Technical Deep-Dive: Winding Down the STARTTLS Policy List

This is a technical guide for administrators affected by the STARTTLS Everywhere project. Check out our overview post of the project!

The STARTTLS policy list started off as a mechanism for mailservers to learn TLS information about other servers from EFF’s perspective. Since MTA-STS was launched, it has evolved into a mechanism to secure the initial MTA-STS lookup so that email operators can know when particular providers insist on secure delivery. Although we have had lots of success getting individual mailserver operators to improve their security by advertising their TLS information on the list, there appear to be few mailservers using the list to validate others.

We’re continuing to promote more scalable ways for securing your mailserver, like MTA-STS and DANE. For the time being, here are some guidelines if your mailserver is using the STARTTLS policy list for security.

What if My Mailserver Is on the List?

If you are not doing so already, we highly recommend using MTA-STS or DANE (or both!) to advertise your TLS information. We will also continue to pull updates from MTA-STS observations to update the list for domains that are currently loaded, but entries that were added manually can’t be changed unless your server deploys MTA-STS. If you are queued to be added to the list, your domain will still be added. Mailserver operators should also have received an email with more details; if you haven’t, feel free to ping starttls-policy@eff.org.

What if I’m Using the List to Validate Others?

If you’re using our Python plugin to generate security policies for Postfix, we recommend additionally using MTA-STS or DANE to validate others’ security policies. The list will continue to work, and existing entries will continue to be updated for the foreseeable future, but we won’t be adding new domains to the list.

How Do I Adopt MTA-STS?

To advertise your mailserver’s TLS information over MTA-STS, there are two steps:

  • Indicate you support MTA-STS over DNS.
  • Advertise your server’s TLS information over HTTPS.

To validate MTA-STS, there is a community-developed Postfix plugin that can help you secure your sent emails.
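As an added illustration of the two pieces a validating sender consumes (this is example code written for this guide, not EFF’s plugin or the Postfix plugin linked above), the following parses a constructed `_mta-sts.<domain>` TXT record and a constructed `.well-known/mta-sts.txt` policy in the RFC 8461 format, then applies the policy’s `mx` patterns and `mode` to a candidate MX host. Function and sample names are assumptions for this example.

```python
# Added example (not EFF's code): parse an MTA-STS TXT record and policy file
# in the RFC 8461 format and apply the policy to a candidate MX host.
SAMPLE_TXT = "v=STSv1; id=20200401120000Z;"  # constructed sample record
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""  # constructed sample policy body

def parse_sts_txt(record: str) -> dict:
    """Parse the '_mta-sts.<domain>' TXT record, e.g. 'v=STSv1; id=...'."""
    fields = dict(p.strip().split("=", 1) for p in record.split(";") if p.strip())
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STSv1 record")
    return fields

def parse_sts_policy(text: str) -> dict:
    """Parse the .well-known/mta-sts.txt body; the 'mx' key may repeat."""
    policy = {"mx": []}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy["max_age"])  # seconds to cache the policy
    return policy

def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 matching: a leading '*.' covers exactly one extra label."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        parent = pattern[2:]
        return hostname.endswith("." + parent) and "." not in hostname.removesuffix("." + parent)
    return hostname == pattern

def delivery_allowed(policy: dict, mx_host: str, tls_ok: bool) -> bool:
    """Refuse delivery only in enforce mode when TLS or the MX name fails."""
    if policy["mode"] != "enforce":
        return True  # testing/none: log or report the failure, never block mail
    return tls_ok and any(mx_matches(p, mx_host) for p in policy["mx"])
```

A real validator would additionally fetch the policy over HTTPS with certificate verification and cache it for `max_age` seconds keyed on the TXT record’s `id`.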

How Do I Adopt DANE?

To advertise your mailserver’s TLS information over DANE, your domain must first support DNSSEC; you will need to check this with your domain registrar. If you are using a DNS provider, you can check whether they automatically support DNSSEC.

Once you have verified DNSSEC support, this guide can help you get started with using Let’s Encrypt certificates with DANE. Most open-source mailservers, including Postfix and Exim, can be configured to validate DANE.

https://www.eff.org/deeplinks/2020/04/technical-deep-dive-winding-down-starttls-policy-list