-sts.jacksonfamily.me/.well-known/mta-sts.txt
OR use an online tool instead:
https://mxtoolbox.com/SuperTool.aspx?action=mta-sts%3ajacksonfamily.me&run=toolpage
https://www.mailhardener.com/tools/mta-sts-validator?domain=jacksonfamily.me
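As an added example (not part of the original post or of the tf-aws-mta-sts repository), the checks above can be scripted offline: the code parses the "_mta-sts" TXT record and the mta-sts.txt policy file, validates them against the RFC 8461 format rules, and tests whether a given MX host is covered by the policy's mx entries. The sample record and policy are constructed values, not real DNS data.

```python
# Constructed sample records for offline testing; not real DNS answers or a live policy file.
SAMPLE_TXT = "v=STSv1; id=20231218120000"
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.example.com\nmax_age: 604800\n"

def parse_sts_txt(record):
    """Parse the _mta-sts TXT record ('v=STSv1; id=...') into a dict; raise if malformed."""
    fields = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must declare v=STSv1")
    policy_id = fields.get("id", "")
    if not (1 <= len(policy_id) <= 32 and policy_id.isalnum()):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields

def parse_sts_policy(text):
    """Parse /.well-known/mta-sts.txt; 'mx' becomes a list and max_age an int."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("version must be STSv1 and mode one of enforce, testing, none")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required unless mode is none")
    policy["max_age"] = int(policy.get("max_age", "-1"))
    if not 0 <= policy["max_age"] <= 31557600:  # RFC 8461 upper bound: one year in seconds
        raise ValueError("max_age must be 0..31557600 seconds")
    return policy

def mx_allowed(host, policy):
    """True if host matches a policy mx entry; a leading '*.' matches exactly one left-most label."""
    host = host.lower().rstrip(".")
    for pattern in (p.lower() for p in policy["mx"]):
        if pattern.startswith("*."):
            labels = host.split(".", 1)
            if len(labels) == 2 and labels[1] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False
```

Fetching the live TXT record and policy file is left to your resolver and HTTP client of choice; the functions take the raw strings so they can be reused in a monitoring job.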