dane secured e mail demonstration wes hardaker parsons
play

DANE Secured E-Mail Demonstration Wes Hardaker Parsons - PowerPoint PPT Presentation

Jun 13, 2023 •643 likes •910 views

DANE Secured E-Mail Demonstration Wes Hardaker Parsons <wes.hardaker@parsons.com> Overview My Background In scope topics Securing E-Mail Requirements Implementing Each Requirement 2 wes.hardaker@parsons.com My Background

  1. DANE Secured E-Mail Demonstration Wes Hardaker Parsons <wes.hardaker@parsons.com>

  2. Overview ● My Background ● In scope topics ● Securing E-Mail Requirements ● Implementing Each Requirement 2 wes.hardaker@parsons.com

  3. My Background ● Part of the Network Security Research Group – A small division within PARSONS – Experts on and evangalists for security protocols ● My DNS history – Multiple DNS RFCs: ● 4509, 6168, 7477, 7671, 7672 – DNSSEC-Tools development DNS-Sentinel – DNS-Sentinel ● DNS/DNSSEC monitoring service DNSSEC-Tools 3 wes.hardaker@parsons.com

  4. What I am covering ● How to set up secure E-Mail with DANE What I am not covering ● How DNSSEC and DANE work – See my slides from ICANN 53 / Buenos Aires – My YouTube “Tutorial on DANE and DNSSEC” video: ● https://www.youtube.com/watch?v=BhvU19RJrPY ● Securing E-Mail clients to their ISP – IE: We're not discussing POP, IMAP, etc. – Today: server to server (ISP to ISP) 4 wes.hardaker@parsons.com

  5. Server-to-Server Email Server-to-Server Email Simple Mail Simple Mail Transport Protocol Transport Protocol (SMTP) (SMTP) 2: Alice's ISP 2: Alice's ISP forwards the forwards the Mail Transfer message to message to Mail Transfer Agent Bob's ISP Bob's ISP Agent 1: Alice's 3: Bob's MUA Mail User Agent (MUA) downloads sends the email the message via to her ISP We're talking about IMAP or POP this today Largely secured today through Manual configuration parameters 5 wes.hardaker@parsons.com

  6. Requirements for Receiving Secure E-Mail 6 wes.hardaker@parsons.com

  7. Receiving Secure E-Mail ● Be found by the distant server DNSSEC ● Accept an authenticated connection DANE ● Accept an encrypted connection DANE ● Your DNS zone must be DNSSEC signed ● Your DNS zone must include a DANE record 7 wes.hardaker@parsons.com

  8. Receiving Secure Mail with Postfix (regardless of DANE usage) ● Create a certificate to use: openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.pem -out server.pem ● Tell postfix to use it: smtpd_tls_key_file = /etc/postfix/server.pem smtpd_tls_cert_file = /etc/postfix/server.pem smtpd_tls_security_level = may 8 wes.hardaker@parsons.com

  9. DNS Records for our test zone ● In the DNSSEC-Tools.org zone, I created: – dane.dnssec-tools.org: dane IN 60 A 192.0.2.1 ● dane IN 60 MX 10 dane.dnssec-tools.org. ● _25._tcp.dane IN 60 TLSA 3 1 1 ● e8d145d7df0b269d19a5107e489419e0445df7d3c256e0ec24a2a23 ff25d249c – And DNSSEC signed it! dane.dnssec-tools.org. 60 IN RRSIG A ● 5 3 60 20151113185506 20151014175506 3147 dnssec-tools.org. UY3+UB7GyO/eaNsf5fFTbTBx9G6R...... 9 wes.hardaker@parsons.com

  10. CRITICAL ● When you update your mail server certificate – You must update your TLSA record to match! ● You must continue to resign your zone ● You should monitor your services: – DNS/DNSSEC health checks – DANE records match the mail server certificate – Have it yell loudly when broken!! 10 wes.hardaker@parsons.com

  11. Test It! ● https://dane.sys4.de/ – A fantastic SMTP/DANE/DNSSEC testing utility – Checks if: ● Your zone is properly signed ● Your zone contains TLSA records ● Your SMTP TLS certificate matches your DANE records ● For each server! 11 wes.hardaker@parsons.com

  12. Requirements for Sending Secure E-Mail 12 wes.hardaker@parsons.com

  13. Sending Secure E-MAIL Requirements ● DNS Software that verifies DNSSEC records – EVERY lookup from start to finish must be verified – MX records – Address records – DNSSEC signatures and chain records ● Mail server software that verifies DANE records – Collects DNSSEC validated TLSA records – Certificates must match these TLSA records 13 wes.hardaker@parsons.com

  14. Configuring Postfix ● Needed deployment architecture: – DNSSEC Validating Resolver – Postifx 2.11 or better – Running on the same host ● Needed configuration: smtp_tls_security_level = dane smtp_dns_support_level = dnssec 14 wes.hardaker@parsons.com

  15. Demonstration ● Sending via an insecure mail server ● Sending to a DANE secured address ● Sending to a DANE failing address ● Sending to a domain with two MX records ● (with the first being broken) 15 wes.hardaker@parsons.com

  16. Demonstration Test #1 org ● No security turned on dnssec-tools.org ● Plain text transfer ● An undetectable man-in-the-middle possible MX NS A dane Deliver Where should I send mail? this for me! To this guy! dnssec-tools.org DNS Server Mail Transfer Agent Here's some mail My Laptop dane.dnssec-tools.org SMTP Server 16 wes.hardaker@parsons.com

  17. Demonstration Test #2 org ● Using a validating resolver dnssec-tools ● Authenticated and Encrypted E-Mail! ● No chance of a man-in-the-middle MX NS A TLSA dane Deliver Where should I send mail? this for me! To this guy! With this X.509 dnssec-tools.org DNS Server Mail Transfer Agent Here's some mail My Laptop dane.dnssec-tools.org SMTP Server 17 wes.hardaker@parsons.com

  18. Demonstration Test #3 org ● A bad guy dnssec-tools ● Simulated by a bad record! ● (could be a mistake! Be careful!) MX NS A TLSA dane-bad Deliver Where should I send mail? this for me! To this guy! With this X.509 dnssec-tools.org DNS Server Mail Transfer Agent Here's some mail My Laptop dane.dnssec-tools.org SMTP Server 18 wes.hardaker@parsons.com

  19. Demonstration Test #4 org ● Two MX records dnssec-tools ● The first one should fail ● The second should succeed NS dane-bad2 srv1 srv2 Deliver Where should I send mail? this for me! dnssec-tools.org To this guy! DNS Server With this X.509 Or this guy! Mail Transfer With this X.509 Agent My Laptop srv2.dnssec-tools.org srv1.dnssec-tools.org SMTP Server SMTP Server 19 wes.hardaker@parsons.com

  20. Come On Out And Play 28,000 Domains with DANE/SMTP enabled! And the RFC has only been out for a week! 20 wes.hardaker@parsons.com

  21. Questions? ICANN 53 Buenos Aires 21 wes.hardaker@parsons.com

  22. Extra Slides 22 wes.hardaker@parsons.com

  23. Available Software ● DNSSEC Compliant Name Servers – Most recent releases of just about everything – (no excuses here) ● Mail Software – Postfix 2.11 or higher – EXIM 4.85 or higher 23 wes.hardaker@parsons.com

  24. Try looking up the data! ● Using a DNSSEC compliant resolver: – dig dane.dnssec-tools.org MX – dig dane.dnssec-tools.org A – dig _25._tcp.dane.dnssec-tools.org TLSA – dig +dnssec dane.dnssec-tools.org MX 24 wes.hardaker@parsons.com

  25. Resources ● RFC6698 DANE ● RFC7218 DANE Acronyms ● RFC7672 SMTP ● RFC7671 DANE Guidance ● http://www.dnssec-tools.org/ ● http://postfix.org/ 25 wes.hardaker@parsons.com

Recommend

Opportunistic SMTP Security Wes Hardaker Parsons &lt;wes.hardaker@parsons.com&gt; Overview

Opportunistic SMTP Security Wes Hardaker Parsons &lt;wes.hardaker@parsons.com&gt; Overview

Opportunistic SMTP Security Wes Hardaker Parsons &lt;wes.hardaker@parsons.com&gt; Overview E-Mail Overview Where E-Mail Can Go Wrong Securing E-Mail Requires DNSSEC Securing SMTP Using DNSSEC and DANE 2 wes.hardaker@parsons.com

678 views • 31 slides
DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant,

DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant,

DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant, Opportunistic Security for Server To Server E-Mail Delivery Overview Server-to-Server E-Mail background SMTP Vulnerabilities DANE/SMTP to

360 views • 16 slides
Sending E-Mail Today MX Priority #1 SMTP Exchange

Sending E-Mail Today MX Priority #1 SMTP Exchange

DANE and SMTP: TLS Protec4on for SMTP Using DANE and DNSSEC Russ Mundy &amp; Wes Hardaker Parsons &lt;Russ.Mundy@parsons.com&gt; &lt;mundy@4slabs.com&gt; 7/17/13

481 views • 9 slides
EOS WG proposal Wes Hardaker &lt;hardaker@tislabs.com&gt; draft-hardaker-eos-oops-00.txt

EOS WG proposal Wes Hardaker &lt;hardaker@tislabs.com&gt; draft-hardaker-eos-oops-00.txt

EOS WG proposal Wes Hardaker &lt;hardaker@tislabs.com&gt; draft-hardaker-eos-oops-00.txt 2002.Jul.18 Agenda Overview: motivations and PDU definitions Examples Benifits Known Issues and Questions Motivations Solve the problems recently

438 views • 21 slides
Have a Strategy in Place For Unexpected DNSSEC Events Wes Hardaker

Have a Strategy in Place For Unexpected DNSSEC Events Wes Hardaker

Have a Strategy in Place For Unexpected DNSSEC Events Wes Hardaker &lt;wes.hardaker@parsons.com&gt; Overview Your Operational Panic Binder DNS Failure Strategies DNSSEC Failure Strategies Documenting Lessons Learned Your

356 views • 18 slides
EOS OOPS SMIng Issues Wes Hardaker &lt;hardaker@tislabs.com&gt;

EOS OOPS SMIng Issues Wes Hardaker &lt;hardaker@tislabs.com&gt;

EOS OOPS SMIng Issues Wes Hardaker &lt;hardaker@tislabs.com&gt; draft-hardaker-eos-oops-02pre.txt 2002.Nov.20 Overview Indexing issues External augmentations to structures/data How is data expected to be accessed? Search examples Upfront

397 views • 8 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker &lt;wes.hardaker@parsons.com&gt; Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
Is DANE the Future of Secure Mail? Evaluation of DNS-based Authentication of Named Entities in

Is DANE the Future of Secure Mail? Evaluation of DNS-based Authentication of Named Entities in

Chair for Network Architectures and Services Technische Universit at M unchen Is DANE the Future of Secure Mail? Evaluation of DNS-based Authentication of Named Entities in the Context of Electronic Mail Security Stefan Fochler April 7,

987 views • 57 slides
Netconf Protocol: Security Considerations Wes Hardaker &lt;hardaker@tislabs.com&gt; 2004.Aug.05

Netconf Protocol: Security Considerations Wes Hardaker &lt;hardaker@tislabs.com&gt; 2004.Aug.05

Netconf Protocol: Security Considerations Wes Hardaker &lt;hardaker@tislabs.com&gt; 2004.Aug.05 Netconf Authentication and Access Control There is inherent access control now: The authentication process should result in an entity whose

373 views • 12 slides
DANE COUNTY JAIL UPDATE STUDY GOING FROM THIS: TO THIS: Presentation to The Dane County Public

DANE COUNTY JAIL UPDATE STUDY GOING FROM THIS: TO THIS: Presentation to The Dane County Public

DANE COUNTY JAIL UPDATE STUDY GOING FROM THIS: TO THIS: Presentation to The Dane County Public Protection &amp; Judiciary Committee INTRODUCTIONS David Way Curtiss Pulitzer Patrick Jablonski Eric Lawson Jan Horsfall OVERVIEW OF THE REPORT

583 views • 57 slides
Dane Bank Consultation 8 th November 2018 The Aim of the Meeting To find out more about Dane

Dane Bank Consultation 8 th November 2018 The Aim of the Meeting To find out more about Dane

Dane Bank Consultation 8 th November 2018 The Aim of the Meeting To find out more about Dane Bank s reasons for considering conversion to Academy Status Opportunity for governors to find out more about how parents and carers feel

562 views • 35 slides
Secured Mortgage Income Fund Are your investments secured and predictable? Fund Mandate u To

Secured Mortgage Income Fund Are your investments secured and predictable? Fund Mandate u To

Secured Mortgage Income Fund Are your investments secured and predictable? Fund Mandate u To provide investors with consistent monthly income secured by real property mortgages that are prudently written to safeguard capital. u Statesman Capital

572 views • 20 slides
DANE COUNTY JAIL UPDATE STUDY Presentation to the Dane County Board June 15, 2017 INTROD

DANE COUNTY JAIL UPDATE STUDY Presentation to the Dane County Board June 15, 2017 INTROD

DANE COUNTY JAIL UPDATE STUDY Presentation to the Dane County Board June 15, 2017 INTROD ODUCTION ONS Curtiss Pulitzer Patrick David Way Jan Horsfall Project Justice Jablonski, PhD Architect Manager Specialist Statistician

856 views • 57 slides
DANE COUNTY JAIL UPDATE STUDY- OPTION 3 Presen entation t n to Dane e Coun unty P Publ blic

DANE COUNTY JAIL UPDATE STUDY- OPTION 3 Presen entation t n to Dane e Coun unty P Publ blic

DANE COUNTY JAIL UPDATE STUDY- OPTION 3 Presen entation t n to Dane e Coun unty P Publ blic c Protect ection &amp; Judici ciary Committee ee June 13, 2017 INTROD ODUCTION ONS Curtiss Pulitzer Cheryl Gallant David Way Jan Horsfall

440 views • 41 slides
Lessons for Secured Creditors Guidance for Secured Creditors on Lien Ride-Throughs After In re N.

Lessons for Secured Creditors Guidance for Secured Creditors on Lien Ride-Throughs After In re N.

Presenting a live 90-minute webinar with interactive Q&amp;A Lien Stripping in Chapter 11 Bankruptcy Cases: Lessons for Secured Creditors Guidance for Secured Creditors on Lien Ride-Throughs After In re N. New Eng. Tel. Operations WEDNESDAY,

510 views • 47 slides
UNDERSTANDING UNITED STATES IMMIGRATION LAWS Paul Parsons Paul Parsons, PC 704 Rio Grande

UNDERSTANDING UNITED STATES IMMIGRATION LAWS Paul Parsons Paul Parsons, PC 704 Rio Grande

2017 UT System Legal Conference UNDERSTANDING UNITED STATES IMMIGRATION LAWS Paul Parsons Paul Parsons, PC 704 Rio Grande Austin, TX 78701 Telephone: (512) 477-7887 www.immigrate-usa.com parsons@immigrate-usa.com UNDERSTANDING UNITED

623 views • 25 slides
Advanced Git DAVID PARSONS 1 Reminders DAVID PARSONS ADVANCED GIT 2 Generali(es DAVID

Advanced Git DAVID PARSONS 1 Reminders DAVID PARSONS ADVANCED GIT 2 Generali(es DAVID

Advanced Git DAVID PARSONS 1 Reminders DAVID PARSONS ADVANCED GIT 2 Generali(es DAVID PARSONS - ADVANCED GIT 3 Two fundamental rules ! Commit o5en Keep commits small and commit together only related changes (commit = minimal

1.04k views • 100 slides
Dane County Council on Climate Change Buildings Working Group recommendation May 8, 2018 Dane

Dane County Council on Climate Change Buildings Working Group recommendation May 8, 2018 Dane

Dane County Council on Climate Change Buildings Working Group recommendation May 8, 2018 Dane County OECC Buildings Working Group National talent local commitment to place Technical rigor Market alignment Deeply

442 views • 23 slides
WITH VERFPLOETER WOUTER B. DE VRIES , RICARDO DE O. SCHMIDT, WES HARDAKER, JOHN HEIDEMANN,

WITH VERFPLOETER WOUTER B. DE VRIES , RICARDO DE O. SCHMIDT, WES HARDAKER, JOHN HEIDEMANN,

BROAD AND LOAD-AWARE ANYCAST MAPPING WITH VERFPLOETER WOUTER B. DE VRIES , RICARDO DE O. SCHMIDT, WES HARDAKER, JOHN HEIDEMANN, PIETER-TJERK DE BOER AND AIKO PRAS London - November 3, 2017 ACM Internet Measurement Conference 2017 INTRODUCTION

437 views • 41 slides
CLEANTECH DEMONSTRATION Program Addressing a Critical Gap Growth, #, $ Demonstration Program

CLEANTECH DEMONSTRATION Program Addressing a Critical Gap Growth, #, $ Demonstration Program

Green &amp; Digital Demonstration CLEANTECH DEMONSTRATION Program Addressing a Critical Gap Growth, #, $ Demonstration Program Globalization Commercialization Demonstration Acceleration Incubation Ideation Time The Vision Next

490 views • 14 slides
EWR Terminal One Redevelopment Program TUTOR PERINI/PARSONS, JV 1 Overview of Tutor

EWR Terminal One Redevelopment Program TUTOR PERINI/PARSONS, JV 1 Overview of Tutor

NEWARK LIBERTY INTERNATIONAL AIRPORT EWR Terminal One Redevelopment Program TUTOR PERINI/PARSONS, JV 1 Overview of Tutor Perini/Parsons, JV Purpose of The MWBE Forum Tutor Perini/Parsons, JV, STV and Grimshaw want to continue building

744 views • 53 slides
Research Project 1: Implementing DANE Pieter Lexis System and Network Engineering Wed, Feb 8

Research Project 1: Implementing DANE Pieter Lexis System and Network Engineering Wed, Feb 8

Research Project 1: Implementing DANE Pieter Lexis System and Network Engineering Wed, Feb 8 2012 1 of 21 Table of contents Basics DNS and DNSSEC PKIX and trust DANE Research Swede Features Reactions Tests and results Conclusion 2 of

841 views • 24 slides
INTRODUCTION TO GIT DAVID PARSONS 1 Source Code Management Tools DAVID PARSONS - INTRODUCTION

INTRODUCTION TO GIT DAVID PARSONS 1 Source Code Management Tools DAVID PARSONS - INTRODUCTION

INTRODUCTION TO GIT DAVID PARSONS 1 Source Code Management Tools DAVID PARSONS - INTRODUCTION TO GIT DAVID PARSONS - INTRODUCTION TO GIT 2 Source code managers (scm) a.k.a. version control systems (vcs) Allow for the complete

1.83k views • 123 slides
Evolutionary Architectures @neal4d nealford.com with Rebecca Parsons &amp; Pat Kua 1 Rebecca

Evolutionary Architectures @neal4d nealford.com with Rebecca Parsons &amp; Pat Kua 1 Rebecca

Evolutionary Architectures @neal4d nealford.com with Rebecca Parsons &amp; Pat Kua 1 Rebecca Parsons Pat Kua Neal Ford Photos by Martin Fowler: http://martinfowler.com/albums/ThoughtWorkers/ 2 3 3 1 Architecture is the decisions that

1.32k views • 120 slides

More recommend