mail security and the dns
play

MAIL SECURITY AND THE DNS John Levine STANDCORE LLC ICANN 65 | - PowerPoint PPT Presentation

Jan 15, 2023 •535 likes •867 views

MAIL SECURITY AND THE DNS John Levine STANDCORE LLC ICANN 65 | Marrakech MAIL AND SMTP ARE VERY VERY OLD Message format from RFC 733 in 1977 SMTP from RFC 788 in 1981 Both pretty much the same today, with a lot of extensions DNS

  1. MAIL SECURITY AND THE DNS John Levine STANDCORE LLC ICANN 65 | Marrakech

  2. MAIL AND SMTP ARE VERY VERY OLD • Message format from RFC 733 in 1977 • SMTP from RFC 788 in 1981 • Both pretty much the same today, with a lot of extensions • DNS wasn’t invented until RFC 881/2/3 in 1983 • MX records for mail routing in RFC 974 in 1986 Mail security and the DNS | Standcore | ICANN 65 2

  3. INTERNET MAIL ARCHITECTURE Receiver Sender MTA MTA Sender Receiver MUA MUA Mail security and the DNS | Standcore | ICANN 65 3

  4. INTERNET MAIL TLAS SUBMI MSA User PC T Sender MTA MUA or webmai SMT l P User PC POP / IMAP Recipient MTA MUA or webmail Mail security and the DNS | Standcore | ICANN 65 4

  5. WHAT PROBLEM ARE WE SOLVING? • Spam started to be a problem in mid 1990s • Phish and malware in the 2000s • Identify unwanted mail by sender, malicious mail by content such as URLs • Spam filters are complex: today we only look at bits that use the DNS Mail security and the DNS | Standcore | ICANN 65 5

  6. SMTP ENVELOPE AND BODY connection from 203.0.113.1 220 mail1.example.com mh ESMTP HELO mailout.example.com 250 mail1.example.com MAIL FROM:<bob@example.com> or MAIL FROM:<> 250 2.1.0 Sender accepted. RCPT TO:<mary@example.net> 250 2.1.5 Recipient accepted. ... Mail security and the DNS | Standcore | ICANN 65 6

  7. SMTP ENVELOPE AND BODY DATA 354 End your message with a period on a line by itself. --- message header including To:, From:. Cc: --- --- and message body --- . 250 2.6.0 Accepted message qp 50475 bytes 976 QUIT 221 2.0.0 Good bye. Mail security and the DNS | Standcore | ICANN 65 7

  8. MX AND A/AAAA RECORDS TO FIND MAIL SERVERS To: bob@examp1e.com • Look up MX records examp1e.com MX 10 mx1.example.net • Look up A/AAAA records mx1.example.net A 192.0.2.1 mx1.example.net AAAA 2001:db8:42::a3:f • If no MX, fall back to A/AAAA • 30 years of backward compatibility Mail security and the DNS | Standcore | ICANN 65 8

  9. PTR VALIDATION OF SENDING IP ADDRESSES Receiver • Mail server gets connection from 203.0.113.1 MTA • Do rDNS lookup 1.113.0.203.in-addr.arpa PTR mailout.example.net • Then check forward lookup mailout.example.net A 203.0.113.1 • Do they match and look non-generic? • Matching forward/reverse says static allocation • Generic name says random residential user, e.g. cpe-74-66-241-88.nyc.res.rr.com Mail security and the DNS | Standcore | ICANN 65 9

  10. DNS BLACK/WHITELIST OF IPS • Mail server gets connection from 203.0.113.1 • Look up IP in DNSBLs configured in inbound MTA: 1.113.0.203.bl.badguys.net NXDOMAIN ☞ OK 1.113.0.203.bl.badguys.net A 127.0.0.5 ☞ uh oh • Low bits typically indicate why listed • Sometimes used to block outright, sometimes in spam scoring • DNS whitelists exist but aren’t very interesting Mail security and the DNS | Standcore | ICANN 65 10

  11. DNS BLACK/WHITELIST OF DOMAINS • Envelope or body URL domain name maybe.org • Look up IP in DNSBLs configured in inbound MTA: maybe.org.dbl.badguys.net NXDOMAIN ☞ OK maybe.org.dbl.badguys.net A 127.0.0.5 ☞ uh oh • Low bits typically indicate why listed • Newly registered, seen in phish, related to other malicious, ... • Envelope often used to block outright, body URL in spam scoring Mail security and the DNS | Standcore | ICANN 65 11

  12. SPF PATH VALIDATION HELO mailout.example.net MAIL FROM:<bob@example.com> • Check SPF record for sending or HELO domain example.com TXT “v=spf1 mx ip4:203.0.113.0/25 ~all” • No changes to mail sending • Complex spec, can say yes, no, or two kinds of in between Mail security and the DNS | Standcore | ICANN 65 12

  13. SPF PATH VALIDATION HELO mailout.example.net MAIL FROM:<bob@example.com> • Typically used in DMARC or to whitelist known senders • Can’t describe a lot of valid mail • Doesn’t mean the mail is good , only that it was sent by the purported envelope sender Mail security and the DNS | Standcore | ICANN 65 13

  14. DKIM MESSAGE CONTENT VALIDATION • Cryptographic signature of hashes of message headers and content • Validation key in the DNS DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=example.com; h=date:message-id:from:to:cc:subject:in-reply-to; s=k1906; bh=3MVSYjdcf7HbxwaOvclgeGwI+is5VbRZigtSsm/jiUU=; b=R6ZT1a9kbCXfBBCWH0KbozQBbxSrKFLVThI7tHm... k1906._domainkey.example.com TXT “v=DKIM1; h=sha256; p=MIHfMA0GCSqGSIb3DQEBA ...” Mail security and the DNS | Standcore | ICANN 65 14

  15. DKIM MESSAGE CONTENT VALIDATION • Recipient recomputes the hashes to see if the message is “the same” • If so, checks the signature against the DNS • If OK, it means the d= domain takes responsibility for the message • Still doesn’t mean the mail is good • Multiple signatures with different d= are common • Like SPF, used with DMARC and for local whitelisting • Works better with forwarding, but much more work than SPF • Breaks when forwards edit the message, e.g. mailing list • But forwarders should re-sign to take responsibility Mail security and the DNS | Standcore | ICANN 65 15

  16. DMARC SENDER POLICY • Publish sender policy for domain in the From header • From: Mr. Bob <bob@example.com> • ”Alignment” depends on SPF and DKIM • SPF: aligned if envelope has same domain and SPF says yes • DKIM: aligned if valid DKIM signature with d=example.com • If aligned, DMARC does nothing • But if not aligned ... Mail security and the DNS | Standcore | ICANN 65 16

  17. DMARC SENDER POLICY • From: Mr. Bob <bob@example.com> • _dmarc.example.com TXT “v=DMARC1; p=none; rua=mailto:dmarc-a@example.com; ruf=mailto:dmarc-f@example.com” • Policy advice to recipients on DMARC failure • None: deliver as normal • Quarantine: put in the spam folder • Reject: bounce back Mail security and the DNS | Standcore | ICANN 65 17

  18. DMARC SENDER POLICY • Policy advice to recipients on DMARC failure • None / quarantine / reject • Originally intended for phish targets like paypal.com • Repurposed when AOL and Yahoo had millions of address books stolen • Fails on a small fraction of high value mail, notably discussion mailing lists • Lots of nonsense about how DMARC unaligned is “wrong” Mail security and the DNS | Standcore | ICANN 65 18

  19. DMARC SENDER POLICY • _dmarc.example.com TXT “v=DMARC1; p=none; rua=mailto:dmarc-a@example.com; ruf=mailto:dmarc-f@example.com • Reporting via rua=<address> and ruf=<address> • rua: daily aggregate reports, fairly common • ruf: individual failure reports, fairly rare • Interesting stuff about your mail even if you state no policy Mail security and the DNS | Standcore | ICANN 65 19

  20. ARC POLICY CHAINING • Intended to undo DMARC damage to mailing lists and other forwarders • DKIM-like signatures showing chain of custody Mail security and the DNS | Standcore | ICANN 65 20

  21. ARC POLICY CHAINING ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.iecc.com; s=9f5f.5d0bad5c.k1906; t=1561046364; b=E/sM30VYN6xDl1K0s8F2YWt5Yr0F0J0L== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.iecc.com; h=from:date:message-id:to:content-type:subject:reply-to:sender; s=k1906; bh=BbD0NyCbReUbOnx=; b=X6P15BozQ2HFNVdi92DCDkz== ARC-Authentication-Results: i=1; iecc.com; arc=none; smtp.remote-ip=209.85.208.44; spf=pass spf.mailfrom=sam@them.net spf.helo=mail1.google.com; dmarc=pass header.from=them.net (p=none) Mail security and the DNS | Standcore | ICANN 65 21

  22. ARC POLICY CHAINING • Recipient can check chain of custody in mail from credible senders, e.g. mailing lists • Use chain info to do retroactive filtering • If senders are credible, why not just whitelist them? • Lists often validate only by From: address, forged spam leaks through • Relatively easy to detect using Authentication-Results in the chain • Sort of implemented at Google and VZ (Yahoo/AOL) Mail security and the DNS | Standcore | ICANN 65 22

  23. DANE TLSA SERVER CERTIFICATES • TLSA originally used to validate certificates on web servers • But can equally well validate certificates on anything Mail security and the DNS | Standcore | ICANN 65 23

  24. ARE YOU MY MAIL SERVER? 220 mail1.example.com mh ESMTP ehlo mailout.example.com 250-mail1.example.com 250-SMTPUTF8 250-8BITMIME 250-PIPELINING 250 STARTTLS STARTTLS 220 2.0.0 Ready to start TLS ... negotiate TLS session ... 220 mail1.example.com mh ESMTP TLS encrypted ehlo ... Mail security and the DNS | Standcore | ICANN 65 24

  25. ARE YOU MY MAIL SERVER? Sending Recipient MTA MTA Proxy? Mail security and the DNS | Standcore | ICANN 65 25

  26. ARE YOU MY MAIL SERVER? example.com MX 10 mail.example.com mail. Sending example. MTA com STARTTL proxy. S wtf Mail security and the DNS | Standcore | ICANN 65 26

  27. ARE YOU MY MAIL SERVER? • DNSSEC protects MX and A records • STARTTLS retrieves server’s certificate • DANE TLSA validates server’s certificate • If no match, don’t send the mail • I know this works • Because I messed up my TLSA and Comcast wouldn’t accept my mail Mail security and the DNS | Standcore | ICANN 65 27

  28. POSSIBLE FUTURE DIRECTIONS WITH DBOUND AND DMARC PSD • The Mozilla Public Suffix List is a horrible kludge • But it is very useful so we all use it • Cookie policy in browsers • CA’s signing *.example.com certificates • DMARC Organizational Domain Mail security and the DNS | Standcore | ICANN 65 28

Recommend

Chapter 5 Electronic Mail Security -Pretty Good Privacy (PGP) -S/MIME 1 Need for E-Mail

Chapter 5 Electronic Mail Security -Pretty Good Privacy (PGP) -S/MIME 1 Need for E-Mail

Chapter 5 Electronic Mail Security -Pretty Good Privacy (PGP) -S/MIME 1 Need for E-Mail Security E-mail is necessary for E-Commerce Daily communication E-Mail is also very public, allowing for access at each point from the

1.1k views • 23 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Electronic Mail Security Slide 1 Characteristics File transfer, except... sender, receiver

Electronic Mail Security Slide 1 Characteristics File transfer, except... sender, receiver

email 1 Electronic Mail Security Slide 1 Characteristics File transfer, except... sender, receiver may not be present at the same time diversity (character sets, headers, ...) not a transparent channel (8 bit data, CRLF) often

699 views • 16 slides
Electronic Mail Security December 7, 2000 email 2 Characteristics File transfer, except. . .

Electronic Mail Security December 7, 2000 email 2 Characteristics File transfer, except. . .

email 1 Electronic Mail Security December 7, 2000 email 2 Characteristics File transfer, except. . . sender, receiver may not be present at the same time diversity (character sets, headers, . . . ) not a transparent channel (8 bit

677 views • 32 slides
Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke &lt;mail@danrl.de&gt;

Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke &lt;mail@danrl.de&gt;

Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke &lt;mail@danrl.de&gt; Wed Apr 18, 2012 University of the German Federal Armed Forces, Munich Slide 1 Outline History Design Goals SSL/TLS Stack

439 views • 15 slides
Is DANE the Future of Secure Mail? Evaluation of DNS-based Authentication of Named Entities in

Is DANE the Future of Secure Mail? Evaluation of DNS-based Authentication of Named Entities in

Chair for Network Architectures and Services Technische Universit at M unchen Is DANE the Future of Secure Mail? Evaluation of DNS-based Authentication of Named Entities in the Context of Electronic Mail Security Stefan Fochler April 7,

987 views • 57 slides
Security DevOps staying secure in agile projects Christian Schneider @cschneider4711 mail@

Security DevOps staying secure in agile projects Christian Schneider @cschneider4711 mail@

Security DevOps staying secure in agile projects Christian Schneider @cschneider4711 mail@ www. `whoami` Christian-Schneider.net Software Developer, Whitehat Hacker &amp; Trainer Freelancer since 1997 Focus on JavaEE &amp;

773 views • 59 slides
VOTE B BY MAIL IL #VBMHawaii What i is Vote B By M Mail? Act 136, SLH 2019 requires all

VOTE B BY MAIL IL #VBMHawaii What i is Vote B By M Mail? Act 136, SLH 2019 requires all

VOTE B BY MAIL IL #VBMHawaii What i is Vote B By M Mail? Act 136, SLH 2019 requires all elections in Hawaii to be conducted by mail starting in 2020. Ballots packages will be mailed and received by all registered voters approx.

780 views • 13 slides
Introduction Partnership perspective Social capital Relationship building Program

Introduction Partnership perspective Social capital Relationship building Program

Emergency Management and Homeland Security Programs at UCF Partnership Perspective Dr. Naim Kapucu Department of Public Administration, University of Central Florida Programs Coordinator E mail: nkapucu@mail.ucf.edu Phone: (407) 823-6096

436 views • 9 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #3 Aug 30 st 2005 CSCI 6268/TLEN 5831, Fall 2005 Assignment #0 Please add yourself to the class mailing list Send mail

379 views • 35 slides
For ad hoc print and mail consolidation Receive, print and mail in one click! On average, mail

For ad hoc print and mail consolidation Receive, print and mail in one click! On average, mail

For ad hoc print and mail consolidation Receive, print and mail in one click! On average, mail volume has declined by 20% worldwide , over a period of 5 years.* *Source: PwC, 2013 Print facilities are There has been a decrease in print

269 views • 22 slides
Sensor Security: A Kaleidoscopic View Ren Struik (Certicom Research) E-mail:

Sensor Security: A Kaleidoscopic View Ren Struik (Certicom Research) E-mail:

July 2, 2009 RFIDSec 2009 Sensor Security: A Kaleidoscopic View Ren Struik (Certicom Research) E-mail: rstruik@certicom.com Certicom Corp. is a wholly owned subsidiary of Research in Motion, Ltd. Slide 1 Ren Struik (Certicom Research)

992 views • 73 slides
guidance for correct mail presentation How to get it right A Royal Mail guide to the

guidance for correct mail presentation How to get it right A Royal Mail guide to the

guidance for correct mail presentation How to get it right A Royal Mail guide to the presentation of mail. Use it for information and advice about: 1 Envelope layout 2 Mailpiece specification 3 Window envelopes 4 Addressing 5 Clear zones

397 views • 17 slides
Opportunistic SMTP Security Wes Hardaker Parsons &lt;wes.hardaker@parsons.com&gt; Overview

Opportunistic SMTP Security Wes Hardaker Parsons &lt;wes.hardaker@parsons.com&gt; Overview

Opportunistic SMTP Security Wes Hardaker Parsons &lt;wes.hardaker@parsons.com&gt; Overview E-Mail Overview Where E-Mail Can Go Wrong Securing E-Mail Requires DNSSEC Securing SMTP Using DNSSEC and DANE 2 wes.hardaker@parsons.com

678 views • 31 slides
The Security Implications of Climate Change: Challenges for Maritime Security Christian Webersik

The Security Implications of Climate Change: Challenges for Maritime Security Christian Webersik

The Security Implications of Climate Change: Challenges for Maritime Security Christian Webersik Professor, Deputy Director Centre for Integrated Emergency Management (CIEM) University of Agder, Norway e-mail: christian.webersik@uia.no

582 views • 13 slides
USPS Engaging Your Audience With Direct Mail Agenda Statistics Informed Delivery

USPS Engaging Your Audience With Direct Mail Agenda Statistics Informed Delivery

USPS Engaging Your Audience With Direct Mail Agenda Statistics Informed Delivery Share Mail Irresistible Mail Next Steps Mail Moment of direct mail recipients 82 % check their mailbox at the first opportunity. sort

512 views • 15 slides
Mail Merge Internals Eilidh McAdam Mail Merge Mail merge fjlls a template from a

Mail Merge Internals Eilidh McAdam Mail Merge Mail merge fjlls a template from a

Mail Merge Internals Eilidh McAdam Mail Merge Mail merge fjlls a template from a datasource, producing a single or separate documents Datasource includes databases and spreadsheets Also used to generate labels and envelopes

345 views • 17 slides
DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant,

DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant,

DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant, Opportunistic Security for Server To Server E-Mail Delivery Overview Server-to-Server E-Mail background SMTP Vulnerabilities DANE/SMTP to

360 views • 16 slides
Logistics E-mail UML 2 Should have received mail from me. If not: Check LDAP

Logistics E-mail UML 2 Should have received mail from me. If not: Check LDAP

Logistics E-mail UML 2 Should have received mail from me. If not: Check LDAP entry Indicate on attendance sheet Announcements Plan for today Its Co-op time Building a software system Orientation

475 views • 3 slides
E-Mail Transition May 4, 2010 E-Mail is Changing We are moving to two new e-mail systems.

E-Mail Transition May 4, 2010 E-Mail is Changing We are moving to two new e-mail systems.

E-Mail Transition May 4, 2010 E-Mail is Changing We are moving to two new e-mail systems. Students are migrating to Microsoft Live, branded as TigerMail Live, hosted off- campus by Microsoft. Employees will be migrating

418 views • 12 slides
CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

503 views • 31 slides
Electronic Mail: SMTP &amp; % smtp1.tex February 3, 1998 ' $ AIS 2 Electronic mail

Electronic Mail: SMTP &amp; % smtp1.tex February 3, 1998 ' $ AIS 2 Electronic mail

' $ AIS 1 Electronic Mail: SMTP &amp; % smtp1.tex February 3, 1998 ' $ AIS 2 Electronic mail Asynchronous exchange of data sender does not know when (if) data reaches receiver client mail message user transfer agent (MUA)

280 views • 14 slides
PGP from: Cryptography and Network Security Fifth Edition by William Stallings Lecture slides by

PGP from: Cryptography and Network Security Fifth Edition by William Stallings Lecture slides by

PGP from: Cryptography and Network Security Fifth Edition by William Stallings Lecture slides by Lawrie Brown (*) (*) adjusted by Fabrizio d'Amore Electronic Mail Security Despite the refusal of VADM Poindexter and LtCol North to appear, the

471 views • 31 slides
Branded Commercial Mail Storefront for Wh Who is s PMSI SI? 36 year old print and mail

Branded Commercial Mail Storefront for Wh Who is s PMSI SI? 36 year old print and mail

Branded Commercial Mail Storefront for Wh Who is s PMSI SI? 36 year old print and mail communications company providing direct mail advertising and letter shop services, commercial printing including on-demand digital printing &amp;

392 views • 9 slides

More recommend