Electronic Mail Security: SMTP - PowerPoint PPT Presentation

About This Presentation
Title:

Electronic Mail Security: SMTP

Description:

Unsolicited commercial or bulk e-mail. How e-mail works. SMTP. Simple Mail Transfer Protocol ... How SMTP works. User wishes to send mail ...

Slides: 72
Provided by: serda4

Transcript and Presenter's Notes

Title: Electronic Mail Security: SMTP


1
Electronic Mail Security: SMTP, Sendmail
  • Cmpe 526 Operating System and Network Security
    Presentation
  • Serdar Sali

2
Overview
  • Introduction
  • SMTP
  • SMTP Security Issues
  • Solutions to SMTP Security Issues
  • Sendmail
  • Sendmail security mechanisms

3
Introduction
  • E-mail is a leading communication medium
  • As usage spreads, security issues arise
  • Privacy, integrity, authentication
  • Spamming
  • Unsolicited commercial or bulk e-mail

4
How e-mail works
5
SMTP
  • Simple Mail Transfer Protocol
  • Objective
  • Transfer mail reliably and efficiently
  • Independent of a particular transmission system
  • Only a reliable ordered data channel required

6
SMTP
  • Can relay mail across transport service
    environments
  • SMTP transports a mail object
  • Envelope and content
  • A text based protocol

7
How SMTP works
  • User wishes to send mail
  • Client SMTP establishes a two-way transmission
    channel to the Server SMTP
  • The receiver may be the ultimate destination or an
    intermediate one
  • Client SMTP generates and sends SMTP commands
  • Replies are sent back by the Server SMTP

8
How SMTP works
  [Figure: the user hands mail to the Client SMTP, which exchanges SMTP commands and replies with the Server SMTP; each side has its own file system and mail store]
9
The SMTP Model
  • A typical communication
  • User establishes a connection
  • Identifies itself using HELO or EHLO
  • Starts a mail transaction using MAIL FROM:<address>
  • Specifies recipients using RCPT TO:<address>
  • Sends the mail content using DATA
  • Closes the connection using QUIT, or sends another mail

10
The SMTP Model
  • S: MAIL FROM:<Smith@Alpha.ARPA>
  • R: 250 OK
  • S: RCPT TO:<Jones@Beta.ARPA>
  • R: 250 OK
  • S: RCPT TO:<Green@Beta.ARPA>
  • R: 550 No such user here
  • S: RCPT TO:<Brown@Beta.ARPA>
  • R: 250 OK
  • S: DATA
  • R: 354 Start mail input; end with <CRLF>.<CRLF>
  • S: Blah blah blah...
  • S: ...etc. etc. etc.
  • S: <CRLF>.<CRLF>
  • R: 250 OK

11
The SMTP Model
  • SMTP can be used for
  • Mailing: delivering the message to a mailbox
  • Sending: delivering the message to the user's terminal
    if the user is online
  • Usually SMTP is used for sending; POP or IMAP is
    used for retrieval

12
SMTP Mail Relay
  • The destination SMTP server may be final
    or intermediate
  • The client resolves the server address to
  • an intermediate Mail eXchanger host, or
  • the final target host
  • A server may be
  • Ultimate destination
  • Intermediate destination
  • A gateway

13
SMTP Mail Relay
  • MAIL FROM:<reverse-path>
  • RCPT TO:<forward-path>
  • Two ways to relay messages
  • Explicit source routing
  • DNS Mail eXchanger (MX) records

14
SMTP Mail Relay
  • Explicit routing
  • Forward path
  • <@a.com,@b.com:receiver@c.com>
  • Reverse path
  • <sender@d.com>
  • The SMTP servers are contacted in the listed order
  • Each server removes its own address from the forward
    path and adds it to the reverse path
  • The reverse path is used for error or notification
    messages
  • Designed when the Internet was a small community

15
SMTP Mail Relay
  • DNS MX records
  • For a domain, look up its MX record in the DNS
  • Forward the mail to the host it names
  • Currently used method for mail relay
  • Explicit source routing is still supported for
    backward compatibility
  • This is exploited for spam

  [Figure: fields of an MX record: domain, preference value, host]
16
SMTP Security Issues
  • No authentication
  • Spamming
  • Unauthorized use of relaying, DoS
  • All communication done in plaintext
  • Eavesdropping
  • Man in the middle attacks
  • VRFY, EXPN commands

17
SMTP Security Issues
  • SMTP-AUTH
  • An extension that adds access control to SMTP
  • A client may
  • indicate an authentication mechanism to the
    server
  • perform an authentication protocol exchange
  • optionally negotiate a security layer for
    subsequent protocol interactions

18
SMTP-AUTH
  • SMTP-AUTH
  • Only legitimate users can relay mail
  • Does not guarantee authenticity of envelope
    header or message header
  • Spoofing is still possible
  • The receiver cannot tell whether the sender was
    authenticated

19
SMTP-AUTH
  • Based on the Simple Authentication and Security Layer
    (SASL, RFC 2222)
  • SASL uses plugins to define authentication
    mechanisms
  • Plaintext password: PLAIN
  • Shared secret: CRAM-MD5, DIGEST-MD5
  • Kerberos: KERBEROS_V4, GSSAPI

20
SMTP-AUTH
  • Adds the AUTH verb to SMTP
  • Can take an initial-response parameter to save a round trip
  • Any knowledge obtained from the server before
    authentication must be discarded

21
SMTP-AUTH
  • S: 220 smtp.example.com ESMTP server ready
  • C: EHLO jgm.example.com
  • S: 250-smtp.example.com
  • S: 250 AUTH CRAM-MD5 DIGEST-MD5
  • C: AUTH FOOBAR
  • S: 504 Unrecognized authentication type.
  • C: AUTH CRAM-MD5
  • S: 334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=
  • C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==
  • S: 235 Authentication successful.
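
The CRAM-MD5 leg of the dialogue above, worked through in Python as an added example (not code from the slides): the server issues a one-time challenge, the client answers with HMAC-MD5 keyed by the shared secret, and the server recomputes it. Because the slide's secret is unknown, the implementation is checked against the published RFC 2195 vector (user tim, secret tanstaaftanstaaf); smtp.example.com is taken from the slide, the 535 reply text is assumed.

```python
import base64
import hmac
import os
import time

# Published CRAM-MD5 test vector from RFC 2195 (used only to check the code).
RFC2195_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
RFC2195_USER, RFC2195_SECRET = "tim", "tanstaaftanstaaf"
RFC2195_RESPONSE = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw"

def b64(text):
    return base64.b64encode(text.encode()).decode()

def unb64(text):
    return base64.b64decode(text).decode()

def make_challenge(hostname, now=None):
    """Server side: a one-time challenge in the RFC 2195 form <pid.time@host>."""
    stamp = f"{os.getpid()}.{int(time.time() if now is None else now)}"
    return f"<{stamp}@{hostname}>"

def cram_md5_response(challenge, username, secret):
    """Client side: 'user hex(HMAC-MD5(secret, challenge))', before base64."""
    digest = hmac.new(secret.encode(), challenge.encode(), "md5").hexdigest()
    return f"{username} {digest}"

def verify_response(challenge, wire_response, secrets):
    """Server side: recompute with the stored secret, compare in constant time.
    The server must hold the shared secret itself, not a salted hash of it."""
    try:
        username, _, digest = unb64(wire_response).partition(" ")
    except (ValueError, UnicodeDecodeError):
        return False
    secret = secrets.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), "md5").hexdigest()
    return hmac.compare_digest(expected, digest)

def auth_exchange(username, secret, secrets, hostname="smtp.example.com"):
    """Simulate the AUTH CRAM-MD5 part of the slide's dialogue; returns (ok, transcript)."""
    challenge = make_challenge(hostname)
    lines = ["C: AUTH CRAM-MD5", "S: 334 " + b64(challenge)]
    wire = b64(cram_md5_response(challenge, username, secret))
    lines.append("C: " + wire)
    ok = verify_response(challenge, wire, secrets)
    lines.append("S: 235 Authentication successful." if ok
                 else "S: 535 Authentication credentials invalid.")
    return ok, lines
```

The challenge protects the secret from replay of a captured response, but anyone who records the exchange can test password guesses offline against the digest, which is the brute-force caveat of slide 23.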

22
SMTP-AUTH
  • An AUTH parameter can also be given on the MAIL FROM verb
  • Allows trusted entities to communicate the
    authentication of individual messages
  • AUTH=<> means the message was not authenticated
  • C: MAIL FROM:<e=mc2@example.com> AUTH=e+3Dmc2@example.com
  • S: 250 OK

23
SMTP-AUTH
  • Spoofing is still a problem
  • Subject to man-in-the-middle attack
  • Does not provide user authentication, only
    delivery authentication
  • Subject to brute force attacks when username/password
    schemes are used

24
Secure SMTP over TLS
  • Private, authenticated communication between
    client and server
  • Defines a new verb, STARTTLS
  • Takes no parameters
  • Listed in the EHLO reply to tell the client that the
    server is TLS capable
  • Sent by the client to start the TLS handshake

25
Secure SMTP over TLS
  • Sample communication
  • S: <waits for connection on TCP port 25>
  • C: <opens connection>
  • S: 220 mail.imc.org SMTP service ready
  • C: EHLO mail.ietf.org
  • S: 250-mail.imc.org offers a warm hug of welcome
  • S: 250 STARTTLS
  • C: STARTTLS
  • S: 220 Go ahead
  • C: <starts TLS negotiation>
  • C & S: <negotiate a TLS session>
  • C & S: <check result of negotiation>
  • C: <continues by sending an SMTP command> . . .

26
Secure SMTP over TLS
  • A publicly referenced SMTP server must not
    require TLS
  • Requiring it may affect relaying capabilities
  • After the TLS handshake, client and server each
    decide
  • Is the achieved authentication and privacy sufficient?

27
Secure SMTP over TLS
  • If not
  • Client should quit immediately
  • Server should respond to each request with an error
    message
  • Server may place info from the certificate in the
    Received header of the message

28
Secure SMTP over TLS
  • If the security level is sufficient
  • All info obtained before the handshake is discarded
  • Client should send EHLO again
  • The server may report different services
  • Security considerations
  • Not end-to-end
  • SMTP is not end-to-end: every hop in the
    chain has to be made secure
  • Does not indicate to the receiving client whether
    authentication took place

29
Secure SMTP over TLS
  • Decision on the adequacy of security
  • Must be made locally
  • Implementation dependent
  • Susceptible to a man-in-the-middle attack
  • The STARTTLS line in the server's EHLO reply may be
    deleted by an active attacker
  • The client then never learns that the server is TLS capable

30
Secure SMTP over TLS
  • Countermeasure to the man-in-the-middle attack
  • Client records whether a server offers TLS
  • Generates a warning if TLS is not offered in a later
    session
  • STARTTLS cannot be used to authenticate the author
  • Every hop in the chain needs to be authenticated
  • Other mechanisms are used for this purpose
  • PGP, S/MIME, etc.
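
The countermeasure from slides 29 and 30 in Python, as an added example rather than code from the slides: parse the multi-line EHLO reply and treat a server that offered STARTTLS before but no longer does as a suspected downgrade. The two EHLO replies are constructed in the slide-25 style, and the "abort" decision is this example's own policy choice.

```python
# Constructed EHLO replies in the slide-25 style (not captured from a real server).
EHLO_WITH_TLS = [
    "250-mail.imc.org offers a warm hug of welcome",
    "250-SIZE 10240000",
    "250 STARTTLS",
]
EHLO_TLS_STRIPPED = [            # the same server as an active attacker would present it
    "250-mail.imc.org offers a warm hug of welcome",
    "250 SIZE 10240000",
]

def parse_ehlo_reply(lines):
    """Return the set of extension keywords in a multi-line EHLO reply.
    '250-' marks a continuation line, '250 ' (space) the final line."""
    extensions = set()
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError("unexpected EHLO reply line: " + line)
        if i > 0:                         # line 0 carries the server's greeting text
            extensions.add(text.split()[0].upper())
        if sep == " ":
            if i != len(lines) - 1:
                raise ValueError("data after final reply line")
            return extensions
    raise ValueError("EHLO reply not terminated")

class TlsMemory:
    """Client-side record of which servers have offered STARTTLS before."""
    def __init__(self):
        self.offered_before = set()

    def decide(self, server, ehlo_lines):
        """'starttls' if offered now; 'abort' if this server offered it in an
        earlier session but not now (the 250 STARTTLS line may have been
        deleted in transit); 'plaintext' for a server never seen with TLS."""
        offered = "STARTTLS" in parse_ehlo_reply(ehlo_lines)
        if offered:
            self.offered_before.add(server)
            return "starttls"
        return "abort" if server in self.offered_before else "plaintext"
```

A real client would persist offered_before across runs; here it lives for the process only.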

31
POP-before-SMTP
  • POP requires authentication
  • A user uses POP to read mail
  • The IP address of that user is recorded
  • The user is granted access to the SMTP server for a
    certain time period
  • Depends on the user reading mail first
  • Not everyone uses POP
  • May introduce risks with
  • dynamic IPs
  • NAT schemes

32
Sender Policy Framework
  • An extension to SMTP
  • Also called SMTP SPF
  • Quick and easy to implement
  • Designed to prevent forged e-mail
  • Checks if the sender is authorized to send mail
    from the domain they claim to be from
  • Two sides
  • Checking incoming mail
  • Other people checking mail you send

33
Sender Policy Framework
  • To check incoming mail
  • Use an SPF-enabled message transfer agent
  • To allow others to check the mail you send
  • Publish SPF records in DNS
  • "This domain sends mail only through these
    servers"

34
Sender Policy Framework
  • Types of DNS records used in SPF
  • A: maps a name to an IP address
    mail.example.com. IN A 192.0.2.3
  • MX: indicates the servers responsible for handling
    mail in the domain
    example.com. IN MX 10 mail.example.com.
    example.com. IN MX 100 mailhandler.com.
  • PTR: maps an IP address to a name
    6.1.36.36.in-addr.arpa. IN PTR example.com.
  • TXT: arbitrary text strings up to 255 characters
    long

35
Sender Policy Framework
  • Domains
  • Identify which machines are allowed to send
    e-mail from that domain
  • Add this info as a TXT record to their DNS info
  • Receivers
  • Must request and use SPF records

36
Sender Policy Framework
  • An example SPF record
    v=spf1 a mx a:127.0.0.1 a:my.resolved.ip.com ptr all
  • General format
    v=spf1 [pre]type ... [mod]
  • Pre specifies the result when a particular test matches
  • + Pass (default)
  • - Fail
  • ~ Softfail
  • ? Neutral

37
Sender Policy Framework
  • Type
  • include:domain
  • Replace the sender domain with the given domain
  • Use the SPF record of that domain
  • all
  • Represents all other conditions
  • a, a:domain, a:domain/cidr, a/cidr
  • Requires an A record in DNS for the sender domain
  • mx, mx:domain, mx:domain/cidr, mx/cidr
  • Requires an MX record in DNS for the sender domain

38
Sender Policy Framework
  • Type
  • ptr, ptr:domain
  • Requires a PTR record in DNS for the sender IP
  • ip4:ipv4, ip4:ipv4/cidr
  • Used for defining valid IPv4 addresses or ranges
  • ip6:ipv6, ip6:ipv6/cidr
  • Used for defining valid IPv6 addresses or ranges
  • exists:domain
  • Requires the existence of the domain

39
Sender Policy Framework
  • Mod
  • redirect=domain
  • Redirects to the SPF record of the indicated domain
  • Functionally equivalent to include
  • Can also be placed after all, so the redirect is used
    if all other tests fail
  • exp=TXT-RR
  • Should come last in an SPF record
  • Defines a DNS name whose TXT records may be
    returned as error messages

40
Sender Policy Framework
  • Examples
  • Only allow mail.example.com to send for
    example.com
  • A receiving MTA may also make an IP comparison

    example.com.       IN MX  10 mail.example.com.
    mail.example.com.  IN A   192.168.0.4
    example.com.       IN TXT "v=spf1 mx -all"
    mail.example.com.  IN TXT "v=spf1 a -all"
41
Sender Policy Framework
  • Examples
  • Uses a virtual domain
  • Defines a valid IP range
  • 192.168.0.0 to 192.168.0.31

    vhost1.com.        IN MX  10 mail.example.com.
    vhost1.com.        IN TXT "v=spf1 include:example.com -all"
    example.com.       IN MX  10 mail.example.com.
    example.com.       IN TXT "v=spf1 ip4:192.168.0.3/27 -all"
    mail.example.com.  IN TXT "v=spf1 ip4:192.168.0.3/27 -all"
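
As an added illustration (not part of the slides), a small Python evaluator for the SPF mechanisms of slides 36 to 41, run against a constructed DNS table that holds the slide-40 and slide-41 records. It generalises the slide examples to the a, mx, ip4, ip6, include and all mechanisms with all four qualifiers; ptr, exists and the modifiers are left out, and the names mxonly.example and soft.example are invented for the extra cases.

```python
import ipaddress
import re

# Constructed zone data mirroring the slide examples (no live DNS is queried).
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.168.0.3/27 -all"],
    ("example.com", "MX"): [(10, "mail.example.com")],
    ("mail.example.com", "A"): ["192.168.0.4"],
    ("mail.example.com", "TXT"): ["v=spf1 a -all"],
    ("vhost1.com", "TXT"): ["v=spf1 include:example.com -all"],
    ("mxonly.example", "TXT"): ["v=spf1 mx -all"],  # hypothetical, slide-40 form
    ("mxonly.example", "MX"): [(10, "mail.example.com")],
    ("soft.example", "TXT"): ["v=spf1 ~all"],        # hypothetical, softfail only
}

# "pre" qualifiers from the slide; an absent qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([+\-~?]?)(all|a|mx|ip4|ip6|include)(?::([^/]+))?(?:/(\d+))?")

def spf_record(domain):
    """Return the v=spf1 TXT record published for domain, or None."""
    for txt in DNS.get((domain, "TXT"), []):
        if txt.startswith("v=spf1"):
            return txt
    return None

def a_matches(ip, domain, cidr):
    """True if ip falls inside any A record of domain, widened to /cidr."""
    return any(ip in ipaddress.ip_network(f"{a}/{cidr}", strict=False)
               for a in DNS.get((domain, "A"), []))

def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF record for sender ip and return the SPF result."""
    if depth > 10:                      # runaway include: chains are a permerror
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        m = TERM.fullmatch(term)
        if not m:                       # ptr, exists, redirect=, exp= not modelled
            return "permerror"
        qual, mech, arg, cidr = m.groups()
        cidr = int(cidr) if cidr else (32 if ip.version == 4 else 128)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(f"{arg}/{cidr}", strict=False)
        elif mech == "a":
            matched = a_matches(ip, arg or domain, cidr)
        elif mech == "mx":
            matched = any(a_matches(ip, host, cidr)
                          for _, host in DNS.get((arg or domain, "MX"), []))
        else:                           # include: matches only if the included record passes
            matched = check_host(str(ip), arg, depth + 1) == "pass"
        if matched:                     # the first matching mechanism decides
            return QUALIFIERS[qual or "+"]
    return "neutral"                    # nothing matched and no "all" present
```
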
42
Internal SMTP Issues
  • VRFY name
  • Used to verify whether a mailbox with the given name
    exists on an SMTP server
  • EXPN maillist-name
  • Used to expand the members of the given mailing
    list
  • Both are sources of e-mail addresses for spammers
  • Must be disabled

43
Sendmail
  • An open source mail transfer agent
  • Original version written by Eric Allman in the 1980s
    at UC Berkeley
  • Descendant of ARPANET delivermail
  • Very flexible
  • Supports different transfer and delivery
    protocols
  • Very complicated
  • Difficult to manage
  • Configured using sendmail.cf, sendmail.mc
  • Unfortunately, known for its bugs

44
Sendmail
  • Security measures
  • Sendmail restricted shell smrsh
  • Standard security checks
  • SMTP AUTH
  • SMTP STARTTLS
  • Rejecting SPAM
  • Access database
  • Anti-spamming relay features
  • Validating senders

45
Sendmail
  • Configuring sendmail
  • /etc/mail/sendmail.cf
  • Actual configuration file
  • /etc/mail/sendmail.mc
  • More user-friendly configuration file
  • Make sendmail.cf from sendmail.mc
    m4 /usr/local/share/sendmail/cf/m4/cf.m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

46
Sendmail
  • Turning off exploitable features
  • Find the line in sendmail.cf that contains
    O PrivacyOptions=
  • Add noexpn and novrfy
    O PrivacyOptions=noexpn,novrfy
  • Most strict: goaway
  • Or set confPRIVACY_FLAGS in sendmail.mc
    define(`confPRIVACY_FLAGS', `goaway,noexpn,novrfy,nobodyreturn')

47
Sendmail
  • SMTP server banner
  • May give away system info
    220 192.168.1.1 ESMTP Sendmail 8.10.2+Sun/8.10.2; Tue, 14 Jan 2003 09:28:02 -0500 (EST)
  • Change the SmtpGreetingMessage option in sendmail.cf

48
Sendmail
  • Precautions against DoS attacks, in sendmail.mc
  • Set confMAX_MESSAGE_SIZE to limit message size
  • Set confMAX_DAEMON_CHILDREN to limit number of
    processes
  • Does not prevent DoS attacks

49
Sendmail
  • Controlled SMTP relaying in sendmail
  • List the domains you are willing to relay from in
    /etc/mail/relay-domains
  • FEATURE(relay_hosts_only)
  • Hosts must also be listed
  • FEATURE(relay_entire_domain)
  • Relay for all computers in the domain
  • FEATURE(access_db)
  • Enables or disables the access database
  • FEATURE(blacklist_recipients)
  • Also look up recipients in the access database

50
Sendmail
  • Controlled SMTP relaying in sendmail
  • FEATURE(dnsbl)
  • Use the realtime black hole list at mail-abuse.org
    1.5.5.192.blackholes.mail-abuse.org IN A 127.0.0.2
  • FEATURE(accept_unqualified_senders)
  • Allow users without domains
  • FEATURE(accept_unresolvable_domains)
  • Allow users with unresolvable domains
  • FEATURE(relay_based_on_MX)
  • Permit any relay directed to your host

51
Sendmail
  • The following features make sendmail vulnerable to abuse
  • FEATURE(relay_local_from)
  • Allows relaying if the message claims to
    originate at your domain
  • FEATURE(loose_relay_check)
  • Turns off checking for explicit routing
  • FEATURE(promiscuous_relay)
  • Turns off all checking for relaying

52
Sendmail
  • Access database
  • In /etc/mail/access
  • Allow access by individual domains
  • Two-tuples: key, action
  • Key
  • Fully or partly qualified host name
  • Network or subnetwork address
  • Specific e-mail addresses
  • Can also be prefixed with From:, To:, etc.

53
Sendmail
  • Actions
  • REJECT
  • Refuse connections from the host
  • DISCARD
  • Accept the message but silently discard it;
    the sender will think the message was accepted
  • OK
  • Allow access, overrides other checks
  • RELAY
  • Allow access including relaying
  • ERROR:arbitrary message
  • Reject mail with a customized message

54
Sendmail
  • Example
    cyberpromo.com        REJECT
    sendmail.org          RELAY
    spam@buyme.com        ERROR:550 Spammers do not live here anymore
    From:a@b.com          REJECT
    To:c@d.com            REJECT
    193.140               RELAY
  • Generate the database from the map
    makemap hash /etc/mail/access < /etc/mail/access

55
Sendmail
  • smrsh (Sendmail restricted shell)
  • aliases database
  • alias mailing list
  • forwarding mail
  • .forward file in the home directory
  • In addition to mail addresses, commands may also
    be used as targets
  • A malicious user can get commands executed through
    delivered mail

56
Sendmail
  • smrsh
  • Forms an explicit list of executables that
    sendmail is allowed to execute
  • sendmail.mc: FEATURE(smrsh)
  • Directory for allowed executables
  • /usr/libexec/sm.bin
  • Any reference to an executable is resolved inside this
    directory
  • Should be carefully populated
  • Advised for use in all sendmail versions

57
Sendmail
  • Enhanced File Security
  • Tight rules for opening files
  • In general, all read directories should be owned
    by root
  • No .forward in unsafe (group or world writable)
    directories

58
Sendmail
  • Enhanced File Security
  • If too restrictive, set the DontBlameSendmail
    option in sendmail.mc
    define(`confDONT_BLAME_SENDMAIL', `...')
  • ForwardFileInUnsafeDirPath
  • Allow .forward files in unsafe directories.
  • ForwardFileInUnsafeDirPathSafe
  • Allow a .forward file that is in an unsafe
    directory to include references to programs and
    files.

59
Sendmail
  • SMTP-AUTH in sendmail
  • Install a SASL library
  • e.g. Cyrus SASL
  • Compile sendmail with the right options, added
    to site.config.m4
  • for Cyrus SASLv1
    APPENDDEF(`confENVDEF', `-DSASL')
    APPENDDEF(`conf_sendmail_LIBS', `-lsasl')
  • for Cyrus SASLv2
    APPENDDEF(`confENVDEF', `-DSASL=2')
    APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')

60
Sendmail
  • Set options in sendmail.mc
    TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5')dnl
    define(`confDEF_AUTH_INFO', `/etc/mail/auth/auth-info')dnl
    DAEMON_OPTIONS(`a')dnl
  • Requiring SMTP AUTH
  • Delete all other means of relaying

61
Sendmail
  • To use sendmail as a client, generate an info file
    client-info:
    AuthInfo:your.isp.net "U:root" "P:password"
  • Generate the authentication database
    makemap hash client-info < client-info
  • Edit the configuration file
    define(`SMART_HOST', `your.isp.net')
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
    FEATURE(`authinfo', `hash /etc/mail/auth/client-info')

62
Sendmail
  • SMTP STARTTLS in sendmail
  • Allow relaying based on certificates
  • Restrict incoming or outgoing connections
  • Define the following variables
    define(`confCACERT_PATH', `/etc/mail/certs/')
    define(`confCACERT', `/etc/mail/certs/CA.cert.pem')
    define(`confSERVER_CERT', `/etc/mail/certs/my.cert.pem')
    define(`confSERVER_KEY', `/etc/mail/certs/my.key.pem')

63
Sendmail
  • ${verify} macro keeps the result of
    verification
  • OK: verification succeeded.
  • NO: no cert presented.
  • NOT: no cert requested.
  • FAIL: cert presented but could not be verified,
    e.g., the cert of the signing CA is missing.
  • NONE: STARTTLS has not been performed.
  • TEMP: temporary error occurred.
  • PROTOCOL: protocol error occurred (SMTP level).
  • SOFTWARE: STARTTLS handshake failed.

64
Sendmail
  • Relaying based on certificates
  • If the sender is not verified, the usual relaying rules apply
  • If verified, look up the domain of the certificate
    issuer and check the access database for that domain
  • If the result is RELAY, relay
  • If the result is SUBJECT, look up the certificate subject

65
Sendmail
  • Example
  • To allow relaying only for a subset of machines
    that have a cert signed by
    /C=US/ST=California/O=endmail.org/OU=private/CN=Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org
  • use (special characters in the DN are written as +XX hex, e.g. +20 for a space)
    CertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN=Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org   SUBJECT
    CertSubject:/C=US/ST=California/O=endmail.org/OU=private/CN=DeathStar/Email=deathstar@endmail.org   RELAY
  • Received header
    (version=tls_version cipher=cipher bits=cipher_bits verify=verify)

66
Sendmail
  • Deciding whether to continue communication
  • Two-tuples in the access map
  • Key: clients or servers, tagged TLS_Srv: or TLS_Clt:
  • Values
  • VERIFY: successful verification required
  • VERIFY:bits: successful verification required and
    cipher bits >= bits
  • ENCR:bits: cipher bits >= bits

67
Sendmail
  • Example
    TLS_Srv:secure.example.com   ENCR:112
    TLS_Clt:laptop.example.com   VERIFY:112
  • E-mail sent to secure.example.com must be
    encrypted with at least 112 cipher bits
  • E-mail sent from laptop.example.com must come with
    a verified certificate and at least 112 cipher bits

68
Sendmail
  • Known application bugs and exploits
  • CERT advisories, www.cert.org
  • Do not run sendmail as root
  • Current versions do not
  • Sendmail X: new generation of sendmail
  • Similar to the Postfix architecture

69
Conclusion
  • Spamming is a serious issue
  • Open mail relays
  • Open proxies
  • Worms that make servers vulnerable
  • Methods presented here do not provide end-to-end
    security
  • PGP, S/MIME must be used

70
Questions?
71
Questions?
  • Thank you!