Securing, Protecting, and Managing the Flow of Corporate Communications

Transcription

1 Securing, Protecting, and Managing the Flow of Corporate Communications Getting mailflow right Dave Stork Technical Consultant OGD ict-diensten QR: URL to Presentation

2 Who am I? Dave Stork Technical OGD ict-diensten Based in The Netherlands (EU) Microsoft Office Apps and Services MVP Mail: dave.stork@ogd.nl Blog: Interesting Facts: Science & Sci-Fi nut I co-wrote/tech reviewed books!

3 Topics A short SMTP intro Filtering mail Securing mail transport Encrypting mail Spoofing and how to mitigate Q & A

4 A short SMTP intro

5 Definitions Banner EHLO/HELO EHLO Response MAIL FROM: RCPT TO: DATA Includes mail headers

6 SMTP delivery Message Headers Received: from dc10 ( ) by mail.lab2010.com ( ) with Microsoft SMTP Server id ; Mon, 23 Apr :00: From: Subject: spoof test To: Return-Path:

7 Filtering mail

8 Filtering mail Some spam filtering concepts: Recipient filtering Tar pitting Reverse DNS Connection/content filtering...

9 Filtering mail Best practice: Use a cloud provider! Exchange Online Protection, MessageLabs, Etc. Why? They take care of most things faster than most admins It s an arms race; machine learning based on big data

10 Securing mail transport

11 SMTP TLS Transport Opportunistic TLS Best effort encryption: fallback to lower or unencrypted SMTP Certificate based EHLO response with server FQDN; i.e. mail.contoso.com Certificate name must be equal to EHLO Certificate does not have to be trusted

12 SMTP TLS Transport Mutual TLS / Domain Security Forced authentication & encryption: no fallback Certificate based Configured per mail domain (connectors for each domain) Trusted certificate with name corresponding with EHLO

13 SMTP TLS Transport DANE DNS-Based Authentication of Named Entities (DANE); RFC7672 Certificate based Ensures mail server target found in DNS is correct (and not spoofed via DNS cache poison etc) DNSSEC required Prevents downgrade attacks of SMTP TLS (for instance due to MitM attack) No Trusted Certificate required

14 SMTP TLS Transport What is SMTP Strict Transport Security? Uses DNS to check list of valid public keys of certificate: TXT record under _smtp_sts.contoso.com Checks certificate with list & Certificate Authority + Trust-on-First- Use Failure reporting & handling No DNSSEC required: little bit less secure as DANE Can we use it? Currently a protocol draft at the IETF: draft-margolis-smtp-sts-00

15 Encrypting mail

16 S/MIME User level signing or signing and encryption of individual mails Certificate based Sender & receiver require each others public key before encryption is possible Limited client compatibility Cumbersome configuration and required on each client Solutions that change content of mail will break S/MIME PGP has a comparable experience

17 Office 365 Message Encryption (OME) Sending encrypted mail messages Fully based on Rights Management Services/Information Protection Mail is encrypted and sent to external recipient Partner opens mail When on O365: auto decrypted When on other: hosted on O365 for viewing using OTP, other idp (Google, Yahoo, MSA). Lot of other solutions with similar experience (i.e. Egress, open source)

18 OME

19 OME

20 OME

21 OME

22 Spoofing and how to mitigate

23 What is spoofing? The creation of messages with a forged sender address Organizational mitigations: SPF DKIM DMARC Results in Authenticated mail

24 SMTP delivery Message Headers Received: from dc10 ( ) by mail.lab2010.com ( ) with Microsoft SMTP Server id ; Mon, 23 Apr :00: RFC5322.From From: Subject: spoof test To: Return-Path: RFC5321.From

25

26 What does SPF do? Sender Policy Framework Public list of servers that are allowed to mail for your domain Public as in: Public DNS TXT record Recipient servers can check AT CONNECTION whether incoming IP is on that allow list Based on domain from MAIL FROM or EHLO Recipient organization may choose to receive, quarantine or reject those mails

27 SPF Syntax Action + Pass (default, can be omitted) - Fail ~ Softfail? Neutral Match IP4 IP6 A MX INCLUDE ALL Ipv4 address or range Ipv6 address or range DNS A records for domain DNS MX records for domain Include spf of other domain Always matches (catch all).

28 SPF Syntax Example v=spf1 ip4: include:spf.protection.outlook.com include:servers.mcsv.net ~all (OGD.nl) v=spf1 mx a: ip4: include:_spf.intermax.nl all (Tweede Kamer) v=spf1 all (aivd.nl) Max 10 DNS lookup, cumulative (include, MX etc. included) When Include fails; no negative effect Max string length of TXT record is 255 bytes

29 SPF Caveats You have to know every mail server that uses your domain Mailing services like MailChimp, SaaS Legitimate forwarding could be broken i.e. Mailinglists No protection to From: header spoofing (RFC5322.From) Subdomains require explicit SPF record

30 SPF Caveats: forwards EHLO contoso.com MAIL FROM: RCPT TO: From: EHLO fabrikam.com MAIL FROM: RCPT TO: From: Mitigation in Fabrikam could be Sender Rewriting Scheme

31 What does DKIM do? DomainKeys Identified Mail Signs messages leaving the organization Private/Public Key construction Signed with Private Key Recipient organization verifies with Public Key Public Key information in public DNS record This way recipients know: Domain owner takes responsibility If message has been changed in transit

32 DKIM in DNS <selector>._domainkey.contoso.com TXT Includes public key CNAME Other record, for instance: selector1-contosocom._domainkey.contoso.onmicrosoft.com You can have multiple selectors either TXT or CNAME

33 DKIM Syntax

34 What does DMARC do? Domain-based Message Authentication, Reporting & Conformance Checks incoming mail based on RFC5322.From domain This is what users see in Display Name etc.. Includes results from SPF and DKIM checks Sender organization can suggest actions when SPF and/or DKIM fail Sender organization can receive reports Subdomains can have different policy from main domain

35 DMARC in DNS Txt record in the form of _dmarc.your_domain.com. Subdomain first checks subdomain dns, if not present on subdomain, uses organizational > _dmarc.service.marketing.ogd.nl If not existing > _dmarc.ogd.nl If no dns record is found, dmarc check is skipped.

36 Tag Short description Value Required?/default V Protocol version, for now its version 1 DMARC1 Required P Policy for organizational domain None, Quarantine, Reject Required SP Policy for subdomains of the organizational domain None, Quarantine, Reject Optional, if not explicitly defined SP is same as P PCT Percentage of messages subjected to filtering Optional (default is 100) FO Reporting options 0,1,d,s Optional RUF For reporting of forensic reports Mail address Optional (Required if FO= is used) RUA For reporting of aggregate reports Mail address Optional ADKIM Alignment mode for DKIM (relaxed or strict) R, S Optional / Default is Relaxed ASPF Alignment mode for SPF (relaxed or strict) R, S Optional / Default is Relaxed

37 DMARC Syntax Example v=dmarc1; p=quarantine; fo=1 v=dmarc1; p=quarantine; adkim=s; aspf=r; sp=reject; fo=1; pct=100

38 Putting SPF, DKIM and DMARC together Schematics provided by OGD ict diensten Client sends mail SPF check Extra filtering or delivery Server signs and sends the mail Internet Server receives mail deliver request DKIM check DMARC check DNS 1. Client sends a mail 2. Server signs with DKIM and sends the mail over the internet 3. Receiving server gets a connection request to accept mail 4. Starts with a SPF check 5. Simultaneously starts a DKIM check 6. Then starts with the DMARC check A. Checks DNS for DMARC policy B. Checks the results of the SPF (RFC5321.from) and DKIM (d=) with RFC5322.From C. Applies DMARC policy according to the DNS record 7. If everything passes (depending on policy) the mail gets delivered to the receiving client or is subjected to additional filtering

39 Example v=dmarc1; p=quarantine; fo=1

40 Best practices Protect all your domains, even if you don t mail from them. SPF: V=spf1 all DMARC: V=DMARC1;p=reject Protect your subdomains, even if you don t mail from them SPF: V=spf1 all DMARC: Add sp=reject on organization domain

41 Best practices Implement a process for changes to SPF, DKIM and DMARC Make sure every change goes through someone that knows how it works Do a regular check to see if SPF, DKIM and DMARC are still configured correctly Demand DKIM from mailing services (Mailchimp and the like) If not possible, consider using a subdomain for it; this way your domain can be kept strict Use at least 1024 bit strength (default in O365)

42 Best practices Make DMARC stricter after a test period. 1. P=none, sp=quarantine or reject 2. P=quarantine, sp=reject 3. P=reject Optional: Use pct to limit impact Warn users for mailinglists that do not use DKIM and/or do not use Sender Rewrite Scheme. Forwarding from Outlook or with a mail rule is no issue as the old mail is attached in new mail.

43 Not talked about: Alignment: DMARC Relaxed vs strict Relaxed = organizational domain must match (marketing.ogd.nl matches ogd.nl) Strict = FQDN must match (marketing.ogd.nl does not match ogd.nl) DKIM Alignment Make sure that mailing services sign DKIM with correct domain at d= Authenticated Received Chain (ARC) ARC preserves authentication results across subsequent intermediaries

44 Questions?