Electronic Mail Security: SMTP

About This Presentation

Title:

Electronic Mail Security: SMTP

Description:

Unsolited commercial - bulk e-mail. How e-mail works. SMTP. Simple Mail Transfer Protocol ... How SMTP works. User wishes to send mail ... – PowerPoint PPT presentation

Number of Views:338

Avg rating:3.0/5.0

Slides: 72

Provided by: serda4

Category:

more less

Transcript and Presenter's Notes

Title: Electronic Mail Security: SMTP

1
Electronic Mail SecuritySMTP Sendmail

Cmpe 526 Operating System and Network Security
Presentation
Serdar Sali

2
Overview

Introduction
SMTP
SMTP Security Issues
Solutions to SMTP Security Issues
Sendmail
Sendmail security mechanisms

3
Introduction

E-mail a leading communication medium
As usage spreads, security issues arise
Privacy, integrity, authentication
Spamming
Unsolited commercial - bulk e-mail

4
How e-mail works
5
SMTP

Simple Mail Transfer Protocol
Objective
Transfer mail reliably and efficiently
Independent of a particular transmission system
Only a reliable ordered data channel required

6
SMTP

Can relay mail across transport service
environments
SMTP transports a mail object
Envelope and content
A text based protocol

7
How SMTP works

User wishes to send mail
Client SMTP establishes two way transmission
channel to Server SMTP
Receiver may be ultimate or intermediate
Client SMTP generates and sends SMTP messages
Replies are sent from Server SMTP

8
How SMTP works
User
Client SMTP
Server SMTP
SMTP Commands/Replies
File System
File System
And mail
9
The SMTP Model

A typical communication
User establishes a connection
Identifies using HELO or EHLO
Sends mail using MAIL from ltaddressgt
Specifies recipients using RCPT to ltaddressgt
Specify mail content using DATA
Close connection using QUIT or send another mail

10
The SMTP Model

S MAIL FROM ltSmith_at_Alpha.ARPAgt
R 250 OK
S RCPT TO ltJones_at_Beta.ARPAgt
R 250 OK
S RCPT TO ltGreen_at_Beta.ARPAgt
R 550 No such user here
S RCPT TO ltBrown_at_Beta.ARPAgt
R 250 OK
S DATA
R 354 Start mail input end with ltCRLFgt.ltCRLFgt
S Blah blah blah...
S ...etc. etc. etc.
S ltCRLFgt.ltCRLFgt
R 250 OK

11
The SMTP Model

SMTP can be used for
Mailing sending message to mailbox
Sending sending message to users terminal if
the user is online
Usually, SMTP is used for sending, POP or IMAP is
used for retrieval

12
SMTP Mail Relay

The destination of the SMTP server may be final
or intermediate
The client resolves the server address to
an intermediate Mail eXchanger host or
a final target host.
A server may be
Ultimate destination
Intermediate destination
A gateway

13
SMTP Mail Relay

Mail from ltreverse-pathgt
Rcpt to ltforward-pathgt
Two ways to relay messages
Explicit source routing
DNS Mail eXchanger (MX) records

14
SMTP Mail Relay

Explicit Routing
Forward path
lt_at_a.com,_at_b.com,receiver_at_c.comgt
Reverse path
ltsender_at_d.comgt
SMTP servers connected in order
Each server removes its address and adds it to
reverse path
Error or notification messages
Designed when internet was a small community

15
SMTP Mail Relay

DNS MX records
For a domain, search for a record in the DNS
Forward the mail request to that host
Currently used method for mail relay
Explicit source routing still supported for
backward compatibility
This causes SPAM

domain
Preference value
host
16
SMTP Security Issues

No authentication
Spamming
Unauthorized use of relaying, DoS
All communication done in plaintext
Eavesdropping
Man in the middle attacks
VRFY, EXPN commands

17
SMTP Security Issues

SMTP-AUTH
An extension that adds access control to SMTP
A client may
indicate an authentication mechanism to the
server
perform an authentication protocol exchange
optionally negotiate a security layer for
subsequent protocol interactions

18
SMTP-AUTH

SMTP-AUTH
Only legitimate users can relay mail
Does not guarantee authenticity of envelope
header or message header
Spoofing is still possible
The receiver can not tell if the sender was
authenticated

19
SMTP-AUTH

Based on Simple Authentication and Security Layer
(SASL-RFC-2222)
SASL uses plugins to define authentication
mechanisms
Plaintext password PLAIN
Shared secretCRAM-MD5, DIGEST-MD5
Kerberos KERBEROS_V4, GSSAPI

20
SMTP-AUTH

Adds AUTH verb to SMTP
Can take parameters to save round-trip
Any knowledge prior to authentication must be
discarded

21
SMTP-AUTH

S 220 smtp.example.com ESMTP server ready
C EHLO jgm.example.com
S 250-smtp.example.com
S 250 AUTH CRAM-MD5 DIGEST-MD5
C AUTH FOOBAR
S 504 Unrecognized authentication type.
C AUTH CRAM-MD5
S 334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLml
ubm9zb2Z0LmNvbT4
C ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg
2ZQ
S 235 Authentication successful.

22
SMTP-AUTH

AUTH verb can also be applied to mail from verb
Allows trusted entities to communicate
authentication of individual messages
AUTHltgt not authenticated
C MAIL FROMltemc2_at_example.comgt
AUTHe3Dmc2_at_example.com
S 250 OK

23
SMTP-AUTH

Spoofing is still a problem
Subject to man-in-the-middle attack
Does not provide user authentication, only
delivery authentication
Subject to brute force attacks when username
password schemes are used

24
Secure SMTP over TLS

Private, authenticated communication between
client and server
Defines a new verb, STARTTLS
Takes no parameters
Used to tell client that the server is TLS
capable
Used to start a TLS handshake by client

25
Secure SMTP over TLS

Sample communication
S ltwaits for connection on TCP port 25gt
C ltopens connectiongt
S 220 mail.imc.org SMTP service ready
C EHLO mail.ietf.org
S 250-mail.imc.org offers a warm hug of welcome
S 250 STARTTLS
C STARTTLS
S 220 Go ahead
C ltstarts TLS negotiationgt
C S ltnegotiate a TLS sessiongt
C S ltcheck result of negotiationgt
C ltcontinues by sending an SMTP commandgt . . .

26
Secure SMTP over TLS

A publicly referenced SMTP server must not
require TLS
May effect relaying capabilities
After the TLS handshake, client and server should
give the decision
Is the achieved authentication and privacy enough?

27
Secure SMTP over TLS

If not
Client should quit immediately,
Server should respond each request with an error
message
Server may place info from certificate in
Received header of the message body

28
Secure SMTP over TLS

If security level is enough
All info before handshake is discarded
Client should send a EHLO again
The server may report different services
Security considerations
Not end-to-end
SMTP is not end-to-end
The entire chain has to be made secure
Does not indicate authentication for the
receiving client

29
Secure SMTP over TLS

Decision on adequateness of security
Must be made locally
Implementation dependent
Susceptible to man-in-the-middle attack
The STARTTLS response from server may be deleted
by an eavesdropper
Client never knows that server is TSL capable

30
Secure SMTP over TLS

Solution to man-in-the-middle attack
Client records if a server offers TLS
Generates a warning if it is not offered in later
sessions
Can not be used to authenticate author
Every chain needs to be authenticated
Other mechanisms are used for this purpose
PGP, MIME, etc.

31
POP-before-SMTP

POP requires authentication
A user uses POP to read mail
IP address of that user is recorded
User is granted access to SMTP server for a
certain time period
Dependent on user reading mail
Not everyone uses POP
May introduce risks with
dynamic IPs
NAT schemes

32
Sender Policy Framework

An extension to SMTP
Also called SMTP SPF
Quick and easy to implement
Designed to prevent forged e-mail
Checks if the sender is authorized to send mail
from the domain they claim to be from
Two sides
Checking incoming mail
Other people checking mail you send

33
Sender Policy Framework

To check incoming mail
Use an SPF enabled message transfer agent
To allow others check the mail you send
Publish SPF records in DNS
This domain sends mail only through these
servers

34
Sender Policy Framework

Types of DNS records used in SPF
A maps name to IP address
mail.example.com. IN A 192.0.2.3
MX indicates servers responsible for handling
mail in the domain
example.com. IN MX 10 mail.example.com.
example.com. IN MX 100 mailhandler.com
PTR maps IP to name
6.1.36.36.in-addr.arpa. IN PTR example.com
TXT arbitrary text strings up to 255 characters
long

35
Sender Policy Framework

Domains
Identify which machines are allowed to send
e-mail from that domain
Add this info as a TXT record to their DNS info
Receivers
Must request and use SPF records

36
Sender Policy Framework

An example SPF record
vspf1 a mx a127.0.0.1
amy.resolved.ip.com ptr all
General format
vspf1 pre type ... mod
Pre specifies the result from a particular test
Pass (Default)
- Fail
Softfail
? Neutral

37
Sender Policy Framework

Type
includedomain
replace sender domain with given domain
Use SPF record for that domain
all
Represents all other conditions
a, adomain, adomain/cidr, a/cidr
Requires an A record in DNS for sender domain
mx, mxdomain,mxdomain/cidr, mx/cidr
Requires an MX record in DNS for sender domain

38
Sender Policy Framework

Type
ptr, ptrdomain
Requires a PTR record in DNS for sender IP
ip4ipv4, ip4ipv4/cidr
Used for defining valid IPv4s or IPv4 ranges
ip6ipv6, ip6ipv6/cidr
Used for defining valid IPv4s or IPv4 ranges
existsdomain
Requires existence of the domain

39
Sender Policy Framework

Mod
redirectdomain
Redirects to SPF of indicated domain
Functionally equivalent to include
Can also be used after all to use redirect if all
tests fail
expTXT-RR
Should come last in an SPF record
Defines a DNS name whose TXT records may be
returned as error messages

40
Sender Policy Framework

Examples
Only allow mail.example.com to send for
example.com
A receving MTA may also make an IP comparison

example.com. IN MX 10 mail.example.com. mail.examp
le.com. IN A 192.168.0.4 example.com. IN TXT
"vspf1 mx all" mail.example.com. IN TXT "vspf1
a -all"
41
Sender Policy Framework

Examples
Uses virtual domain
Defines a valid IP range
192.168.0.0 192.168.0.31

vhost1.com. IN MX 10 mail.example.com vhost1.com.
IN TXT "vspf1 includeexample.com -all"
example.com. IN MX 10 mail.example.com. example.co
m. IN TXT "vspf1
ip4192.168.0.3/27 -all" mail.example.com. IN TXT
"vspf1 ip4192.168.0.3/27
-all"
42
Internal SMTP Issues

Vrfy name
Used to verify if a mailbox with the given name
exists in an SMTP server
Expn maillist-name
Used to expand the members of the given maillist
name
Both sources of e-mail address for spammers
Must be disabled

43
Sendmail

An open source mail transfer agent
Original version written by Eric Allman in 1980s
at UC Berkeley
Descendant of ARPANET delivermail
Very flexible
Supports different transfer and delivery
protocols
Very complicated
Difficult to manage
Configured using sendmail.cf, sendmail.mc
Unfortunately, known for its bugs

44
Sendmail

Security measures
Sendmail restricted shell smrsh
Standard security checks
SMTP AUTH
SMTP STARTTLS
Rejecting SPAM
Access database
Anti-spamming relay features
Validating senders

45
Sendmail

Configuring sendmail
/etc/mail/sendmail.cf
Actual configuration file
/etc/mail/sendmail.mc
More user friendly configuration file
Make sendmail.cf from sendmail.mc
m4 /usr/local/share/sendmail/cf/m4/cf.m4
/etc/mail/sendmail.mc gt /etc/mail/sendmail.cf

46
Sendmail

Turning off exploitable features
Find the line in sendmail.cf that contains
O PrivacyOptions
Add noexpn and novrfy
O PrivacyOptionsnoexpn novrfy
Most strict goaway
Or set the confPRIVACY_FLAGS in sendmail.mc
define(confPRIVACY_FLAGS, goaway, noexpn,
novrfy, nobodyreturn)

47
Sendmail

SMTP server banner
May give away system info
220 192.168.1.1 ESMTP Sendmail 8.10.2Sun/8.10.2
Tue,14 Jan 2003 09 2802-0500 (EST)
Change SmtpGreetingMessage field in sendmail.cf

48
Sendmail

Precautions against DoS attacks, in sendmail.mc
Set confMAX_MESSAGE_SIZE to limit message size
Set confMAX_DAEMON_CHILDREN to limit number of
processes
Does not prevent DoS attacks

49
Sendmail

Controlled SMTP relaying in sendmail
FEATURE(access_db)
List the domains you are willing to relay from in
/etc/mail/relay-domains
FEATURE(relay_hosts_only)
Hosts must also be listed
FEATURE(relay_entire_domain)
Relay all computers in domain
FEATURE(access_db)
Enables or disables access database
FEATURE(blacklist_recipients)
Also look up recipients in access database

50
Sendmail

Controlled SMTP relaying in sendmail
List the domains you are willing to relay from in
/etc/mail/relay-domains
FEATURE(dnsbl)
Use realtime black hole list at mail-abuse.org
1.5.5.192.blackholes.mail-abuse.org
IN A 127.0.0.2
FEATURE(accept_unqualified_senders)
Allow users without domains
FEATURE(accept_unresolvable_domains)
Allow users with unresolvable domains
FEATURE(relay_based_on_MX)
Permit any relay directed to your host

51
Sendmail

Following features make vulnerable to abuse
FEATURE(relay_local_from).
Allows relaying if the message claims to
originate at your domain.
FEATURE(loose_relay_check).
turns off checking for explicit routing
FEATURE(promiscuous_relay).
turn off all checking for relaying.

52
Sendmail

Access database
In /etc/mail/access
Allow access by individual domains
Two-tuples key action
Key
Fully or partly qualified host name
Network or subnetwork address
Specific e-mail addresses
Can also include FROM, TO, etc.

53
Sendmail

Actions
REJECT
refuse connections from host
DISCARD
accept the message but silently discard it,
sender will think message is accepted
OK
Allow access, overrides other checks
RELAY
Allow access including relaying
ERROR arbitrary message
Reject mail with customized message

54
Sendmail

Example
cyberpromo.com REJECT
sendmail.org RELAY
spam_at_buyme.com ERROR550 Spammers do not live
here anymore
Froma_at_b.com REJECT
Toc_at_d.com REJECT
193.140 RELAY
Generate database from map
makemap hash
/etc/mail/access lt /etc/mail/access

55
Sendmail

smrsh (Sendmail restricted shell)
aliases database
alias mailing list
forwarding mail
.forward file in home directory
In addition to mail addresses, commands may also
be used
A malicious user can execute commands using the
sent mail

56
Sendmail

smsrh
Form an explicit list of executables that
sendmail is allowed to execute
sendmail.mc FEATURE(smsrh)
Directory for allowed executables
/usr/libexec/sm.bin
Any reference to executables appended with this
directory
Should be carefully populated
Advised to be used in all sendmail versions

57
Sendmail

Enhanced File Security
Tight rules for opening files
In general, all read directories should be owned
by root
No .forward in unsafe (group or world writable)
directories

58
Sendmail

Enhanced File Security
If too restrictive, set the DontBlameSendmail
option in sendmail.mc
define
(confDONT_BLAME_SENDMAIL,...)
ForwardFileInUnsafeDirPath
Allow .forward files in unsafe directories.
ForwardFileInUnsafeDirPathSafe
Allow a .forward file that is in an unsafe
directory to include references to program and
files.

59
Sendmail

SMTP-Auth in sendmail
Install an SASL library
i.e. Cyrus SASL
Compile sendmail with right options
APPENDDEF(confENVDEF', -DSASL')
APPENDDEF(conf_sendmail_LIBS', -lsasl')
for Cyrus SASLv1
APPENDDEF(confENVDEF', -DSASL2')
APPENDDEF(conf_sendmail_LIBS', -lsasl2')
for Cyrus SASLv2
to site.config.m4

60
Sendmail

Set options in sendmail.mc
TRUST_AUTH_MECH(GSSAPI DIGEST-MD5')dnl
define(confAUTH_MECHANISMS', GSSAPI
DIGEST-MD5')dnl
define(confDEF_AUTH_INFO', /etc/mail/auth/auth-i
nfo')dnl
DAEMON_OPTIONS(a')dnl
Requiring SMTP AUTH
Delete all other means of relaying

61
Sendmail

To use as client,generate an info file
client-info AuthInfoyour.isp.net "Uroot"
"Ppassword
Generate authentication database
makemap hash client-info lt client-info
Edit configuration file
define(SMART_HOST',your.isp.net')
define(confAUTH_MECHANISMS', DIGEST-MD5
CRAM-MD5 LOGIN PLAIN')
FEATURE(authinfo',hash /etc/mail/auth/client-inf
o')

62
Sendmail

SMTP STARTTLS in sendmail
Allow relaying based on certificates
Restrict incoming or outgoing connections
Define following variables
define(confCACERT_PATH', /etc/mail/certs/')
define(confCACERT', /etc/mail/certs/CA.cert.pem'
)
define(confSERVER_CERT', /etc/mail/certs/my.cert
.pem')
define(confSERVER_KEY', /etc/mail/certs/my.key.p
em')

63
Sendmail

verify macro that keeps result of
verification
OK verification succeeded.
NO no cert presented.
NOT no cert requested.
FAIL cert presented but could not be verified,
e.g., the cert of the signing CA is
missing.
NONE STARTTLS has not been performed.
TEMP temporary error occurred.
PROTOCOL protocol error occurred (SMTP level).
SOFTWARE STARTTLS handshake failed.

64
Sendmail

Relaying based on certificates
If sender not verified, usual relaying
If verified, look up the domain of certificate
issuer, and check access database for that domain
If result is RELAY, relay
If result is SUBJECT, look up the subject

65
Sendmail

Example
To allow relaying only for a subset of machines
that have a cert signed by
/CUS/STCalifornia/Oendmail.org/OUprivate/CN
Darth20Mail2028Cert29/Emaildarth2Bcert_at_endma
il.org
use
CertIssuer/CUS/STCalifornia/Oendmail.org/OUpr
ivate/CNDarth20Mail2028Cert29/Emaildarth2Bc
ert_at_endmail.org
SUBJECT
CertSubject/CUS/STCalifornia/Oendmail.org/OUp
rivate/CN DeathStar/Emaildeathstar_at_endmail.org
RELAY
Received header
(versiontls_version ciphercipher
bitscipher_bits verifyverify)