Title: Guidelines on Electronic Mail Security
1Guidelines on Electronic Mail Security
http//csrc.nist.gov/publications/nistpubs/800-45/
sp800-45.pdf
2Background
- The process starts with
- Message composition
- Transmitted
- Mail server processing
3Multipurpose Internet Mail Extensions (MIME)
- RFC 822 transmitting messages containing textual
content - does not address messages that contain
attachments - MIME were developed
- Audio
- Application
- Image
- Message
- Multipart
4Mail Transport Standards
- To ensure reliability and interoperability among
various email applications - Simple Mail Transfer Protocol (SMTP)
5Simple Mail Transfer Protocol Extensions
6Post Office Protocol
- developed in 1984
- a way to copy messages from the mail server
mailbox to the mail client - RFC 918, nine commands were originally available
for POP
7Internet Message Access Protocol
8Email-Related Encryption Standards
- PGP and S/MIME
- Based on public key cryptography
- symmetric key
9Pretty Good Privacy
10S/MIME
- proposed in 1995 by RSA Data Security, Inc.
- S/MIME version 3
11Choosing an Appropriate Encryption Algorithm
- Required security
- Required performance
- System resources
- Import, export, or usage restrictions
- Encryption schemes
12Key Management
- difference between PGP and S/MIME
- PGP circle of trust
- S/MIME some newer PGP CA
13Hardening the Mail Server Application
- Securely Installing the Mail Server
- Securely Configuring Operating System and Mail
Server Access Controls - configure access controls
- Typical files to which access should be
controlled are - use the mail server operating system to limit
files accessed by the mail service processes. - directories and files (outside the specified
directory tree) cannot be accessed, even if users
know the locations of those files. - using a chroot jail for the mail server
application - To mitigate the effects of certain types of DoS
attacks
14Protecting Email from Malicious Code
- Virus Scanning
- at the firewall (application proxy) or mail relay
- The benefits
- weaknesses
15Protecting Email from Malicious Code
- Virus Scanning
- on the mail server itself
- The benefits
- weaknesses
- Mail servers support the integration of virus
scanning at the mail server
16Protecting Email from Malicious Code
- Virus Scanning
- on client hosts
- The benefits
- weaknesses
- Mail servers support the integration of virus
scanning at the mail server
17Unsolicited Bulk Email
- unsolicited commercial email (UCE) or spam
- To control UCE messages
- open relay blacklists (ORBs)
18Miscs
- Authenticated Mail Relay
- benefits
- Two methods
- Secure Access
- Most protocols did not initially incorporate any
form of encryption or cryptographic
authentication - Transport Layer Security protocol
- RFC 2595
- Enabling Web Access
19Using Mail Gateways
20Network Element Configuration
- Router/Firewall Configuration
- Routers, stateful firewalls, proxy firewalls
- Which ports
- Router network layer (packet filter) firewall