Date posted: 17-Jan-2017
MESSAGE SECURITY
Speaker: Jaap Wesselius
Company: Self Employed
Position: Consultant
WHO AM I?
I am Jaap Wesselius, Independent Consultant in The Netherlands
I am a Microsoft Most Valuable Professional, Office Servers and Services (previously known as Exchange MVP)
I tweet from @jaapwess
I blog at www.jaapwesselius.com
Email me at [email protected]
When not working, I like to ride a motorcycle
WHAT’S THIS SESSION ABOUT?
It's all about anti-spam (and thus security)
How do I make sure email is legitimate?
What's my email reputation on the Internet?
How do you protect against phishing?
How do you protect your outbound mail?
In this talk I will focus on on-premises Exchange solutions, but also on 3rd party and cloud based solutions
AGENDA
SPF / DKIM / DMARC
When time permits: S/MIME, TLS
SPF / DKIM / DMARC
SENDER POLICY FRAMEWORK
SPF is a validation process: is the sending server allowed to send email on behalf of the sender's domain?
Organizations register information about their sending email servers in public DNS (in SPF records)
Receiving servers check and compare this information
SPF PROCESS
Mail server receives SMTP connection
Only checks RFC5321.MailFrom (domain name)
Retrieve SPF record
Compare SPF record against source IP address
Pass = ok
Fail = stamp header, quarantine, junk mail folder or block message
SPF DNS ENTRIES
SPF entries start with "v=spf1"
Followed by sending mail server information: ip4, ip6, A or MX
And followed by a qualifier: pass (+), fail (-), softfail (~), neutral (?)
SPF DNS EXAMPLES
"v=spf1 mx -all" (allow MX servers to send mail, no others)
"v=spf1 ip4:192.168.0.1/24 -all" (allow servers in this range, no others)
"v=spf1 a:exchangelabs.nl ~all" (all A records in this domain, but not sure about others: softfail)
Syntax info on http://www.openspf.org/SPF_Record_Syntax
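The SPF check from the process slide, worked through as an added example (not code from the deck): the record of the RFC5321.MailFrom domain is fetched, each mechanism is compared against the source IP in order, and the first match's qualifier becomes the result. DNS answers are a constructed table here rather than live lookups, so the a: and mx: mechanisms resolve against invented addresses (exchangelabs.nl is the deck's example domain; strict.example is made up).

```python
import ipaddress

# Constructed stand-in for DNS (assumption: no live lookups); exchangelabs.nl
# mirrors the deck's example records, strict.example is an invented domain.
DNS = {
    "exchangelabs.nl": {
        "TXT": "v=spf1 ip4:192.168.0.1/24 a:exchangelabs.nl mx ~all",
        "A": ["203.0.113.10"],
        "MX": ["mail.exchangelabs.nl"],
    },
    "mail.exchangelabs.nl": {"A": ["203.0.113.25"]},
    "strict.example": {"TXT": "v=spf1 mx -all", "MX": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mechanism_matches(mech, ip, domain):
    """True when the SPF mechanism covers the source IP (ip4/ip6/a/mx/all)."""
    name, _, arg = mech.partition(":")
    if name in ("ip4", "ip6"):
        # strict=False accepts host bits in the CIDR, as in the deck's 192.168.0.1/24
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return str(ip) in DNS.get(arg or domain, {}).get("A", [])
    if name == "mx":
        hosts = DNS.get(arg or domain, {}).get("MX", [])
        return any(str(ip) in DNS.get(h, {}).get("A", []) for h in hosts)
    if name == "all":
        return True
    raise ValueError(f"unsupported mechanism: {mech}")


def check_spf(mailfrom_domain, source_ip):
    """Evaluate the MailFrom domain's SPF record against the connecting IP."""
    terms = DNS.get(mailfrom_domain, {}).get("TXT", "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"                     # no SPF policy published
    ip = ipaddress.ip_address(source_ip)
    for term in terms[1:]:
        qualifier = "+"                   # a mechanism without qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term, ip, mailfrom_domain):
            return QUALIFIERS[qualifier]  # first matching mechanism decides
    return "neutral"                      # record exhausted without a match


if __name__ == "__main__":
    for ip in ("192.168.0.77", "203.0.113.25", "198.51.100.5"):
        print(ip, check_spf("exchangelabs.nl", ip))
```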
CHECK SPF WITH MXTOOLBOX
SPF FAILURE
DOMAINKEYS IDENTIFIED MAIL (DKIM)
DKIM is about signing and verifying email messages
DKIM consists of two operations:
Signing of a message: done by the sending host or a 3rd party service or appliance
Verifying of a message: done by the receiving host or a 3rd party service or appliance
DKIM OVERVIEW
User sends email to recipient
Mail server signs message header with private key
Recipient server checks DNS for public key
Recipient server decrypts and validates message
Recipient server stamps message header
DKIM DETAILS
What's in the message header:
v=1; a=rsa-sha256; d=Exchangelabs.nl; s=1471253148.exchangelabs; c=simple/simple; t=1476973767; h=from:subject:to:date:message-id; bh=v+ZL4UUHbKdCnlQ8PbkBAftTIsIQ2nhPcvQuh8CzvJQ=; b=cDASVnI0Cc8S95wyqF91qp1xLzA7r4W9VQxFiVl6aWcAhDfYyJfHgqgHlQQXSU+180aylOY1NBR 4RA8gzBR3NXrbzuAf7sRauo9E4QEGqn2zWRFei+/kTAHf+z4UwrarimP04PVKfE9Xk6+Iy4xqTh+u vg+Auh6HPfLZlxS2k68=
's' is the selector key which identifies the DNS record: s=1471253148.exchangelabs
SO, WHAT’S IN THE EMAIL HEADER?
's' = selector key, points to the DNS record
DKIM DETAILS
After verification, the receiving server stamps the email with an Authentication-Results header:
spf=pass (sender IP is 176.62.196.244) smtp.mailfrom=Exchangelabs.nl; wesselius.info; dkim=pass (signature was verified) header.d=Exchangelabs.nl;wesselius.info; dmarc=pass action=none header.from=Exchangelabs.nl;wesselius.info; dkim=pass (signature was verified) header.d=Exchangelabs.nl;
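What a receiver does with the header shown on the DKIM details slide, as an added example (not code from the deck): parse the tag=value list, derive the DNS name where the selector's public key lives, list the covered headers, and recompute the bh= body hash for the c=simple/simple case. The header below is a constructed copy of the deck's with placeholder bh= and b= values; the body inputs are made up.

```python
import base64
import hashlib

# Constructed DKIM-Signature value shaped like the deck's header; bh= and b=
# are placeholders, not the deck's real values.
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; d=Exchangelabs.nl; s=1471253148.exchangelabs; "
    "c=simple/simple; t=1476973767; h=from:subject:to:date:message-id; "
    "bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE="
)


def parse_tags(value):
    """Split a DKIM tag=value list into a dict; folding whitespace inside a
    value (as in the deck's wrapped b= value) is removed."""
    tags = {}
    for item in value.split(";"):
        name, sep, data = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(data.split())
    return tags


def dkim_dns_name(tags):
    """TXT record the receiver queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def signed_headers(tags):
    """Header fields covered by the signature, in h= order."""
    return tags["h"].lower().split(":")


def simple_body_hash(body: bytes) -> str:
    """bh= for body canonicalization 'simple': CRLF line endings, trailing
    empty lines dropped, body ending in exactly one CRLF. The receiver
    recomputes this and compares it with bh= before checking b= against the
    public key (DKIM signs the message; it does not encrypt it)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode()


if __name__ == "__main__":
    tags = parse_tags(DKIM_SIGNATURE)
    print("public key lookup:", dkim_dns_name(tags))
    print("signed headers:", signed_headers(tags))
    print("bh for an empty body:", simple_body_hash(b""))
```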
DKIM IMPLEMENTATION
Exchange does not support DKIM natively
Use a 3rd party appliance, software or (cloud) service
On github.com/Pro/dkim-exchange you can find a DKIM signing module for Exchange
On http://dkim.org/deploy/index.html you can find more deployment partners
DKIM PUBLIC AND PRIVATE KEY
Private key is used by the sender (and only this sender!) for encryption
Public key is used by the receiver for decryption and verification
How to get a public and private key?
Online, for example via dkimcore.org (good idea?)
OpenSSL
DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING & CONFORMANCE (DMARC)
DMARC is an email validation mechanism
Implemented on top of SPF and DKIM
DMARC is policy based
Policy is published in DNS
Policy defines what to do if the SPF or DKIM check fails: quarantine, reject or none
DMARC has reporting capabilities
DMARC PROCESS FLOW
User sends email, mail server inserts DKIM header
Recipient server checks SPF and DKIM record
Recipient server retrieves DMARC policy
Recipient server applies policy
Recipient server sends DMARC report
DMARC DETAILS
Example DNS record:
v=DMARC1;p=none;sp=none;pct=100;rua=mailto:[email protected]
p = policy, rua = reporting URI
Optional: adkim = alignment mode for DKIM, aspf = alignment mode for SPF
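The receiver-side policy step from the process flow slide, as an added example (not code from the deck): parse the DMARC record, read the SPF and DKIM results from an Authentication-Results header, test identifier alignment against the RFC5322.From domain in relaxed or strict mode, and return the action the policy asks for. Inputs are constructed versions of the deck's record and header; the organizational-domain rule is simplified to the last two labels (a real implementation uses the Public Suffix List).

```python
import re

# Constructed inputs modelled on the deck's examples (not copied verbatim).
AUTH_RESULTS = (
    "spf=pass (sender IP is 176.62.196.244) smtp.mailfrom=bounce.exchangelabs.nl; "
    "dkim=pass (signature was verified) header.d=exchangelabs.nl"
)
DMARC_RECORD = "v=DMARC1; p=quarantine; pct=100; adkim=r; aspf=s; rua=mailto:dmarc@example.com"


def parse_tags(text):
    """DMARC tag=value record -> dict."""
    return {k.strip(): v.strip() for k, _, v in
            (item.partition("=") for item in text.split(";")) if k.strip()}


def parse_auth_results(value):
    """Authentication-Results -> {'spf': {'result': 'pass', 'smtp.mailfrom': ...}, ...}"""
    results = {}
    for clause in value.split(";"):
        words = re.sub(r"\([^)]*\)", "", clause).split()   # drop (comments)
        if not words:
            continue
        method, _, result = words[0].partition("=")
        props = dict(w.partition("=")[::2] for w in words[1:])
        results[method] = {"result": result, **props}
    return results


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier_domain, from_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def evaluate_dmarc(record, from_domain, auth):
    """(dmarc result, action) for the From: domain; pass needs one aligned pass."""
    policy = parse_tags(record)
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(
        spf.get("smtp.mailfrom", ""), from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim.get("result") == "pass" and aligned(
        dkim.get("header.d", ""), from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")   # pct= sampling not modelled
```

In the constructed case the SPF identifier bounce.exchangelabs.nl fails strict alignment, so the verdict rests on the aligned DKIM pass.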
DMARC REPORTS
Some platforms return DMARC reports to the mailbox mentioned in the DMARC DNS record
DMARC reports are XML files
Need a service like Dmarcian or Agari to analyze DMARC reports
Or use a script: http://bit.ly/DMARCScript
DMARCIAN-EU.COM
HOW TO GET STARTED?
Start analyzing your reputation
Implement DMARC with policy=none, reports to Dmarcian or your own reporting mailbox
Inventory of your email sources (can be extremely complex): office mail, bulk mail, website forms, invoices etc.
If you have a solid view on your email, implement DKIM and SPF
3RD PARTY (CLOUD) SOLUTIONS
EOP supports SPF, DKIM and DMARC out of the box
Create DNS CNAME records
Turn on DKIM signing in the Exchange Admin Center
Check Gareth Gudger's blogpost: http://bit.ly/2e0XHZw
Same process for other vendors like Symantec Cloud (Brightmail SMTP gateway)
Cisco IronPort has DKIM and DMARC modules
DKIM IN OFFICE 365
OTHER 3RD PARTY VENDORS
Symantec MessageLabs, MimeCast, ProofPoint, IronPort, Barracuda, TrendMicro
More on http://dkim.org/deploy/
SUMMARY
SPF, DKIM and DMARC are used for authentication purposes, both inbound and outbound
DKIM and DMARC are not supported by Exchange on-premises
Use a 3rd party solution for DKIM and DMARC
Start with implementing DMARC for analyzing email reputation
S/MIME
S/MIME is all about client signing and encryption
Secure/Multipurpose Internet Mail Extensions
S/MIME is based on a Digital ID (certificate)
Signing based on private key, verification based on public key
Encryption based on public key, decryption based on private key
ADD AND VERIFY S/MIME SIGNATURE
Question: What happens if server adds a disclaimer?
S/MIME SIGNATURE
ENCRYPT AN OUTBOUND MESSAGE
Need the recipient's public key for encryption purposes
But how do I get this public key?
S/MIME USER EXPERIENCES
Imagine your CEO needs to do all this
Or there is a legal requirement to encrypt or sign, and users forget to do so
Internal messaging is not really an issue, but external messaging is prone to (user) error
TRANSPORT LAYER SECURITY
TLS is server to server encryption and authentication
Exchange uses 'opportunistic TLS': used whenever possible
Exchange can use a self-signed certificate, but only for encryption, not for authentication
TRANSPORT LAYER SECURITY
Forced TLS is implemented as 'Domain Security'
Servers authenticate and encrypt; no authentication, no mail flow
Need proper SSL certificates, dedicated Send Connectors and possibly Receive Connectors
Transport configuration needs to be configured for both domains
TRANSPORT LAYER SECURITY
Whenever possible Exchange uses server to server encryption (encryption, no authentication)
For authentication use Domain Security, configured on a per-domain basis
No need for user action
SUMMARY
SPF, DKIM and DMARC are used for authentication purposes, both inbound and outbound
Use a 3rd party solution for DKIM and DMARC
Start with implementing DMARC for analyzing email reputation
S/MIME is a client based solution for signing and encryption, with some sharp edges that can hurt end users
TLS is used for server to server encryption