Page 1: Securing, Protecting, and Managing the Flow of Corporatefiles.informatandm.com/...Protecting_and_Managing_the_Flow...DaveStork.pdf · •Demand DKIM from mailing services (Mailchimp

Securing, Protecting, and Managing the Flow of Corporate Communications
Getting mailflow right

#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM

Dave Stork
Technical Consultant
OGD ict-diensten

QR: URL to Presentation

Page 2

Who am I?

Dave Stork
• Technical consultant @ OGD ict-diensten
• Based in The Netherlands (EU)
• Microsoft Office Apps and Services MVP
• Mail: [email protected]
• Twitter: @dmstork
• Blog: https://dirteam.com/dave

Interesting Facts:
• Science & Sci-Fi nut
• I co-wrote/tech reviewed books!
• www.practicalpowershell.com

Page 3

Topics
• A short SMTP intro
• Filtering mail
• Securing mail transport
• Encrypting mail
• Spoofing and how to mitigate
• Q & A

Page 4

A short SMTP intro

Page 5

Definitions
• Banner
• EHLO/HELO
• EHLO Response
• MAIL FROM:
• RCPT TO:
• DATA
  • Includes mail headers

Page 6

Message Headers (SMTP delivery)

Received: from dc10 (10.0.10.10) by mail.lab2010.com (10.0.10.20) with Microsoft SMTP Server id 14.3.301.0; Mon, 23 Apr 2018 11:00:19 +0200
From: <[email protected]>
Subject: spoof test
To: [email protected];
Return-Path: [email protected]

Page 7

Filtering mail

Page 8

Filtering mail
Some spam filtering concepts:
• Recipient filtering
• Tar pitting
• Reverse DNS
• Connection/content filtering...

Page 9

Filtering mail
Best practice: use a cloud provider!
• Exchange Online Protection, MessageLabs, etc.

Why?
• They take care of most things faster than most admins
• It’s an arms race; machine learning based on big data

Page 10

Securing mail transport

Page 11

SMTP TLS Transport
Opportunistic TLS
• Best-effort encryption: falls back to a weaker TLS configuration or to unencrypted SMTP
• Certificate based
• EHLO response with the server FQDN, e.g. mail.contoso.com
• Certificate name must be equal to the EHLO name
• Certificate does not have to be trusted

Page 12

SMTP TLS Transport
Mutual TLS / Domain Security
• Forced authentication & encryption: no fallback
• Certificate based
• Configured per mail domain (connectors for each domain)
• Trusted certificate with a name corresponding to the EHLO name

Page 13

SMTP TLS Transport
DANE
• DNS-Based Authentication of Named Entities (DANE); RFC 7672
• Certificate based
• Ensures the mail server target found in DNS is correct (and not spoofed via DNS cache poisoning etc.)
• DNSSEC required
• Prevents downgrade attacks on SMTP TLS (for instance due to a MitM attack)
• No trusted certificate required

Page 14

SMTP TLS Transport
What is SMTP Strict Transport Security?
• Uses DNS to publish the list of valid public keys of the certificate:
  • TXT record under _smtp_sts.contoso.com
• Checks the certificate against that list & the Certificate Authority + Trust-on-First-Use
• Failure reporting & handling
• No DNSSEC required: a little less secure than DANE

Can we use it?
• Currently a protocol draft at the IETF: draft-margolis-smtp-sts-00

Page 15

Encrypting mail

Page 16

S/MIME
User-level signing, or signing and encryption, of individual mails
• Certificate based
• Sender & receiver require each other’s public key before encryption is possible
• Limited client compatibility
• Cumbersome configuration, required on each client
• Solutions that change the content of a mail will break S/MIME

PGP offers a comparable experience

Page 17

Office 365 Message Encryption (OME)
Sending encrypted mail messages
• Fully based on Rights Management Services / Information Protection
• Mail is encrypted and sent to the external recipient
• Partner opens the mail
  • When on O365: automatically decrypted
  • When on another platform: “hosted” on O365 for viewing, using an OTP or another IdP (Google, Yahoo, MSA)

Lots of other solutions offer a similar experience (e.g. Egress, open source)

Pages 18 to 21

OME (image-only slides)

Page 22

Spoofing and how to mitigate

Page 23

What is spoofing?
The creation of email messages with a forged sender address

Organizational mitigations:
• SPF
• DKIM
• DMARC

Results in authenticated mail

Page 24

Message Headers (SMTP delivery)

Received: from dc10 (10.0.10.10) by mail.lab2010.com (10.0.10.20) with Microsoft SMTP Server id 14.3.301.0; Mon, 23 Apr 2018 11:00:19 +0200
From: <[email protected]>            <- RFC5322.From
Subject: spoof test
To: [email protected];
Return-Path: [email protected]       <- RFC5321.From

Page 26

What does SPF do?
Sender Policy Framework
• Public list of servers that are allowed to send mail for your domain
• Public as in: public DNS TXT record
• Recipient servers can check AT CONNECTION whether the incoming IP is on that allow list
• Based on the domain from MAIL FROM or EHLO
• Recipient organization may choose to receive, quarantine or reject those mails

Page 27

SPF Syntax

Qualifier (action):
  +  Pass (default, can be omitted)
  -  Fail
  ~  Softfail
  ?  Neutral

Mechanism (match):
  ip4      IPv4 address or range
  ip6      IPv6 address or range
  a        DNS A records for domain
  mx       DNS MX records for domain
  include  Include the SPF record of another domain
  all      Always matches (catch-all)

Page 28

SPF Syntax
Examples
• v=spf1 ip4:87.213.105.253 include:spf.protection.outlook.com include:servers.mcsv.net ~all (OGD.nl)
• v=spf1 mx a:www.tweedekamer.nl ip4:213.207.90.158 include:_spf.intermax.nl -all (Tweede Kamer)
• v=spf1 -all (aivd.nl)

• Max 10 DNS lookups, cumulative (include, mx, a etc. all count, including those inside included records)
• When an included record does not match, the include mechanism simply does not match; it has no negative effect on the outer record
• Max length of a single TXT string is 255 bytes

Page 29

SPF Caveats
• You have to know every mail server that uses your domain
  • Mailing services like MailChimp, SaaS
• Legitimate forwarding could be broken
  • e.g. mailing lists
• No protection against From: header spoofing (RFC5322.From)
• Subdomains require an explicit SPF record

Page 30

SPF Caveats: forwards

Diagram: [email protected] (Contoso) -> [email protected] (Fabrikam, forwards the mail) -> [email protected] (final recipient)

Hop 1 (Contoso -> Fabrikam):
  EHLO contoso.com
  MAIL FROM: [email protected]
  RCPT TO: [email protected]
  From: [email protected]

Hop 2 (Fabrikam forwards to the final recipient, keeping the original MAIL FROM, so the recipient checks the sender’s SPF record against Fabrikam’s IP):
  EHLO fabrikam.com
  MAIL FROM: [email protected]
  RCPT TO: [email protected]
  From: [email protected]

Mitigation in Fabrikam could be Sender Rewriting Scheme: bounces+SRS=#as#[email protected]
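The slides above list the SPF qualifiers and mechanisms and show how a forward breaks SPF. As an added example (not code from the presentation), the Python below evaluates an SPF record the way a receiving server would, using a small constructed DNS table in place of real lookups, counts DNS-querying mechanisms against the 10-lookup limit, and replays the slide 30 forward with and without an SRS-rewritten MAIL FROM. All domains, IPs and records in the table are made up for the example.

```python
import ipaddress

# Constructed DNS data for this example (not from the slides): SPF TXT records plus
# the A and MX records that the "a" and "mx" mechanisms resolve, keyed by domain.
DNS = {
    "contoso.com": {"txt": "v=spf1 ip4:192.0.2.10 mx include:spf.relay.example -all",
                    "mx": ["mail.contoso.com"]},
    "mail.contoso.com": {"a": ["192.0.2.25"]},
    "spf.relay.example": {"txt": "v=spf1 ip4:198.51.100.0/24 -all"},
    "fabrikam.com": {"txt": "v=spf1 ip4:203.0.113.5 -all"},
    "parked.example": {"txt": "v=spf1 -all"},                       # never sends mail
    "loop.example": {"txt": "v=spf1 include:loop.example -all"},    # blows the lookup limit
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms, cumulative across includes


def check_spf(ip, domain, lookups=None):
    """SPF result for a connection from `ip` that claims `domain` (MAIL FROM or EHLO)."""
    lookups = lookups if lookups is not None else [0]   # counter shared with includes
    record = DNS.get(domain, {}).get("txt")
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:                     # skip the v=spf1 version tag
        qual = "+"                                      # "+" (pass) is the default
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in DNS.get(arg or domain, {}).get("a", [])
        elif mech == "mx":
            hosts = DNS.get(arg or domain, {}).get("mx", [])
            matched = any(str(addr) in DNS.get(h, {}).get("a", []) for h in hosts)
        elif mech == "include":
            inner = check_spf(ip, arg, lookups)
            if inner in ("none", "permerror"):          # missing or broken include
                return "permerror"
            matched = inner == "pass"   # a fail inside the include is just "no match"
        else:
            return "permerror"                          # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"      # nothing matched and no "all" term


def forwarding_demo():
    """Slide 30: Contoso -> Fabrikam -> third party. The forwarded hop comes from
    Fabrikam's IP but still carries Contoso's MAIL FROM, so SPF fails; rewriting the
    MAIL FROM with SRS to fabrikam.com makes the final receiver check Fabrikam's record."""
    direct = check_spf("192.0.2.10", "contoso.com")       # hop 1, Contoso's own server
    forwarded = check_spf("203.0.113.5", "contoso.com")   # hop 2, no SRS
    with_srs = check_spf("203.0.113.5", "fabrikam.com")   # hop 2, SRS-rewritten MAIL FROM
    return direct, forwarded, with_srs
```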

Page 31

What does DKIM do?
DomainKeys Identified Mail
• Signs messages leaving the organization
• Private/public key construction
  • Signed with the private key
  • Recipient organization verifies with the public key
• Public key information in a public DNS record
• This way recipients know:
  • The domain owner takes responsibility
  • Whether the message has been changed in transit

Page 32

DKIM in DNS
• <selector>._domainkey.contoso.com
• TXT
  • Includes the public key
• CNAME
  • Points to another record, for instance: selector1-contoso-com._domainkey.contoso.onmicrosoft.com
• You can have multiple selectors, either TXT or CNAME

Page 33

DKIM Syntax (image-only slide)

Page 34

What does DMARC do?
Domain-based Message Authentication, Reporting & Conformance
• Checks incoming mail based on the RFC5322.From domain
  • This is what users see in the Display Name etc.
  • Includes the results from the SPF and DKIM checks
• Sender organization can suggest actions when SPF and/or DKIM fail
• Sender organization can receive reports
• Subdomains can have a different policy from the main domain

Page 35

DMARC in DNS
• TXT record in the form of “_dmarc.your_domain.com.”
• For a subdomain, the subdomain’s DNS is checked first; if no record is present on the subdomain, the organizational domain is used:
  • @service.marketing.ogd.nl > _dmarc.service.marketing.ogd.nl
  • If not existing > _dmarc.ogd.nl
• If no DNS record is found, the DMARC check is skipped.

Page 36

DMARC tags

Tag    Short description                                   Value                     Required? / default
v      Protocol version, for now version 1                 DMARC1                    Required
p      Policy for organizational domain                    none, quarantine, reject  Required
sp     Policy for subdomains of the organizational domain  none, quarantine, reject  Optional; if not explicitly defined, sp is the same as p
pct    Percentage of messages subjected to filtering       0-100                     Optional (default is 100)
fo     Reporting options                                   0, 1, d, s                Optional
ruf    Address for forensic reports                        Mail address              Optional (required if fo= is used)
rua    Address for aggregate reports                       Mail address              Optional
adkim  Alignment mode for DKIM (relaxed or strict)         r, s                      Optional / default is relaxed
aspf   Alignment mode for SPF (relaxed or strict)          r, s                      Optional / default is relaxed

Page 37

DMARC Syntax
Examples
• v=DMARC1; p=quarantine; ruf=mailto:[email protected]; rua=mailto:[email protected]; fo=1
• v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=s; aspf=r; sp=reject; fo=1; pct=100

Page 38

Putting SPF, DKIM and DMARC together

Diagram: Client sends mail -> Server signs and sends the mail -> Internet -> Server receives mail delivery request -> SPF check, DKIM check, DMARC check (all consulting DNS) -> Extra filtering or delivery

1. Client sends a mail
2. Server signs with DKIM and sends the mail over the internet
3. Receiving server gets a connection request to accept mail
4. Starts with an SPF check
5. Simultaneously starts a DKIM check
6. Then starts with the DMARC check
   A. Checks DNS for the DMARC policy
   B. Checks the results of SPF (RFC5321.From) and DKIM (d=) against RFC5322.From
   C. Applies the DMARC policy according to the DNS record
7. If everything passes (depending on policy) the mail gets delivered to the receiving client or is subjected to additional filtering

Schematics provided by OGD ict diensten
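As an added example, not code from the presentation, the Python below implements step 6 of this flow: it discovers the DMARC policy with the subdomain-to-organizational-domain fallback from page 35, parses the tags from the page 36 table, and checks the SPF and DKIM identifiers against RFC5322.From using the relaxed/strict alignment rules explained on page 43. The DNS records are constructed for the example, and the organizational domain is assumed to be the last two labels (a real verifier consults the public suffix list).

```python
# Constructed DNS TXT records for this example (not from the slides), keyed by name.
DNS_TXT = {
    "_dmarc.ogd.example": "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; "
                          "rua=mailto:dmarc@ogd.example; fo=1; pct=100",
    "_dmarc.shop.ogd.example": "v=DMARC1; p=none; rua=mailto:dmarc-shop@ogd.example",
}


def org_domain(domain):
    """Organizational domain. Assumption for the example: the last two labels. A real
    verifier consults the public suffix list so that e.g. example.co.uk works."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + record)
    return tags


def discover_policy(from_domain):
    """Page 35 lookup order: _dmarc.<RFC5322.From domain>, then _dmarc.<org domain>.
    Returns (tags, policy to apply) or (None, None) when no record exists."""
    record = DNS_TXT.get("_dmarc." + from_domain)
    if record is not None:
        tags = parse_dmarc(record)
        return tags, tags["p"]
    org = org_domain(from_domain)
    record = DNS_TXT.get("_dmarc." + org) if org != from_domain else None
    if record is None:
        return None, None
    tags = parse_dmarc(record)
    return tags, tags.get("sp", tags["p"])   # sp defaults to p for subdomains


def aligned(identifier, from_domain, mode):
    """Page 43 alignment: strict needs the exact domain, relaxed the organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_result, dkim_d):
    """Step 6: combine the SPF result (with its RFC5321.MailFrom domain) and the DKIM
    result (with its d= domain) against the RFC5322.From domain.
    Returns (dmarc_result, action), where action is what the sender's policy asks for."""
    tags, policy = discover_policy(from_domain)
    if tags is None:
        return "none", "no policy"   # no DNS record: the DMARC check is skipped
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # pct= would apply the policy to only that percentage of failing mail; not modelled here
    return "fail", policy
```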

Page 39

Example
• v=DMARC1; p=quarantine; ruf=mailto:[email protected]; rua=mailto:[email protected]; fo=1

Page 40

Best practices
• Protect all your domains, even if you don’t mail from them.
  • SPF: “v=spf1 -all”
  • DMARC: “v=DMARC1;p=reject”
• Protect your subdomains, even if you don’t mail from them
  • SPF: “v=spf1 -all”
  • DMARC: add “sp=reject” on the organization domain

Page 41

Best practices
• Implement a process for changes to SPF, DKIM and DMARC
  • Make sure every change goes through someone who knows how it works
  • Do a regular check to see if SPF, DKIM and DMARC are still configured correctly
• Demand DKIM from mailing services (Mailchimp and the like)
  • If not possible, consider using a subdomain for it; this way your main domain can be kept strict
  • Use at least 1024-bit key strength (default in O365)

Page 42

Best practices
• Make DMARC stricter after a test period:
  1. p=none, sp=quarantine or reject
  2. p=quarantine, sp=reject
  3. p=reject
  • Optional: use pct to limit the impact
• Warn users about mailing lists that do not use DKIM and/or do not use the Sender Rewriting Scheme.
  • Forwarding from Outlook or with a mail rule is no issue, as the old mail is attached to the new mail.

Page 43

Not talked about:

Alignment:
• DMARC relaxed vs strict
  • Relaxed = organizational domain must match (marketing.ogd.nl matches ogd.nl)
  • Strict = FQDN must match (marketing.ogd.nl does not match ogd.nl)
• DKIM alignment
  • Make sure that mailing services sign DKIM with the correct domain in d=

Authenticated Received Chain (ARC)
• ARC preserves email authentication results across subsequent intermediaries

Page 44

Questions?