Securing, Protecting, and Managing the Flow of Corporate Communications


Securing, Protecting, and Managing the Flow of Corporate Communications: Getting mailflow right
Dave Stork, Technical Consultant, OGD ict-diensten

Who am I?
  Dave Stork, Technical consultant @ OGD ict-diensten, based in The Netherlands (EU)
  Microsoft Office Apps and Services MVP
  Mail: dave.stork@ogd.nl
  Twitter: @dmstork
  Blog: https://dirteam.com/dave
  Interesting facts: science & sci-fi nut; I co-wrote/tech reviewed books! www.practicalpowershell.com

Topics
  A short SMTP intro
  Filtering mail
  Securing mail transport
  Encrypting mail
  Spoofing and how to mitigate
  Q & A

A short SMTP intro

Definitions
  Banner
  EHLO/HELO
  EHLO response
  MAIL FROM:
  RCPT TO:
  DATA (includes the mail headers)

SMTP delivery: message headers
  Received: from dc10 (10.0.10.10) by mail.lab2010.com (10.0.10.20) with Microsoft SMTP Server id 14.3.301.0; Mon, 23 Apr 2018 11:00:19 +0200
  From: <ditisnep@sppoooof.com>
  Subject: spoof test
  To: administrator@lab2010.com;
  Return-Path: bounce@bounce.contoso.com

Filtering mail

Filtering mail
  Some spam filtering concepts:
    Recipient filtering
    Tar pitting
    Reverse DNS
    Connection/content filtering
    ...

Filtering mail
  Best practice: use a cloud provider! Exchange Online Protection, MessageLabs, etc.
  Why? They take care of most things faster than most admins
  It's an arms race; machine learning based on big data

Securing mail transport

SMTP TLS transport: Opportunistic TLS
  Best-effort encryption: falls back to a lower protocol level or to unencrypted SMTP
  Certificate based
  EHLO response carries the server FQDN, e.g. mail.contoso.com
  Certificate name must be equal to the EHLO name
  Certificate does not have to be trusted

SMTP TLS transport: Mutual TLS / Domain Security
  Forced authentication and encryption: no fallback
  Certificate based
  Configured per mail domain (connectors for each domain)
  Trusted certificate with a name corresponding to the EHLO name

SMTP TLS transport: DANE
  DNS-Based Authentication of Named Entities (DANE); RFC 7672
  Certificate based
  Ensures the mail server target found in DNS is correct (and not spoofed via DNS cache poisoning etc.)
  DNSSEC required
  Prevents downgrade attacks on SMTP TLS (for instance due to a MitM attack)
  No trusted certificate required

SMTP TLS transport: what is SMTP Strict Transport Security?
  Uses DNS to check a list of valid public keys of the certificate: TXT record under _smtp_sts.contoso.com
  Checks the certificate against that list and a Certificate Authority, plus Trust-on-First-Use
  Failure reporting and handling
  No DNSSEC required: a little bit less secure than DANE
  Can we use it? Currently a protocol draft at the IETF: draft-margolis-smtp-sts-00

Encrypting mail

S/MIME
  User-level signing, or signing and encryption, of individual mails
  Certificate based
  Sender and receiver require each other's public key before encryption is possible
  Limited client compatibility
  Cumbersome configuration, and required on each client
  Solutions that change the content of the mail will break S/MIME
  PGP has a comparable experience

Office 365 Message Encryption (OME)
  Sending encrypted mail messages
  Fully based on Rights Management Services / Information Protection
  Mail is encrypted and sent to the external recipient
  Partner opens the mail:
    When on O365: automatically decrypted
    When elsewhere: hosted on O365 for viewing, using an OTP or another IdP (Google, Yahoo, MSA)
  Lots of other solutions with a similar experience (e.g. Egress, open source)

OME (screenshot slides)

Spoofing and how to mitigate

What is spoofing?
  The creation of email messages with a forged sender address
  Organizational mitigations: SPF, DKIM, DMARC
  Result: authenticated mail

SMTP delivery: message headers
  Received: from dc10 (10.0.10.10) by mail.lab2010.com (10.0.10.20) with Microsoft SMTP Server id 14.3.301.0; Mon, 23 Apr 2018 11:00:19 +0200
  From: <ditisnep@sppoooof.com>            (RFC5322.From)
  Subject: spoof test
  To: administrator@lab2010.com;
  Return-Path: bounce@bounce.contoso.com  (RFC5321.From, the MAIL FROM address)

What does SPF do?
  Sender Policy Framework
  Public list of servers that are allowed to mail for your domain
  Public as in: a public DNS TXT record
  Recipient servers can check AT CONNECTION whether the incoming IP is on that allow list
  Based on the domain from MAIL FROM or EHLO
  Recipient organization may choose to receive, quarantine or reject those mails

SPF syntax

  Qualifier  Action
  +          Pass (default, can be omitted)
  -          Fail
  ~          Softfail
  ?          Neutral

  Mechanism  Match
  ip4        IPv4 address or range
  ip6        IPv6 address or range
  a          DNS A records for the domain
  mx         DNS MX records for the domain
  include    The SPF record of another domain
  all        Always matches (catch-all)

SPF syntax examples
  v=spf1 ip4:87.213.105.253 include:spf.protection.outlook.com include:servers.mcsv.net ~all (OGD.nl)
  v=spf1 mx a:www.tweedekamer.nl ip4:213.207.90.158 include:_spf.intermax.nl all (Tweede Kamer)
  v=spf1 all (aivd.nl)
  Max 10 DNS lookups, cumulative (include, MX etc. are counted)
  When an include fails (does not match), there is no negative effect
  Each string in a TXT record is limited to 255 bytes

SPF caveats
  You have to know every mail server that uses your domain: mailing services like MailChimp, SaaS
  Legitimate forwarding could be broken, e.g. mailing lists
  No protection against From: header spoofing (RFC5322.From)
  Subdomains require an explicit SPF record

SPF caveats: forwards
  Hop 1, contoso.com to fabrikam.com:
    EHLO contoso.com
    MAIL FROM: dave@contoso.com
    RCPT TO: group@fabrikam.com
    From: dave@contoso.com
  Hop 2, fabrikam.com forwards to wingtoys.com:
    EHLO fabrikam.com
    MAIL FROM: dave@contoso.com
    RCPT TO: willem@wingtoys.com
    From: dave@contoso.com
  Wingtoys checks fabrikam's IP against the SPF record of contoso.com (the unchanged MAIL FROM domain), and fabrikam is not listed there.
  Mitigation in Fabrikam could be Sender Rewriting Scheme (SRS), which rewrites MAIL FROM to bounces+srs=#as#=12000000=contoso.com=dave@fabrikam.com
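The SPF evaluation described on the preceding slides (qualifiers, mechanisms, the cumulative 10-lookup limit, and the forwarding failure), as an added example that is not part of the original talk. It resolves against a constructed in-memory zone instead of real DNS; the domains, IPs and records are hypothetical, and per-MX address lookups and the exists/ptr mechanisms are not modelled.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (hypothetical zone, not OGD's).
DNS = {
    "contoso.com": {"TXT": "v=spf1 mx a:www.contoso.com ip4:203.0.113.10 "
                           "include:_spf.bulkmail.example ~all",
                    "MX": ["mx1.contoso.com"]},
    "mx1.contoso.com": {"A": ["198.51.100.5"]},
    "www.contoso.com": {"A": ["198.51.100.80"]},
    "_spf.bulkmail.example": {"TXT": "v=spf1 ip4:192.0.2.0/24 -all"},
    "loop.example": {"TXT": "v=spf1 include:loop.example -all"},  # include loop
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms, cumulative across includes

def host_has_ip(name, addr):
    return any(ipaddress.ip_address(a) == addr for a in DNS.get(name, {}).get("A", []))

def check_spf(domain, ip, lookups=None):
    """Evaluate the MAIL FROM domain's SPF record for the connecting IP.
    Returns (result, dns_lookups_used); `lookups` is a counter shared with includes."""
    lookups = lookups if lookups is not None else [0]
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"   # "+" is the default
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            if name == "include":   # matches only when the included record passes
                sub, _ = check_spf(arg, ip, lookups)
                if sub == "permerror":
                    return sub, lookups[0]
                matched = sub == "pass"  # fail/softfail inside an include is not negative
            elif name == "a":
                matched = host_has_ip(arg or domain, addr)
            else:   # mx
                matched = any(host_has_ip(mx, addr)
                              for mx in DNS.get(arg or domain, {}).get("MX", []))
        if matched:
            return QUALIFIERS[qualifier], lookups[0]
    return "neutral", lookups[0]   # nothing matched and no "all" term
```

The forwarded mail from the slide corresponds to a connection from an IP outside contoso.com's record: the record ends in ~all, so the result is softfail rather than pass.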

What does DKIM do?
  DomainKeys Identified Mail
  Signs messages leaving the organization
  Private/public key construction: signed with the private key, the recipient organization verifies with the public key
  Public key information is in a public DNS record
  This way recipients know:
    The domain owner takes responsibility
    Whether the message has been changed in transit

DKIM in DNS
  <selector>._domainkey.contoso.com
    TXT: includes the public key
    CNAME: points to another record, for instance selector1-contosocom._domainkey.contoso.onmicrosoft.com
  You can have multiple selectors, either TXT or CNAME

DKIM Syntax

What does DMARC do?
  Domain-based Message Authentication, Reporting & Conformance
  Checks incoming mail based on the RFC5322.From domain: this is what users see in the display name etc.
  Includes the results from the SPF and DKIM checks
  Sender organization can suggest actions when SPF and/or DKIM fail
  Sender organization can receive reports
  Subdomains can have a different policy from the main domain

DMARC in DNS
  TXT record in the form of _dmarc.your_domain.com
  For a subdomain, the subdomain's DNS is checked first; if no record is present there, the organizational domain's record is used:
    @service.marketing.ogd.nl > _dmarc.service.marketing.ogd.nl
    If that does not exist > _dmarc.ogd.nl
  If no DNS record is found at all, the DMARC check is skipped.

  Tag    Short description                                    Value                     Required? / default
  v      Protocol version, for now version 1                  DMARC1                    Required
  p      Policy for the organizational domain                 none, quarantine, reject  Required
  sp     Policy for subdomains of the organizational domain   none, quarantine, reject  Optional; if not explicitly defined, sp is the same as p
  pct    Percentage of messages subjected to filtering        0-100                     Optional (default is 100)
  fo     Reporting options                                    0, 1, d, s                Optional
  ruf    Mail address for forensic reports                    mail address              Optional (required if fo= is used)
  rua    Mail address for aggregate reports                   mail address              Optional
  adkim  Alignment mode for DKIM (relaxed or strict)          r, s                      Optional; default is relaxed
  aspf   Alignment mode for SPF (relaxed or strict)           r, s                      Optional; default is relaxed

DMARC syntax examples
  v=dmarc1; p=quarantine; ruf=mailto:dmarc_ruf@ogd.nl; rua=mailto:dmarc_rua@ogd.nl; fo=1
  v=dmarc1; p=quarantine; rua=mailto:jxduktlu@ag.dmarcian.com; ruf=mailto:jxduktlu@fr.dmarcian.com; adkim=s; aspf=r; sp=reject; fo=1; pct=100

Putting SPF, DKIM and DMARC together (schematics provided by OGD ict-diensten)
  1. Client sends a mail
  2. Server signs with DKIM and sends the mail over the internet
  3. Receiving server gets a connection request to accept mail
  4. Starts with an SPF check
  5. Simultaneously starts a DKIM check
  6. Then starts with the DMARC check:
     A. Checks DNS for the DMARC policy
     B. Checks the results of SPF (RFC5321.From) and DKIM (d=) against RFC5322.From
     C. Applies the DMARC policy according to the DNS record
  7. If everything passes (depending on the policy) the mail gets delivered to the receiving client, or is subjected to additional filtering

Example v=dmarc1; p=quarantine; ruf=mailto:dmarc_ruf@ogd.nl; rua=mailto:dmarc_rua@ogd.nl; fo=1

Best practices
  Protect all your domains, even if you don't mail from them
    SPF: v=spf1 -all
    DMARC: v=DMARC1; p=reject
  Protect your subdomains, even if you don't mail from them
    SPF: v=spf1 -all
    DMARC: add sp=reject on the organizational domain

Best practices
  Implement a process for changes to SPF, DKIM and DMARC
  Make sure every change goes through someone who knows how it works
  Do a regular check to see whether SPF, DKIM and DMARC are still configured correctly
  Demand DKIM from mailing services (Mailchimp and the like)
    If not possible, consider using a subdomain for them; this way your main domain can be kept strict
  Use at least 1024-bit DKIM keys (the default in O365)

Best practices
  Make DMARC stricter after a test period:
    1. p=none, sp=quarantine or reject
    2. p=quarantine, sp=reject
    3. p=reject
  Optional: use pct to limit the impact
  Warn users about mailing lists that do not use DKIM and/or do not use the Sender Rewriting Scheme
  Forwarding from Outlook or with a mail rule is no issue, as the old mail is attached to a new mail

Not talked about:
  Alignment: DMARC relaxed vs strict
    Relaxed = the organizational domain must match (marketing.ogd.nl matches ogd.nl)
    Strict = the FQDN must match (marketing.ogd.nl does not match ogd.nl)
  DKIM alignment: make sure that mailing services sign DKIM with the correct domain in d=
  Authenticated Received Chain (ARC): ARC preserves email authentication results across subsequent intermediaries
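The DMARC evaluation from the "DMARC in DNS", "Putting SPF, DKIM and DMARC together" and alignment slides, as an added example that is not part of the original talk: subdomain-first policy lookup with fallback to the organizational domain (where sp applies), relaxed versus strict alignment of the SPF and DKIM domains against RFC5322.From, and the resulting disposition. The zone and domains are constructed, the public suffix list is a three-entry stand-in, and pct sampling is left out.

```python
import re

# Constructed DNS TXT data (hypothetical zone, not OGD's real records).
DNS_TXT = {
    "_dmarc.contoso.com": "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; "
                          "rua=mailto:dmarc_rua@contoso.com",
    "_dmarc.news.contoso.com": "v=DMARC1; p=none",
}
PUBLIC_SUFFIXES = {"com", "nl", "co.uk"}  # stand-in for the public suffix list

def org_domain(fqdn):
    """Organizational domain: public suffix plus one label (a.b.contoso.com -> contoso.com)."""
    labels = fqdn.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return fqdn.lower()

def parse_dmarc(record):
    return {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", record)}

def find_policy(from_domain):
    """Subdomain record first; if absent, the organizational domain's record (where sp applies)."""
    rec = DNS_TXT.get(f"_dmarc.{from_domain}")
    if rec:
        return parse_dmarc(rec), False
    org = org_domain(from_domain)
    rec = DNS_TXT.get(f"_dmarc.{org}")
    return (parse_dmarc(rec), from_domain != org) if rec else (None, False)

def aligned(auth_domain, from_domain, mode):
    """Strict: identical FQDN. Relaxed: same organizational domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_check(from_domain, spf_result, mailfrom_domain, dkim_result, dkim_d):
    """from_domain is RFC5322.From, mailfrom_domain is RFC5321.From, dkim_d the d= tag.
    Returns (dmarc_result, disposition); 'none' disposition means deliver as usual."""
    policy, is_sub = find_policy(from_domain)
    if policy is None or policy.get("v", "").upper() != "DMARC1":
        return "none", "none"   # no record found: DMARC check is skipped
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:   # one aligned pass is enough
        return "pass", "none"
    action = policy.get("sp", policy.get("p")) if is_sub else policy.get("p")
    return "fail", action
```

The SRS-forwarded mail from the SPF slide passes here only because its DKIM signature (d=contoso.com) still aligns: the rewritten MAIL FROM at fabrikam.com passes SPF but is not aligned with the From: domain.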

Questions?