How to serve mta-sts.txt and other .well-known files directly from an F5 BIG-IP

Dave Rothwell, published in OS TechBlog, Aug 3, 2022 (6 min read)

If you want to improve your email security to let other mail servers know they should use TLS1.2 to avoid downgrade attacks, you need to serve an mta-sts.txt file.

If you have an F5 BIG-IP load balancer to hand, I describe a method below that you should check out.

You can adapt this method for any of the other .well-known files, or for any of the other small files that RFC authors ask you to serve without ever delving into how you might host them. Or, of course, for error pages and the like.

[Photo: F5 BIG-IP i4600]

There are other ways of cracking this nut — a web server is an obvious one. The other method I considered was using Azure. It didn’t quite tick all the boxes for us, as we have a fair few email domains. There’s a good explanation of the Azure method here: Setting up MTA-STS using Azure Static Web Apps. It is cooler to be fair.

What is .well-known?

An increasing number of standards require us to serve small text files from a well-known URI (a “folder” starting with “/.well-known/”). The method is defined in RFC 8615 and a list is maintained by the Internet Assigned Numbers Authority (IANA). There are currently 58 of these.

What is MTA-STS?

SMTP Mail Transfer Agent — Strict Transport Security (MTA-STS) is a method for mail servers to declare their ability to use secure channels for mail. This is done using specific files on a server and specific DNS TXT records.

For details on how to set up MTA-STS, you can’t go far wrong following the UK’s National Cyber Security Centre’s advice here: Using MTA-STS to protect the privacy of your emails. I’ll try not to repeat too much of what they say, instead focusing on what they miss out with their comment that, “You will need to decide on a suitable method of hosting this MTA-STS policy file”.

Getting Started

For DNS, I’ll use yourcompany.com to refer to … erm … your company.

Reporting Records

You may as well start by creating the following TXT record in DNS:

_smtp._tls.yourcompany.com → TXT → v=TLSRPTv1;rua=tls-rua@someexternalserviceifyouuseit.com,tls-alerts@yourcompany.com

This causes mail providers to send any errors to those email addresses. Only the first address is guaranteed to be sent an email, but most providers seem to oblige. This will tell you which mail providers can’t read your mta-sts.txt file and why. They don’t always tell you very clearly. Microsoft kept giving us a “StsPolicyFetchError” until we realised that we needed to send a Content-Type “text/plain; charset=utf-8” in the response header … more on that later.

Create mta-sts.txt Files

This is as per RFC 8461 SMTP MTA Strict Transport Security (MTA-STS).

Create a text file with contents based on the below:

version: STSv1
mode: testing
mx: yourcompany.mail.protection.outlook.com
max_age: 86401

Breaking that down:

  • There is only version STSv1
  • The mode of testing means mail won’t be interrupted if you make a mistake
  • If you use Microsoft M365, your MX record will look like the above and you probably use the same MX record for multiple email domains (we do) which is a time saver! To check the MX record, I’m a bit old school and would type nslookup at a command prompt and then set type=MX and then yourcompany.com. If you have multiple MX entries, put these on separate CRLF-separated lines or else Google gets upset.
  • The max_age is 24 hours and 1 second. You want it short, but apparently less than 24 hours can get ignored

On the BIG-IP

Jump on to your BIG-IP LTM and:

  • Create an iFile (System > File Management > iFile List) called mta-sts_YYMMDD (using the date as a serial number) by selecting the text file you created above
  • Create a label for this (Local Traffic > iRules > iFile List) called mta-sts by selecting the iFile created above
  • Your mileage may vary, but you will need a public IP address that resolves to a Virtual Server (as it’s called on the BIG-IP) (Local Traffic > Virtual Servers) that calls an iRule. In fact, we used an existing Virtual Server and added to an existing iRule. The address must be accessible from anywhere in the world, even from countries you’d prefer not to hear from, as they use it to stop other people compromising your email.
  • To the iRule (inside its HTTP_REQUEST event) add:

# Serve mta-sts records if applicable (.well-known/mta-sts.txt)
# Matches on the Host header only, so any path on a mta-sts.* host gets the policy file
if { [HTTP::host] starts_with "mta-sts." } {
    # Answer directly from the BIG-IP with the iFile contents; no pool member is involved
    HTTP::respond 200 -version 1.1 content [ifile get "mta-sts"] noserver Content-Type "text/plain; charset=utf-8"
    TCP::close
    return
}

There are a couple of important parts to the HTTP::respond line:

  • HTTP::respond 200 — traditionally a load balancer balances load across servers, but it can send responses without pesky servers. You must return a 200, just in case you were thinking of anything else.
  • -version 1.1 — use HTTP version 1.1 — the default is 1.0
  • content [ifile get “mta-sts”] — this grabs the content of that text file you loaded earlier
  • noserver — this removes the header value of Server: BigIP. It’s a bit of information leakage we don’t need. (I want people to read this blog post instead!)
  • Content-Type “text/plain; charset=utf-8” — if you miss this, Microsoft and Mail.ru will give you a “StsPolicyFetchError” that will take two weeks of annoying Googling to still not give you the answer (on and off, admittedly). You can also use charset=us-ascii, but it seems a bit fussy to me! Google don’t care!
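As an added example (my code, not part of the original post), here is a small Python checker that applies the rules above to a constructed policy response: HTTP 200, a text/plain Content-Type, the four RFC 8461 keys, a valid mode and a max_age of at least 24 hours. The sample body mirrors the file shown earlier; the function names are my own.

```python
# Policy keys from RFC 8461, the mode values it allows, and the 24 h floor the post mentions.
REQUIRED_KEYS = {"version", "mode", "mx", "max_age"}
VALID_MODES = {"enforce", "testing", "none"}
MIN_MAX_AGE = 86400

# Constructed sample mirroring the post's file, with CRLF line endings.
SAMPLE_BODY = ("version: STSv1\r\nmode: testing\r\n"
               "mx: yourcompany.mail.protection.outlook.com\r\nmax_age: 86401\r\n")

def parse_policy(body: str) -> dict:
    """Parse mta-sts.txt into a dict; every mx: line is collected under 'mx'."""
    policy = {"mx": []}
    for raw in body.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def check_policy_response(status: int, content_type: str, body: str) -> list:
    """Return the problems a policy fetcher would complain about (empty list = OK)."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    if content_type.split(";")[0].strip().lower() != "text/plain":
        problems.append(f"Content-Type {content_type!r} is not text/plain")
    try:
        policy = parse_policy(body)
    except ValueError as exc:
        return problems + [str(exc)]
    missing = REQUIRED_KEYS - {k for k, v in policy.items() if v}
    if missing:
        problems.append("missing keys: " + ", ".join(sorted(missing)))
    if policy.get("version") not in (None, "STSv1"):
        problems.append(f"unknown version {policy['version']!r}")
    if policy.get("mode") not in (None, *VALID_MODES):
        problems.append(f"invalid mode {policy['mode']!r}")
    age = policy.get("max_age")
    if age is not None and (not age.isdigit() or int(age) < MIN_MAX_AGE):
        problems.append(f"max_age {age!r} is not an integer of at least {MIN_MAX_AGE}")
    return problems
```

Run `check_policy_response(200, "text/plain; charset=utf-8", SAMPLE_BODY)` against what your virtual server actually returns to reproduce the Content-Type failure described above before the mail providers report it.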

Add an SSL Cert

We were lucky in most cases as we already had a cert for *.yourcompany.com. Hopefully this is the case for you, but if not, you’ll need a cert for *.yourcompany.com or mta-sts.yourcompany.com. You could get a free Let’s Encrypt certificate. I’ve always wanted to use those in full-on production, but they’re only valid for 90 days so I’d need to automate it and then trust that the automation would work reliably. A wildcard DNS resolves any.number.of.subdomains.of.yourcompany.com. But a wildcard cert only works for the first level. Not sure if that’s for more money or for security reasons!

Add the cert to the BIG-IP (System > Certificate Management > Traffic Certificate Management > SSL Certificate List > Import) and then apply it to the virtual server (Local Traffic > Virtual Servers > Properties, add from those available under SSL Profile (Client)).

More DNS

You need to point mta-sts.yourcompany.com to the real-world IP address of your BIG-IP virtual server as an A record.

Test

Check it serves okay by browsing to: https://mta-sts.yourcompany.com/.well-known/mta-sts.txt

Implementation

We’re not there yet! No-one knows of our work!

Even More DNS

Add yet another DNS TXT record like this:

_mta-sts.yourcompany.com → TXT → v=STSv1; id=202207151630;

Ramp up the Mode

Leave it a couple of weeks and check in on your reporting records. We get a handy CSV of errors, but you may just have a load of emails at that address you specified in rua=mailto.

Assuming all is well, change the text file so that mode is set to enforce. Then import it as an iFile (System > File Management > iFile List) giving it a new name (new date) and change your label to point at that new iFile (Local Traffic > iRules > iFile List) from the handy drop-down list.

That changes the file, and you can test that it’s updated, but you MUST change the TXT record before email providers will know to re-read it, e.g.:

_mta-sts.yourcompany.com → v=STSv1; id=202207291630;

Ramp up the max_age

Again, leave it a couple of weeks and check the reporting for alerts.

If you’re happy, it is recommended that your max_age is set to “at least” 2 weeks. I set it to 1209601 seconds which is 1 fortnight and 1 second. Just to be sure!

And, once you’ve changed the file, you must change your DNS TXT record.

Next Steps

Given all the DNS changes required by MTA-STS, you may want a new career as a DNS administrator.

But, if you’re happy with email admin, you may want to check your DKIM, DMARC and SPF records. And if you have domains that you don’t want to use to send emails from, there are some tips here to stop other people using those domains and pretending to be you. The article is a bit public-sector based (it speaks of a Mail Check service that is UK public sector only), but it’s all good advice.

And the final point is to BIG-IP enthusiasts that this method can be used to serve any file, such as a .well-known file, or a Proxy Auto-Config (PAC) file, or an error page when none of the servers you’re load balancing across are working!
