Securing, Protecting, and Managing the Flow of Corporate Communications Getting mailflow right Dave Stork Technical Consultant OGD ict-diensten QR: URL to Presentation
Who am I? Dave Stork Technical consultant @ OGD ict-diensten Based in The Netherlands (EU) Microsoft Office Apps and Services MVP Mail: dave.stork@ogd.nl Twitter: @dmstork Blog: https://dirteam.com/dave Interesting Facts: Science & Sci-Fi nut I co-wrote/tech reviewed books! www.practicalpowershell.com
Topics A short SMTP intro Filtering mail Securing mail transport Encrypting mail Spoofing and how to mitigate Q & A
A short SMTP intro
Definitions: Banner, EHLO/HELO, EHLO response, MAIL FROM:, RCPT TO:, DATA (includes the mail headers)
SMTP delivery: Message Headers
Received: from dc10 (10.0.10.10) by mail.lab2010.com (10.0.10.20) with Microsoft SMTP Server id 14.3.301.0; Mon, 23 Apr 2018 11:00:19 +0200
From: <ditisnep@sppoooof.com>
Subject: spoof test
To: administrator@lab2010.com;
Return-Path: bounce@bounce.contoso.com
Filtering mail
Filtering mail Some spam filtering concepts: Recipient filtering Tar pitting Reverse DNS Connection/content filtering...
Filtering mail Best practice: Use a cloud provider! Exchange Online Protection, MessageLabs, etc. Why? They take care of most things faster than most admins. It's an arms race; machine learning based on big data.
Securing mail transport
SMTP TLS Transport Opportunistic TLS Best effort encryption: fallback to lower or unencrypted SMTP Certificate based EHLO response with server FQDN; i.e. mail.contoso.com Certificate name must be equal to EHLO Certificate does not have to be trusted
SMTP TLS Transport Mutual TLS / Domain Security Forced authentication & encryption: no fallback Certificate based Configured per mail domain (connectors for each domain) Trusted certificate with name corresponding with EHLO
SMTP TLS Transport DANE DNS-Based Authentication of Named Entities (DANE); RFC7672 Certificate based Ensures mail server target found in DNS is correct (and not spoofed via DNS cache poison etc) DNSSEC required Prevents downgrade attacks of SMTP TLS (for instance due to MitM attack) No Trusted Certificate required
SMTP TLS Transport What is SMTP Strict Transport Security? Uses DNS to check a list of valid public keys of the certificate: TXT record under _smtp_sts.contoso.com. Checks the certificate against that list & Certificate Authority + Trust-on-First-Use. Failure reporting & handling. No DNSSEC required: a little bit less secure than DANE. Can we use it? Currently a protocol draft at the IETF: draft-margolis-smtp-sts-00
Encrypting mail
S/MIME User level signing, or signing and encryption, of individual mails. Certificate based. Sender & receiver require each other's public key before encryption is possible. Limited client compatibility. Cumbersome configuration, required on each client. Solutions that change the content of mail will break S/MIME. PGP has a comparable experience.
Office 365 Message Encryption (OME) Sending encrypted mail messages. Fully based on Rights Management Services/Information Protection. Mail is encrypted and sent to the external recipient. Partner opens mail: when on O365: auto decrypted; when on other: hosted on O365 for viewing using OTP or another IdP (Google, Yahoo, MSA). Lots of other solutions with a similar experience (e.g. Egress, open source)
OME
Spoofing and how to mitigate
What is spoofing? The creation of email messages with a forged sender address Organizational mitigations: SPF DKIM DMARC Results in Authenticated mail
SMTP delivery: Message Headers
Received: from dc10 (10.0.10.10) by mail.lab2010.com (10.0.10.20) with Microsoft SMTP Server id 14.3.301.0; Mon, 23 Apr 2018 11:00:19 +0200
From: <ditisnep@sppoooof.com>   <- RFC5322.From
Subject: spoof test
To: administrator@lab2010.com;
Return-Path: bounce@bounce.contoso.com   <- RFC5321.From
What does SPF do? Sender Policy Framework Public list of servers that are allowed to mail for your domain Public as in: Public DNS TXT record Recipient servers can check AT CONNECTION whether incoming IP is on that allow list Based on domain from MAIL FROM or EHLO Recipient organization may choose to receive, quarantine or reject those mails
SPF Syntax
Action (qualifier):
+  Pass (default, can be omitted)
-  Fail
~  Softfail
?  Neutral
Match (mechanism):
ip4      IPv4 address or range
ip6      IPv6 address or range
a        DNS A records for domain
mx       DNS MX records for domain
include  Include SPF of other domain
all      Always matches (catch all)
SPF Syntax Example v=spf1 ip4:87.213.105.253 include:spf.protection.outlook.com include:servers.mcsv.net ~all (OGD.nl) v=spf1 mx a:www.tweedekamer.nl ip4:213.207.90.158 include:_spf.intermax.nl all (Tweede Kamer) v=spf1 all (aivd.nl) Max 10 DNS lookups, cumulative (include, MX etc. included). When an include does not match: no negative effect. Max string length of a TXT record is 255 bytes.
SPF Caveats You have to know every mail server that uses your domain: mailing services like MailChimp, SaaS. Legitimate forwarding could be broken, e.g. mailing lists. No protection against From: header spoofing (RFC5322.From). Subdomains require an explicit SPF record.
SPF Caveats: forwards
Step 1, dave@contoso.com -> group@fabrikam.com:
EHLO contoso.com / MAIL FROM: dave@contoso.com / RCPT TO: group@fabrikam.com / From: dave@contoso.com
Step 2, fabrikam.com forwards to willem@wingtoys.com:
EHLO fabrikam.com / MAIL FROM: dave@contoso.com / RCPT TO: willem@wingtoys.com / From: dave@contoso.com
(MAIL FROM still says contoso.com while the sending IP belongs to fabrikam.com, so contoso.com's SPF fails.)
Mitigation in Fabrikam could be Sender Rewriting Scheme: bounces+srs=#as#=12000000=contoso.com=dave@fabrikam.com
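To make the SPF syntax slide and the forwarding caveat concrete, here is an added example (my code, not from the presentation or from OGD) of a minimal SPF evaluator: it honours the four qualifiers, the ip4/a/mx/include/all mechanisms and the 10-DNS-lookup limit, and it reproduces the forwarding case with and without a Sender Rewriting Scheme rewrite. The DNS zone data, IP addresses and the hash and timestamp fields in the SRS address are constructed for the demo; they are not the real records of the domains on the slides.

```python
"""Minimal SPF evaluator (RFC 7208 subset) against a constructed DNS table."""
import ipaddress

# Constructed DNS zone data: TXT (SPF), A and MX records. Not real records.
DNS = {
    "contoso.com": {
        "TXT": "v=spf1 mx ip4:203.0.113.10 include:spf.mailprovider.example -all",
        "MX": ["mx1.contoso.com"],
    },
    "mx1.contoso.com": {"A": ["203.0.113.25"]},
    "spf.mailprovider.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 ~all"},
    # fabrikam.com forwards mail and uses SRS, so its own record covers its IP
    "fabrikam.com": {"TXT": "v=spf1 ip4:192.0.2.5 -all"},
    # a record that includes itself exhausts the 10-lookup budget -> permerror
    "loop.example": {"TXT": "v=spf1 include:loop.example -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # cumulative over include/a/mx, RFC 7208 section 4.6.4


def check_spf(ip, domain, lookups=None):
    """Return (result, lookups_used) for sender IP against the domain's SPF record."""
    if lookups is None:
        lookups = [0]  # mutable counter shared through include: recursion
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.lower().startswith("v=spf1"):
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # "+" is the default and may be omitted
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            target = arg or domain
            if name == "a":
                matched = ip in DNS.get(target, {}).get("A", [])
            elif name == "mx":
                hosts = DNS.get(target, {}).get("MX", [])
                matched = any(ip in DNS.get(h, {}).get("A", []) for h in hosts)
            else:
                # include: only a "pass" of the included record matches; a
                # fail/softfail inside the include has no negative effect
                sub, _ = check_spf(ip, target, lookups)
                if sub == "permerror":
                    return "permerror", lookups[0]
                matched = sub == "pass"
        if matched:
            return QUALIFIERS[qualifier], lookups[0]
    return "neutral", lookups[0]  # no mechanism matched and no "all" term


def srs_rewrite(mail_from, forwarder, timestamp="12000000"):
    """Rewrite MAIL FROM in the shape shown on the forwards slide.
    The '#as#' hash field and the timestamp are placeholders, not a real SRS hash."""
    local, _, dom = mail_from.partition("@")
    return f"bounces+srs=#as#={timestamp}={dom}={local}@{forwarder}"


def forwarded_spf(ip, mail_from, forwarder=None):
    """SPF result as seen by the final recipient; forwarder=None means no SRS."""
    if forwarder:
        mail_from = srs_rewrite(mail_from, forwarder)
    return check_spf(ip, mail_from.rpartition("@")[2])[0]


if __name__ == "__main__":
    print(check_spf("203.0.113.10", "contoso.com"))
    print(forwarded_spf("192.0.2.5", "dave@contoso.com"))                 # fail
    print(forwarded_spf("192.0.2.5", "dave@contoso.com", "fabrikam.com"))  # pass
```

Running it shows why the forwarding slide matters: mail relayed by fabrikam.com with an unchanged MAIL FROM fails contoso.com's -all record, while the SRS-rewritten envelope sender is evaluated against fabrikam.com's own record instead. The self-including loop.example record shows the permerror a receiver returns once the cumulative lookup count passes ten.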
What does DKIM do? DomainKeys Identified Mail. Signs messages leaving the organization. Private/public key construction: signed with the private key, recipient organization verifies with the public key. Public key information in a public DNS record. This way recipients know: the domain owner takes responsibility, and whether the message has been changed in transit.
DKIM in DNS <selector>._domainkey.contoso.com TXT Includes public key CNAME Other record, for instance: selector1-contosocom._domainkey.contoso.onmicrosoft.com You can have multiple selectors either TXT or CNAME
DKIM Syntax
What does DMARC do? Domain-based Message Authentication, Reporting & Conformance Checks incoming mail based on RFC5322.From domain This is what users see in Display Name etc.. Includes results from SPF and DKIM checks Sender organization can suggest actions when SPF and/or DKIM fail Sender organization can receive reports Subdomains can have different policy from main domain
DMARC in DNS TXT record in the form of _dmarc.your_domain.com. A subdomain first checks the subdomain's DNS; if not present on the subdomain, it uses the organizational domain. @service.marketing.ogd.nl > _dmarc.service.marketing.ogd.nl; if not existing > _dmarc.ogd.nl. If no DNS record is found, the DMARC check is skipped.
Tag   | Short description                                     | Value                   | Required?/default
v     | Protocol version, for now it's version 1              | DMARC1                  | Required
p     | Policy for organizational domain                      | none, quarantine, reject | Required
sp    | Policy for subdomains of the organizational domain    | none, quarantine, reject | Optional; if not explicitly defined, sp is the same as p
pct   | Percentage of messages subjected to filtering         | 0-100                   | Optional (default is 100)
fo    | Reporting options                                     | 0, 1, d, s              | Optional
ruf   | Destination for forensic reports                      | Mail address            | Optional (required if fo= is used)
rua   | Destination for aggregate reports                     | Mail address            | Optional
adkim | Alignment mode for DKIM (relaxed or strict)           | r, s                    | Optional / default is relaxed
aspf  | Alignment mode for SPF (relaxed or strict)            | r, s                    | Optional / default is relaxed
DMARC Syntax Example v=dmarc1; p=quarantine; ruf=mailto:dmarc_ruf@ogd.nl; rua=mailto:dmarc_rua@ogd.nl; fo=1 v=dmarc1; p=quarantine; rua=mailto:jxduktlu@ag.dmarcian.com; ruf=mailto:jxduktlu@fr.dmarcian.com; adkim=s; aspf=r; sp=reject; fo=1; pct=100
Putting SPF, DKIM and DMARC together (schematic provided by OGD ict diensten: Client sends mail -> Server signs and sends the mail -> Internet -> Server receives mail delivery request -> SPF check / DKIM check / DMARC check against DNS -> Extra filtering or delivery)
1. Client sends a mail
2. Server signs with DKIM and sends the mail over the internet
3. Receiving server gets a connection request to accept mail
4. Starts with an SPF check
5. Simultaneously starts a DKIM check
6. Then starts with the DMARC check
   A. Checks DNS for the DMARC policy
   B. Checks the results of the SPF (RFC5321.From) and DKIM (d=) with RFC5322.From
   C. Applies the DMARC policy according to the DNS record
7. If everything passes (depending on policy) the mail gets delivered to the receiving client or is subjected to additional filtering
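The DMARC slides above (record discovery on subdomain then organizational domain, the tag table with its defaults, and step 6 of the flow) are brought together in this added example of a DMARC evaluator; it is my code, not the presentation's or OGD's. It also shows the relaxed versus strict alignment modes behind adkim and aspf. SPF and DKIM verification results are passed in as inputs, since those checks are separate; the _dmarc records and the messages are constructed (the header sample mirrors the spoof-test headers earlier in the deck), and the organizational-domain function is a two-label simplification of the public suffix list.

```python
"""DMARC policy discovery, tag parsing and identifier alignment (RFC 7489 subset)."""
import random
from email import message_from_string
from email.utils import parseaddr

# Constructed _dmarc TXT records; not the real records of these domains.
DNS_TXT = {
    "_dmarc.ogd.nl": "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; pct=100; "
                     "rua=mailto:dmarc_rua@ogd.nl",
    "_dmarc.lab2010.com": "v=DMARC1; p=reject",
}
DEFAULTS = {"p": None, "sp": None, "pct": "100", "adkim": "r", "aspf": "r"}


def organizational_domain(domain):
    """Simplification: last two labels. Real code needs the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict and apply the defaults from the tag table."""
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").lower() != "dmarc1" or tags["p"] is None:
        raise ValueError("not a valid DMARC record")
    if tags["sp"] is None:
        tags["sp"] = tags["p"]  # sp defaults to p when not explicitly defined
    tags["pct"] = int(tags["pct"])
    return tags


def discover_policy(from_domain):
    """Subdomain record first, then the organizational domain.
    Returns (tags, is_subdomain) or None when no record exists (check skipped)."""
    org = organizational_domain(from_domain)
    record = DNS_TXT.get(f"_dmarc.{from_domain}")
    if record:
        return parse_dmarc(record), False
    record = DNS_TXT.get(f"_dmarc.{org}")
    if record:
        return parse_dmarc(record), from_domain.lower() != org
    return None


def aligned(auth_domain, from_domain, mode):
    """Strict: exact FQDN match. Relaxed: organizational domains match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(raw_message, spf_result, dkim_result, dkim_d, rng=random.random):
    """Combine SPF (RFC5321.From) and DKIM (d=) results with RFC5322.From alignment."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    mail_from_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    found = discover_policy(from_domain)
    if found is None:
        return {"from": from_domain, "result": "none", "action": "deliver"}
    tags, is_sub = found
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return {"from": from_domain, "result": "pass", "action": "deliver"}
    policy = tags["sp"] if is_sub else tags["p"]
    if rng() * 100 >= tags["pct"]:
        # message not sampled by pct: apply the next less strict policy
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, policy)
    return {"from": from_domain, "result": "fail", "action": policy}


def make_message(from_addr, return_path):
    """Constructed message in the shape of the spoof-test headers shown earlier."""
    return (
        "Received: from dc10 (10.0.10.10) by mail.lab2010.com (10.0.10.20)\n"
        " with Microsoft SMTP Server id 14.3.301.0; Mon, 23 Apr 2018 11:00:19 +0200\n"
        f"From: <{from_addr}>\nSubject: spoof test\nTo: administrator@lab2010.com\n"
        f"Return-Path: {return_path}\n\nTest body.\n"
    )


if __name__ == "__main__":
    # Spoofed subdomain sender: no own record, falls back to ogd.nl's sp=reject
    print(evaluate_dmarc(make_message("dave@marketing.ogd.nl", "x@evil.example"),
                         "fail", "none", ""))
    # Forwarded mail: SPF fails but DKIM d=ogd.nl is strictly aligned, so it passes
    print(evaluate_dmarc(make_message("ceo@ogd.nl", "x@evil.example"),
                         "fail", "pass", "ogd.nl"))
```

Two things the slides state become visible when running this: a subdomain without its own record inherits the organizational domain's sp= policy rather than p=, and with adkim=s a signature by d=ogd.nl does not align a From: at marketing.ogd.nl, while aspf=r still lets a bounces.ogd.nl envelope sender align with it.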
Example v=dmarc1; p=quarantine; ruf=mailto:dmarc_ruf@ogd.nl; rua=mailto:dmarc_rua@ogd.nl; fo=1
Best practices Protect all your domains, even if you don't mail from them. SPF: v=spf1 -all DMARC: v=DMARC1; p=reject. Protect your subdomains, even if you don't mail from them. SPF: v=spf1 -all DMARC: add sp=reject on the organizational domain.
Best practices Implement a process for changes to SPF, DKIM and DMARC. Make sure every change goes through someone who knows how it works. Do a regular check to see if SPF, DKIM and DMARC are still configured correctly. Demand DKIM from mailing services (Mailchimp and the like); if not possible, consider using a subdomain for it; this way your domain can be kept strict. Use at least 1024 bit key strength (default in O365).
Best practices Make DMARC stricter after a test period. 1. p=none, sp=quarantine or reject 2. p=quarantine, sp=reject 3. p=reject. Optional: use pct to limit impact. Warn users about mailing lists that do not use DKIM and/or do not use the Sender Rewriting Scheme. Forwarding from Outlook or with a mail rule is no issue, as the old mail is attached in the new mail.
Not talked about: Alignment: DMARC Relaxed vs strict Relaxed = organizational domain must match (marketing.ogd.nl matches ogd.nl) Strict = FQDN must match (marketing.ogd.nl does not match ogd.nl) DKIM Alignment Make sure that mailing services sign DKIM with correct domain at d= Authenticated Received Chain (ARC) ARC preserves email authentication results across subsequent intermediaries
Questions?