MTA-STS Settings
The MTA-STS option is being released as a Preview feature. For additional information, contact Fortra Clearswift Support at clearswift.support@fortra.com.
SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) allows email service providers to require Transport Layer Security (TLS) for secure SMTP connections to their domains. With MTA-STS, a sending SMTP server delivers only to MX hosts that offer TLS with a trusted server certificate, and withholds delivery when no TLS connection with a trusted server certificate can be established.
For more information about the proposed MTA-STS standard, see: https://www.rfc-editor.org/rfc/rfc8461.html
- When configuring Outbound MTA-STS, tick the checkbox, enable Opportunistic TLS, and ensure TLS 1.2 is selected. The TLS policy is read from the target domain's website and DNS entries.
- When configuring Inbound MTA-STS, set the TLS Version to 1.2 (required), and enable Opportunistic TLS. Ensure that the TLS certificate provided is suitable for your MTA-STS configured domains. To prevent non-TLS traffic, you must configure one or more connection profiles to mandate TLS.
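The policy lookup that the outbound side performs (TXT record at `_mta-sts.<domain>`, policy file fetched over HTTPS, MX matching, and the enforce-mode delivery decision) can be modelled as follows. This is an added example, not Clearswift's code; the TXT record, policy text and host names are constructed assumptions for illustration, and the TLS outcome is passed in rather than negotiated.

```python
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample data (assumptions): the _mta-sts.<domain> TXT record and the policy file fetched over HTTPS
SAMPLE_TXT = "v=STSv1; id=20240101T000000;"
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.backup.example.com\nmax_age: 604800\n"
@dataclass
class StsPolicy:
    mode: str        # enforce | testing | none
    mx: List[str]    # permitted MX names, or "*.label" wildcards
    max_age: int     # seconds the policy may be cached

def parse_sts_txt(txt: str) -> Optional[str]:
    """Return the policy id from a _mta-sts TXT record, or None if it is not an STSv1 record."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    return fields.get("id") if fields.get("v") == "STSv1" else None

def parse_policy(text: str) -> StsPolicy:
    """Parse the key/value policy file; reject unknown versions and incomplete policies."""
    mode, mx, max_age = None, [], None
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "version" and value != "STSv1":
            raise ValueError("unsupported policy version: %s" % value)
        if key == "mode" and value in ("enforce", "testing", "none"):
            mode = value
        elif key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key == "max_age":
            max_age = int(value)
    if mode is None or max_age is None:
        raise ValueError("policy lacks a valid mode or max_age")
    return StsPolicy(mode, mx, max_age)

def mx_matches(policy: StsPolicy, mx_host: str) -> bool:
    """RFC 8461 matching: exact name, or a '*.' wildcard covering exactly one leading label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy: StsPolicy, mx_host: str, tls_trusted: bool) -> str:
    """enforce: deliver only to a listed MX over TLS with a trusted cert, else defer; other modes stay opportunistic."""
    ok = policy.mode != "enforce" or (mx_matches(policy, mx_host) and tls_trusted)
    return "deliver" if ok else "defer"
```

In testing mode the same mismatches would be reported rather than blocking delivery, which is why the gateway's mandatory-TLS behaviour in the tables below applies only when the recipient domain's policy is in enforce mode.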
MTA-STS and Opportunistic TLS are not enabled by default. To enable these settings:
- Navigate to the Clearswift Secure Email Gateway page.
- Click System menu > TLS Configuration.
- On the Settings tab under Use MTA-STS, select the desired checkboxes for Inbound MTA-STS and Outbound MTA-STS.
- Under Use TLS Communications, select the checkbox for Opportunistic TLS.
MTA-STS Outbound
Rows give the Secure Email Gateway configuration; columns give the receiving MTA configuration for the recipient domain.

| Secure Email Gateway configuration | Receiving MTA: MTA-STS correctly configured | Receiving MTA: no MTA-STS configuration |
|---|---|---|
| Outbound MTA-STS and Opportunistic TLS enabled | Mandatory TLS 1.2 | Opportunistic TLS (best common TLS if available, or clear text) |
| Outbound MTA-STS not enabled, but outbound TLS connection profile exists for recipient domain, with mandatory TLS configured | Mandatory TLS at configured version | Mandatory TLS used at configured version |
| Outbound MTA-STS not enabled, but Opportunistic TLS enabled | Opportunistic TLS (best common TLS if available, or clear text) | Opportunistic TLS (best common TLS if available, or clear text) |
MTA-STS Inbound
Rows give the sending MTA configuration; columns give the Secure Email Gateway configuration for hosted domains.

| Sending MTA configuration | Gateway: MTA-STS correctly configured, Opportunistic TLS 1.2 enabled | Gateway: no MTA-STS configuration, but inbound TLS connection profile exists for hosted domain, with mandatory TLS configured | Gateway: no MTA-STS configuration, Opportunistic TLS enabled | Gateway: no MTA-STS configuration, Opportunistic TLS not enabled |
|---|---|---|---|---|
| Supports MTA-STS | Mandatory TLS 1.2 initiated by sender | Mandatory TLS at configured version | Opportunistic TLS (best common TLS, or clear text) | Clear text |
| Doesn't support MTA-STS | Opportunistic TLS (best common TLS, or clear text) | Mandatory TLS at configured version | Opportunistic TLS (best common TLS, or clear text) | Clear text |