Guidelines on Electronic Mail Security

1
Guidelines on Electronic Mail Security
http//csrc.nist.gov/publications/nistpubs/800-45/
sp800-45.pdf
2
Background

• The process starts with
• Message composition
• Transmitted
• Mail server processing

3
Multipurpose Internet Mail Extensions (MIME)

• RFC 822 transmitting messages containing textual
  content
• does not address messages that contain
  attachments
• MIME were developed
• Audio
• Application
• Image
• Message
• Multipart

4
Mail Transport Standards

• To ensure reliability and interoperability among
  various email applications
• Simple Mail Transfer Protocol (SMTP)

5
Simple Mail Transfer Protocol Extensions
6
Post Office Protocol

• developed in 1984
• a way to copy messages from the mail server
  mailbox to the mail client
• RFC 918, nine commands were originally available
  for POP

7
Internet Message Access Protocol
8
Email-Related Encryption Standards

• PGP and S/MIME
• Based on public key cryptography
• symmetric key

9
Pretty Good Privacy
10
S/MIME

• proposed in 1995 by RSA Data Security, Inc.
• S/MIME version 3

11
Choosing an Appropriate Encryption Algorithm

• Required security
• Required performance
• System resources
• Import, export, or usage restrictions
• Encryption schemes

12
Key Management

• difference between PGP and S/MIME
• PGP circle of trust
• S/MIME some newer PGP CA

13
Hardening the Mail Server Application

• Securely Installing the Mail Server
• Securely Configuring Operating System and Mail
  Server Access Controls
• configure access controls
• Typical files to which access should be
  controlled are
• use the mail server operating system to limit
  files accessed by the mail service processes.
• directories and files (outside the specified
  directory tree) cannot be accessed, even if users
  know the locations of those files.
• using a chroot jail for the mail server
  application
• To mitigate the effects of certain types of DoS
  attacks

14
Protecting Email from Malicious Code

• Virus Scanning
• at the firewall (application proxy) or mail relay
• The benefits
• weaknesses

15
Protecting Email from Malicious Code

• Virus Scanning
• on the mail server itself
• The benefits
• weaknesses
• Mail servers support the integration of virus
  scanning at the mail server

16
Protecting Email from Malicious Code

• Virus Scanning
• on client hosts
• The benefits
• weaknesses
• Mail servers support the integration of virus
  scanning at the mail server

17
Unsolicited Bulk Email

• unsolicited commercial email (UCE) or spam
• To control UCE messages
• open relay blacklists (ORBs)

18
Miscs

• Authenticated Mail Relay
• benefits
• Two methods
• Secure Access
• Most protocols did not initially incorporate any
  form of encryption or cryptographic
  authentication
• Transport Layer Security protocol
• RFC 2595
• Enabling Web Access

19
Using Mail Gateways
20
Network Element Configuration

• Router/Firewall Configuration
• Routers, stateful firewalls, proxy firewalls
• Which ports
• Router network layer (packet filter) firewall