A System for Secure Email Relaying - PowerPoint PPT Presentation

1 / 25
About This Presentation
Title:

A System for Secure Email Relaying

Description:

Sending email from one domain to another via a third. Spammers do ... Email settings identical for home ... IMap. server. DMZ. Possible Solutions. SSL ... – PowerPoint PPT presentation

Number of Views:72
Avg rating:3.0/5.0
Slides: 26
Provided by: kelv85
Category:

less

Transcript and Presenter's Notes

Title: A System for Secure Email Relaying


1
A System for Secure Email Relaying
  • Masters Project
  • By Kelvin Edwards
  • Advisor Dr. Wahab

2
A System for Secure Email Relaying
  • Email Relaying
  • Possible Solutions
  • Chosen Solution
  • Certificate configuration
  • Email configuration
  • Web server configuration
  • Putting it all together
  • Demonstration

3
Email Relaying
  • What is email relaying?
  • Sending email from one domain to another via a
    third
  • Spammers do this all the time!
  • Why is it useful?
  • Stable email configuration for users
  • Email settings identical for home institution and
    away
  • No need to determine visiting labs smtp server

4
Email Relaying
Smtp server
Jefferson Lab External
IMap server
Jefferson Lab -- Internal
Off-Site Location
DMZ
5
Possible Solutions
  • SSL-enabled email
  • Pros
  • Minimal changes to the client application
  • Cons
  • Must set up email server for encrypted
    connections
  • Exposes usernames/passwords to the outside email
    server.

6
Possible Solutions
  • SSH tunnels
  • Pros
  • Once setup, its transparent to the user
  • Cons
  • Difficult to setup
  • Must maintain ssh connection at all times (or
    reestablish before sending email)

7
Possible Solutions
  • Webmail
  • Pros
  • Its just a web page, minimal setup required
  • Works anywhere, from anyplace
  • Cons
  • Doesnt handle attachments well
  • No junk mail (or other) filters

8
My Solution
  • Certificates
  • Pros
  • Transparent to the user once it is set up
  • Can also be used to encrypt or sign the message
  • Cons
  • Difficult to setup for the user
  • However, with a little setup by the site, you can
    make this easier for the user

9
Certificate Configuration
  • Root Certificate Authority (CA)
  • Signs all other certificates
  • Server Certificate
  • Signed by root CA
  • Client Certificates
  • Signed by root CA
  • Loaded into email client

10
Certificate Configuration
  • OpenSSL x.509 certificates
  • Good for one year (could be longer)
  • Default DN items
  • Country US
  • State Virginia
  • Organization Jefferson Lab
  • Location Newport News
  • 1024 bit key

11
Web Server Configuration
  • Local server certificate signed by root CA
  • User authentication
  • Htpasswd or NIS
  • Document tree

12
Email Server Configuration
  • Sendmail
  • Version 8.12.11
  • Compiled with TLS support
  • Runs on Port 8025

13
Email Server Configuration
  • Sendmail TLS (SSL)
  • Uses openSSL 0.9.7 libraries
  • /sednmail/devtools/Site/site.config.m4
  • /sendmail/cf/cf/sendmail.mc
  • Server certificate
  • /etc/mail/certs
  • Signed by root CA

14
Email Server Configuration
  • /etc/mail/access and access.db
  • Allows relay for known client certificates

localhost.localdomain RELAY localhost
RELAY 127.0.0.1 RELAY jlab.org
RELAY TLS_CLT
VERIFY CERTISSUER/CNKelvin20Edwards/STVirginia
/CUS/ emailAddresskelvin_at_jlab.org/OJefferson2
0Lab/ OUComputer20Center SUBJECT CERTSUBJECT
/CNGraham20Heyes/STVirginia/CUS/ emailAddres
sheyes_at_jlab.org/OJefferson20Lab/ OUComputer2
0Center RELAY CERTSUBJECT/CNKelvin20Edward
s/STVirginia/CUS/ emailAddresskelvin_at_jlab.org/
OJefferson20Lab/ OUCC RELAY
15
Email Server Configuration
  • /etc/mail/access and access.db
  • Update script
  • Runs as root
  • Makemap hash access.db lt access
  • Currently set to run each minute

16
Email Server Configuration (cont)
  • Certificate Revocation Lists
  • In general, a difficult problem
  • Remove entry in access (do a makemap)
  • Remove certificate from certificate list
  • Located in /var/www/CA/index.txt

17
Putting it all together
  • http//rh-install.jlab.org
  • Load root CA into browser
  • Displays form for generating a certificate
    request
  • Redirects to https connection
  • User authenticates to web server

18
Putting it all together (cont)
  • Generate certificate request
  • Genreq.pl
  • Requires
  • Full name
  • Email address
  • Department
  • Private key password

19
Putting it all together (cont)
  • treatReq.pl
  • Validates user responses
  • Actually generates the CR
  • Signs the CR using root CA
  • Generates a PKCS 12 certificate from the signed
    certificate
  • Displays web page with load instructions

20
Web Page
  • Different for Mozilla and Internet Explorer
  • Internet Explorer
  • Loads certificate by clicking on link
  • Mozilla
  • Save certificate to disk
  • Load certificate through Mozillas Security
    Manager
  • Need to remember private key password

21
Demonstration
  • http//rh-install.jlab.org

22
  • Questions?

23
Details
  • Ssl configuration stored in /var/www/CA
  • Keeps the users private key password as an
    environment variable during creation
  • The CAs password is stored in /var/www/CA and is
    read-only by http-user. This value is used to
    sign certificates.
  • The certificates are generated and stored in
    /tmp/session-id, where session-id is based on
    the client systemmon/day/yr/hr/min/sec
  • session-id is deleted once certificate generated
    as PKCS 12

24
Details
  • /etc/mail/access has a list of each clients CERT
    Subject, which includes the DN, etc.
  • Certificate presented MUST be signed by the root
    CA or it is rejected.
  • User MUST load the root CA into the browser prior
    to generating the certificate
  • PROBLEM Some sites are not allowing connections
    to port 25 from random systems on-site. This
    will invalidate this method and most other
    methods (tunnels will still work)

25
Details
Write a Comment
User Comments (0)
About PowerShow.com