MIT Mail System - PowerPoint PPT Presentation

Slides: 22
Provided by: informat527
Learn more at: http://web.mit.edu

Transcript and Presenter's Notes

Slide 1: MIT Mail System
Security Issues, 1 July 2003
Slide 2: Agenda
  • Introduction to the mail system
  • Authentication
  • Virus Filtering

Slide 3: The Mail System
(Diagram: mail flow between the boxes MIT Users, Outgoing, Mailhub, Post Office, Other MIT Mailers, DMZ (MX mit.edu) and Internet.)
Slide 4: The Mail System Acronymified
(Diagram: the boxes of the previous slide relabelled by role: MUA/MSA, MAA, MTA, MTA, MTA/MDA, Other MIT MTA, MTA, Internet MTA.)
  • MUA: Mail User Agent
  • MSA: Mail Submission Agent
  • MTA: Mail Transfer Agent
  • MDA: Mail Delivery Agent
  • MAA: Mail Access Agent
Slide 5: SMTP Authentication
  • MIT mail relays abused by spammers
  • Outgoing is a quasi-open relay
  • Need to further tighten Outgoing to stop this
  • The answer is SMTP authentication
  • Only authorized (authenticated) users should be allowed to
    submit mail through an MSA, and no MTA should permit open
    relaying

Slide 6: SMTP Authentication (2)
  • Benefits
    • Reduction in mail abuse
    • Protected (encrypted) transfer of email messages
    • Works around ISPs that filter normal SMTP (port 25) traffic
  • Costs
    • Additional complexity in configuration
      • Though not much
    • Older applications will need updating
    • System-to-system mail (no user to authenticate) will require
      more work

Slide 7: SMTP Authentication (3)
  • Two parts: secure transport (encryption) and authentication

Slide 8: SMTP Secure Transport
  • The great thing about standards is that there are so many to
    choose from
  • SMTPS
    • Tunnels SMTP within a secure transport (SSL) from the first
      byte of the connection
    • Supported by some clients such as Outlook, Entourage and
      Apple Mail
  • SMTP/TLS
    • RFC 3207 (STARTTLS)
    • Negotiates secure transport inside the SMTP session itself
      (starts in clear on port 25, then upgrades)
    • Supported by some clients such as Eudora 5.1 and Apple Mail
  • The moral of the story is switch to a Mac

Slide 9: Ports For Every Harbor
  • SMTP (25)
    • Traditional standard for mail transport and submission
    • IETF standards include STARTTLS (RFC 3207) on this port
  • SMTPS (465)
    • Intended for SMTP over SSL
    • The port assignment was revoked by the IETF (it was only
      re-registered for implicit-TLS submission much later, by
      RFC 8314 in 2018)
    • Some apps still use this
  • Submission (587)
    • The submission (MSA) port defined by RFC 2476; STARTTLS is
      negotiated on it
    • ISPs block outbound 25, so relying on port 25 does not solve
      the roaming problem, and the ISP's own relay does not let you
      keep your own (mit.edu) identity
  • "It may be that the SMTP transport will self-destruct by
    failing to provide connectivity sufficient to be useful"
    (Bob Frankston)

Slide 10: Our Goals
  • Secure transport for all MSA transactions
  • Require authentication
  • Support popular applications such as
    • Outlook
    • Eudora
    • Entourage
    • Apple Mail
    • Netscape
  • MIT users to be able to roam about the Internet without
    • Loss of identity
    • Difficult reconfiguration
    • Special network setups

Slide 11: Our Solution
  • Support SMTPS on 465
    • This may wither away
  • Support STARTTLS on 587
    • STARTTLS is a current standard (RFC 3207)
    • 587 is the standard submission (MSA) port (RFC 2476) and is
      in widespread use
    • We won't let a session proceed without STARTTLS:
      authentication and message submission are refused on a
      plaintext connection
  • Deprecate port 25 for submission (it remains the MTA-to-MTA
    transport port)
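
A sendmail `sendmail.mc` fragment that realises this policy, as an added example (not MIT's actual configuration; the certificate paths and the `msa.mit.edu`-style names are placeholders, and the options are those of sendmail 8.12, the version that appears in the Received header later in this deck):

```m4
dnl Added example, not MIT's configuration: an MSA that accepts submission only
dnl over TLS and only from authenticated users.  Paths are placeholders.
dnl
dnl Port 25 stays the MTA-to-MTA port; it is not used for submission.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl Replace the built-in MSA listener with our own so we can set its flags.
FEATURE(`no_default_msa')dnl
dnl Port 587, submission (RFC 2476).  M=E disables ETRN, M=a requires AUTH.
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl Port 465, SMTPS (TLS from the first byte).  M=s runs smtps on this listener.
DAEMON_OPTIONS(`Port=465, Name=TLSMTA, M=sEa')dnl
dnl Server certificate and key used for both STARTTLS and SMTPS.
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/server.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/server.key')dnl
dnl SASL mechanisms: GSSAPI for clients that present a Kerberos credential,
dnl PLAIN/LOGIN for clients that send a username/password (checked by the
dnl Kerberos-aware backend behind libsasl).
define(`confAUTH_MECHANISMS', `GSSAPI PLAIN LOGIN')dnl
dnl AuthOptions: A = honour AUTH= only when the client really authenticated,
dnl p = never offer PLAIN/LOGIN unless a security layer (TLS) is active,
dnl y = no anonymous login.  Combined with M=a above this means a client on
dnl 587 must STARTTLS before it can authenticate with a password at all.
define(`confAUTH_OPTIONS', `A p y')dnl
dnl Authenticated clients may relay anywhere; nobody else may.
TRUST_AUTH_MECH(`GSSAPI PLAIN LOGIN')dnl
FEATURE(`access_db')dnl
```

One caveat a practitioner should know: the `p` flag protects password mechanisms only. GSSAPI never transmits a password, so sendmail will still accept a GSSAPI login on a connection that has not run STARTTLS; if the message body itself must be encrypted in that case too, that has to be enforced on the client side or with a TLS-only listener.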

Slide 12: Future Issues
  • This area is a mess
    • Applications vary
    • Witch hunts for open relays (driven by spammer abuse)
    • Changing standards
  • ISP filtering
    • May get more sophisticated than a simple port filter
    • ISPs are not interested in you being able to switch providers
      easily
  • We'll see one of two things
    • New protocols or ports
    • Greater dependence on web-based solutions

Slide 13: SMTP Authentication
  • The MIT MSA supports Kerberos V5 for user authentication
    • A username/password may be tunneled within SSL/TLS (the
      SASL PLAIN/LOGIN mechanisms) and checked against the KDC
    • A Kerberos credential (ticket) may be presented directly
      • GSSAPI
      • Only Eudora supports this
  • Not supporting (client) certificates at this time
  • The recommendation is to make the authentication method
    symmetric between mail download (IMAP) and mail submission:
    whatever a client uses for IMAP it should also use for SMTP
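
The submission-side policy described on this and the previous slides, modelled as an added example (this is not MIT's MSA code): a session on port 587 that offers nothing but STARTTLS until TLS is up, rejects AUTH on a plaintext connection with the 538 reply SMTP AUTH defines for that case, refuses MAIL/RCPT until the client has authenticated, and checks SASL PLAIN credentials. The in-memory `FAKE_KDC` dictionary stands in for the real KDC check and is an assumption of the example; LOGIN and GSSAPI are advertised but not implemented here.

```python
import base64
import binascii

# Constructed stand-in for the KDC password check the slide describes.  A real
# MSA hands the username/password to a SASL backend that verifies it against
# Kerberos; this dict exists only so the example runs offline.
FAKE_KDC = {"tom@ATHENA.MIT.EDU": "correct horse battery"}


def plain_token(user: str, password: str, authzid: str = "") -> str:
    """Encode SASL PLAIN credentials (RFC 4616): authzid NUL authcid NUL passwd."""
    raw = f"{authzid}\0{user}\0{password}".encode()
    return base64.b64encode(raw).decode()


class SubmissionSession:
    """One client session on an MSA that refuses plaintext authentication and
    refuses MAIL/RCPT until the client has authenticated.

    Only the policy-relevant commands are modelled: the TLS handshake is
    represented by flipping a flag, and LOGIN/GSSAPI are advertised but not
    implemented (a real server dispatches them to libsasl)."""

    def __init__(self, check=None):
        self.tls = False          # has STARTTLS completed?
        self.user = None          # authenticated principal, if any
        self.check = check or (lambda u, p: FAKE_KDC.get(u) == p)

    def ehlo(self) -> str:
        if not self.tls:
            # Before TLS the only thing worth offering is STARTTLS itself.
            return "250-msa.mit.edu\r\n250 STARTTLS"
        return "250-msa.mit.edu\r\n250 AUTH PLAIN LOGIN GSSAPI"

    def auth(self, arg: str) -> str:
        if not self.tls:
            return "538 5.7.11 Encryption required for requested authentication mechanism"
        mech, _, token = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 5.5.4 Unrecognized authentication type"
        try:
            parts = base64.b64decode(token, validate=True).split(b"\0")
        except (binascii.Error, ValueError):
            return "501 5.5.2 Cannot decode AUTH parameter"
        if len(parts) != 3:
            return "501 5.5.2 Malformed PLAIN credentials"
        _authzid, authcid, passwd = (p.decode(errors="replace") for p in parts)
        if self.check(authcid, passwd):
            self.user = authcid
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return self.ehlo()
        if verb == "STARTTLS":
            if self.tls:
                return "503 5.5.1 TLS already active"
            self.tls = True
            self.user = None   # RFC 3207: session state is reset after the handshake
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            return self.auth(arg)
        if verb in ("MAIL", "RCPT"):
            if self.user is None:
                return "530 5.7.0 Authentication required"
            return "250 2.1.0 Sender ok" if verb == "MAIL" else "250 2.1.5 Recipient ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def run_dialogue(commands, check=None):
    """Feed a list of client commands to a fresh session; return the reply codes."""
    session = SubmissionSession(check)
    return [int(session.handle(cmd)[:3]) for cmd in commands]


if __name__ == "__main__":
    good = plain_token("tom@ATHENA.MIT.EDU", "correct horse battery")
    script = [
        "EHLO laptop.example",            # 250, only STARTTLS offered
        "AUTH PLAIN " + good,             # 538: no AUTH on a plaintext connection
        "MAIL FROM:<tom@mit.edu>",        # 530: not authenticated
        "STARTTLS",                       # 220
        "EHLO laptop.example",            # 250, AUTH now offered
        "AUTH PLAIN " + good,             # 235
        "MAIL FROM:<tom@mit.edu>",        # 250
        "RCPT TO:<someone@example.org>",  # 250: relaying allowed once authenticated
    ]
    for cmd, code in zip(script, run_dialogue(script)):
        print(f"{code}  <- {cmd[:40]}")
```

The order of the replies in the script is the whole point: a client that tries to authenticate before STARTTLS gets a hard 538 rather than silently leaking its password, and an MTA that connects to 587 without authenticating gets 530 on MAIL, which is what keeps Outgoing from being an open relay.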

Slide 14: SMTP Authentication Messages
Received: from mit.edu (vw.mit.edu [18.18.18.18]) (authenticated bits=0)
        (User authenticated as tom@ATHENA.MIT.EDU)
        by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5UFAwaT002423
        (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT)
        for <tom@mit.edu>; Mon, 30 Jun 2003 11:10:58 -0400 (EDT)
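
A parser for the sendmail Received header shown above, as an added example (not part of the original deck). It pulls out the three things an operator reading mail logs wants to see: the authenticated principal, whether the SASL exchange itself negotiated a security layer (`authenticated bits=0` means it did not, so confidentiality came entirely from TLS), and the TLS cipher, key length and client-certificate status (`verify=NOT` means no client certificate was presented, which matches the "not supporting certificates" statement on the previous slide). The second header is constructed for contrast and is not a real capture; the `ATHENA.MIT.EDU` realm check and the 128-bit minimum are assumptions of the example.

```python
import re

# Constructed sample: the header on slide 14 with the characters the transcript
# lost ("=", "[ ]", "< >", ":") restored, folded the way sendmail writes it.
TLS_AUTH_RECEIVED = (
    "from mit.edu (vw.mit.edu [18.18.18.18]) (authenticated bits=0)\n"
    "\t(User authenticated as tom@ATHENA.MIT.EDU)\n"
    "\tby melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5UFAwaT002423\n"
    "\t(version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT)\n"
    "\tfor <tom@mit.edu>; Mon, 30 Jun 2003 11:10:58 -0400 (EDT)"
)
# Constructed for contrast (not a real capture): same relay, no AUTH, no STARTTLS.
PLAINTEXT_RECEIVED = (
    "from mit.edu (vw.mit.edu [18.18.18.18])\n"
    "\tby melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5UFBxyz002431\n"
    "\tfor <tom@mit.edu>; Mon, 30 Jun 2003 11:12:01 -0400 (EDT)"
)

RE_FROM = re.compile(r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)")
RE_AUTH = re.compile(r"\(authenticated bits=(?P<bits>\d+)\)")
RE_AUTH_USER = re.compile(r"\(User authenticated as (?P<user>[^)\s]+)\)")
RE_TLS = re.compile(
    r"\(version=(?P<version>[^)\s]+)\s+cipher=(?P<cipher>[^)\s]+)"
    r"\s+bits=(?P<bits>\d+)\s+verify=(?P<verify>[^)\s]+)\)"
)
RE_BY = re.compile(r"\bby\s+(?P<by>\S+)\s+\([^)]*\)\s+with\s+(?P<proto>\S+)\s+id\s+(?P<id>\S+)")
RE_DATE = re.compile(r";\s*(?P<date>[^;]+)$")


def parse_received(header: str) -> dict:
    """Extract relay, authentication and TLS details from one sendmail Received: header."""
    text = " ".join(header.split())  # unfold continuation lines
    info = {"helo": None, "rdns": None, "ip": None, "by": None, "proto": None,
            "queue_id": None, "authenticated": False, "sasl_bits": None,
            "auth_user": None, "tls_version": None, "cipher": None,
            "tls_bits": None, "verify": None, "date": None}
    if m := RE_FROM.match(text):
        info.update(helo=m["helo"], rdns=m["rdns"], ip=m["ip"])
    if m := RE_AUTH.search(text):
        # bits=0: the SASL mechanism negotiated no security layer of its own.
        info.update(authenticated=True, sasl_bits=int(m["bits"]))
    if m := RE_AUTH_USER.search(text):
        info["auth_user"] = m["user"]
    if m := RE_TLS.search(text):
        info.update(tls_version=m["version"], cipher=m["cipher"],
                    tls_bits=int(m["bits"]), verify=m["verify"])
    if m := RE_BY.search(text):
        info.update(by=m["by"], proto=m["proto"], queue_id=m["id"])
    if m := RE_DATE.search(text):
        info["date"] = m["date"].strip()
    return info


def check_submission(info: dict, min_bits: int = 128,
                     realm: str = "ATHENA.MIT.EDU") -> list:
    """Policy findings for a message accepted by the MSA; an empty list means
    it was authenticated and encrypted.  Thresholds are example assumptions."""
    findings = []
    if not info["authenticated"]:
        findings.append("unauthenticated submission")
    elif info["auth_user"] and not info["auth_user"].endswith("@" + realm):
        findings.append(f"principal {info['auth_user']} outside realm {realm}")
    if info["tls_version"] is None:
        # With sasl_bits == 0 and no TLS, the password crossed the wire in clear.
        findings.append("no TLS: session was not encrypted")
    elif info["tls_bits"] < min_bits:
        findings.append(f"weak cipher {info['cipher']} ({info['tls_bits']} bits)")
    return findings


if __name__ == "__main__":
    for name, hdr in (("tls+auth", TLS_AUTH_RECEIVED), ("plaintext", PLAINTEXT_RECEIVED)):
        info = parse_received(hdr)
        print(name, info["auth_user"], info["cipher"], check_submission(info) or "OK")
```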
Slide 15: SMTP Auth Configuration Example
  • Apple Mail

Slide 16: SMTP Auth Configuration Example
  • Eudora

Slide 17: Other Challenges
  • Outgoing accepts mail addressed from any subdomain of mit.edu
    (*.mit.edu) rather than just mit.edu
    • Many alumni are using this to keep their @alum.mit.edu
      identity
    • We'll have to do something here, which may bring us back to
      the alum.mit.edu vs. mit.edu issue
  • MTAs masquerading as MSAs
    • They should stop doing that
  • Use of sendmail as an MSA
    • Where possible, users should use apps with a built-in MSA
      (as opposed to mh -> sendmail)
    • Where possible, the MTA should be running on the client
      machine (e.g. sendmail does direct delivery)
    • Possible certificate-based solution for the rest

Slide 18: SMTP Authentication Next Steps
  • Solidify recommended configurations for known applications
  • Modify configurations to use a flavor of SMTP authentication by
    default
  • Make this the recommended solution for existing users
    • Now we have an answer for ISP problems
  • Campaign to have MIT users upgraded by July 1, 2004

Slide 19: Viruses
  • We are filtering several known viruses at the border
    • Looking for identifying signatures
    • CPU intensive
  • Then came Bugbear
    • No consistent signature to filter on
    • Extension filtering (.scr, .pif, .exe) remains the most
      effective known measure, although we are being a bit more
      precise than this for now

Slide 20: Where Do We End Up?
  • Content filtering for viruses has proven less effective
  • The only measure we have left is to prevent the delivery of all
    executable programs
  • We can be proactive in getting the word out
  • Or, we can wait until a more advanced version of Bugbear is
    released, when we'll be forced to implement this anyway
  • Let's get the word out
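
The "prevent delivery of all executable programs" measure from these two slides, as an added example (not MIT's border filter). It goes one step beyond the extension list the deck cites: besides the advertised filename (including double extensions such as `photo.jpg.scr`), it inspects the first bytes of each decoded attachment for the `MZ` header every Windows executable carries, so a worm that renames its payload to `readme.txt` is still caught. The sample messages are constructed for the example, and the extension set is deliberately just the three the deck names; a production list is longer.

```python
import email
from email import policy
from email.message import EmailMessage

# The extensions the deck names as the most effective filter.  A production
# list would add .com, .bat, .vbs and friends; these three are what the page cites.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif"}
# Windows PE/DOS executables start with "MZ" regardless of what they are named.
EXECUTABLE_MAGIC = (b"MZ",)


def executable_parts(msg) -> list:
    """Return [(filename, reason)] for every leaf part that is, or is named as,
    an executable.  Both the advertised name and the payload bytes are checked."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        lowered = name.lower()
        # Looking only at the final suffix catches double extensions too.
        ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(EXECUTABLE_MAGIC):
            findings.append((name or "<unnamed>", "PE/DOS executable header (MZ)"))
    return findings


def scan(raw_message: bytes) -> list:
    """Parse a wire-format message and return its executable-part findings."""
    return executable_parts(email.message_from_bytes(raw_message, policy=policy.default))


def should_block(raw_message: bytes) -> bool:
    return bool(scan(raw_message))


def build_sample() -> bytes:
    """Constructed test message (not a real capture): a text body, a disguised
    executable named readme.txt, and a double-extension screensaver."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["To"] = "tom@mit.edu"
    msg["Subject"] = "Re: photos"
    msg.set_content("Take a look at the attached.")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24,
                       maintype="application", subtype="octet-stream",
                       filename="readme.txt")
    msg.add_attachment(b"\x00" * 32,
                       maintype="application", subtype="octet-stream",
                       filename="photo.jpg.scr")
    return msg.as_bytes()


def build_clean() -> bytes:
    """Constructed benign message: a text body and a real-looking JPEG attachment."""
    msg = EmailMessage()
    msg["From"] = "tom@mit.edu"
    msg["To"] = "someone@example.org"
    msg["Subject"] = "photos"
    msg.set_content("Here they are.")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 28,
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("sample", build_sample()), ("clean", build_clean())):
        print(label, "BLOCK" if should_block(raw) else "deliver", scan(raw))
```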

Slide 21: Conclusions
  • Authentication is good
  • Viruses are bad

any questions?