1
Analysis of SMTP TLS Implementations
BtCIRT Conference
25 Oct 2024
Jamie Gillespie, Senior Internet Security Specialist, APNIC
Overview
 Importance of SMTP security
 Overview of SMTP security options
 Methodology
 Analysis of SMTP TLS security
 Recommendations
2
Importance of SMTP security
 Email is integral to our work and personal lives
 What's in your Inbox and Sent Mail folders?
 PII, credit cards, health data, passwords, OTP codes, login links
3
Importance of SMTP security
 Blog posts
 How to send sensitive information via email
 User perception
 "I'm connected to Gmail.com using HTTPS so my email is secure"
 Technical visibility
 CEOs asking why SSL Labs doesn't give your web site an
 SMTP server-to-server communication is hidden from users
 Where is the padlock for email?
 Where is the mailtos: URI like https: ?
4
Importance of SMTP security
 SMTP server-to-server communication uses STARTTLS
 Communication starts unencrypted, and if both parties
agree then the connection is upgraded
 This is usually optional, and opens the door to
Man-in-the-Middle attacks
 DNS Cache Poisoning
 BGP Hijacking
 How would you feel going to https://www.your-bank.com.au
and the connection silently defaulting to unencrypted?
5
Overview of SMTP security options
 DANE (DNS-Based Authentication of Named Entities)
 DANE associates a TLS certificate with a server, using DNS, and
optionally without the need for a CA (i.e. self-signed certs)
 Stores certificate fingerprints in DNS TLSA resource records
 Requires DNSSEC to work properly
 Existence of a TLSA record signals TLS (STARTTLS) is to be used
6
Overview of SMTP security options
 MTA-STS (Mail Transfer Agent Strict Transport Security)
 MTA-STS enables mail service providers to declare their ability to
use TLS, and if TLS is required (enforced)
 This is the SMTP equivalent to HSTS for HTTPS
 Different to DANE:
 In addition to a DNS record, MTA-STS publishes the policy on an HTTPS server
 Requires TLSv1.2
 Certificates must be signed by a trusted root CA
 Should use DNSSEC for maximum security, but is not mandatory
7
Overview of SMTP security options
 DKIM (DomainKeys Identified Mail)
 DKIM provides a method for detecting forged/spoofed addresses
 When an email is sent, it is signed using a private key and then
validated on the receiving server using a public key in a DNS record
 Should use DNSSEC for maximum security, but is not mandatory
 This can help to prevent email spoofing and phishing attacks, but
doesn't help with server-to-server communication
8
Overview of SMTP security options
 SPF (Sender Policy Framework)
 SPF is a simple email validation system, designed to prevent spoofing
 It works by verifying that incoming mail comes from a server
authorized by that domain's administrator
 The list of authorized sending hosts for a domain is published in DNS
TXT records
 Should use DNSSEC for maximum security, but is not mandatory
 This also helps to prevent email spoofing and phishing attacks, but
doesn't help with server-to-server communication
9
Overview of SMTP security options
 DMARC (Domain-based Message Authentication, Reporting & Conformance)
 DMARC is an email validation system designed to detect and prevent
email spoofing
 It extends SPF and DKIM to specify how to check the From: address,
how to handle failures, and a reporting mechanism
 This also helps to prevent email spoofing and phishing attacks, but
doesn't help with server-to-server communication
10
Methodology
 I wrote some Python code to:
 Take a list of domains and query their MX records
 Deduplicate MX servers, so I only touch a server once
 Query DNS for records relating to MTA-STS, get the MTA-STS policy
from the web server, and compare MX records against the policy
 Query DNS for TLSA, DMARC, and SPF records (recursively)
 Write it all out to a series of files for further processing/analysis
11
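The MTA-STS step of the methodology (fetch the `_mta-sts` TXT record, fetch the policy over HTTPS, compare the MX hosts against the policy's `mx:` lines) is the part most worth seeing in code. The block below is an added example, not the speaker's survey script: it does the parsing and comparison offline on constructed sample data (placeholder domains, a fabricated `id`), so the live DNS and HTTPS fetches are stood in for by string constants. The wildcard rule follows RFC 8461, where `*.mx.example.net` matches exactly one label.

```python
"""Added example (not the speaker's code): parse an MTA-STS TXT record and
policy file, then check a domain's MX hosts against that policy, offline."""

# Constructed sample data standing in for live DNS/HTTPS lookups.
SAMPLE_TXT = "v=STSv1; id=20241001T120000;"          # _mta-sts.<domain> TXT
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.mx.example.net
max_age: 604800
"""
SAMPLE_MX = ["mail1.example.com", "mail2.mx.example.net", "backup.other-host.org"]


def parse_sts_txt(txt):
    """Return the tag dict of a _mta-sts TXT record, or None if it is not STSv1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "STSv1" or "id" not in tags:
        return None
    return tags


def parse_policy(text):
    """Parse RFC 8461 policy text into {'version', 'mode', 'max_age', 'mx': [...]}."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    return policy


def mx_matches(mx_host, pattern):
    """RFC 8461 matching: exact host, or a '*.' pattern covering exactly one label."""
    mx_host = mx_host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".mx.example.net"
        prefix = mx_host[: -len(suffix)] if mx_host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return mx_host == pattern


def check_mx_against_policy(mx_hosts, policy):
    """Split MX hosts into (covered, uncovered) by the policy's mx patterns.
    In 'enforce' mode a conforming sender refuses to deliver to uncovered hosts."""
    covered, uncovered = [], []
    for host in mx_hosts:
        (covered if any(mx_matches(host, p) for p in policy["mx"]) else uncovered).append(host)
    return covered, uncovered


def classify(txt, policy_text, mx_hosts):
    """One label per domain, in the spirit of the survey's per-domain tally."""
    if parse_sts_txt(txt) is None:
        return "no-mta-sts"
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        return "invalid-policy"
    _, uncovered = check_mx_against_policy(mx_hosts, policy)
    if uncovered and policy.get("mode") == "enforce":
        return "enforce-but-mx-mismatch"
    return policy.get("mode", "none")


if __name__ == "__main__":
    print(check_mx_against_policy(SAMPLE_MX, parse_policy(SAMPLE_POLICY)))
    print(classify(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX))
```

The "enforce-but-mx-mismatch" outcome is the one a survey wants to surface: a domain that publishes an enforce policy but lists an MX host the policy does not cover will see mail from policy-honouring senders bounce or queue.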
Methodology
 Used testssl.sh (https://testssl.sh/) to check all MX servers
for TLS cipher suites and common vulnerabilities
 testssl.sh provides output to CSV and JSON
 Similar tests and console output to Qualys SSL Labs
 Also used sslscan (https://github.com/rbsec/sslscan) to validate some
results
 grep, Excel, and a custom script for diffs also came in handy
12
Analysis of SMTP TLS security
Bhutan Government and Businesses
 18 domains chosen
 Most are hosting mail servers with Google
 Other hosting: druknet.bt, barracudanetworks.com
 MX records are almost all done correctly
 SPF is almost universally deployed
 DMARC is mostly deployed
 MTA-STS and DANE not commonly deployed, but
13
Analysis of SMTP TLS security
Asia-Pacific Research and Education Networks
 18 domains chosen
 Most are self-hosting mail servers or using parent university
mail servers
 External hosting: outlook.com (4), google.com (3)
 1 domain had 1 of their 3 SMTP servers unreachable
 1 domain had a single MX record, but that host resolves to
17 IP addresses, 6 of which were unreachable
14
Analysis of SMTP TLS security
Asia-Pacific Research and Education Networks
 SPF split between softfail and fail
 1 SPF record doesn't specify an action, so defaults to pass
 DMARC
 9 domains with no DMARC policy
 4 domains with a DMARC policy set to none
 Although one of these had a broken record with an extra space, p= none vs p=none
 3 domains with a DMARC policy set to quarantine
 2 domains with a DMARC policy set to reject
 6 of 9 domains with DMARC policies have reporting to email configured
 No domains have MTA-STS configured
 No domains have TLSA records for DANE
15
Analysis of SMTP TLS security
Asia-Pacific Research and Education Networks
 3 domains don't even support STARTTLS
 9 domains (that support STARTTLS) still support TLSv1.0
 1 domain had a certificate with 20 year expiry (2011-2031)
 1 domain uses self-signed certificates
 1 domain had expired certificates
16
Analysis of SMTP TLS security
Top International Email Providers
 17 domains
 gmail.com, outlook.com, aol.com, protonmail.com, zoho.com, gmx.com,
icloud.com, yahoo.com, mail2world.com, tutanota.com, bbitj.com, juno.com,
mail.com, yandex.com, hubspot.com, mail.ru, fastmail.com
 All are running their own mail servers (no surprise there)
 SPF
 1 domain is missing an SPF record
 2 domains have ?all which is almost the same as not having an SPF record at all
 the rest is split between fail and softfail
17
Analysis of SMTP TLS security
Top International Email Providers
 DMARC
 2 domains with no DMARC policy
 7 domains with a DMARC policy set to none
 Some of these could relate to different domains for staff and customers,
e.g. google.com has a reject policy, but gmail.com is set to none
 3 domains with a DMARC policy set to quarantine
 5 domains with a DMARC policy set to reject
 8 domains have MTA-STS configured (!!)
 4 domains have TLSA records for DANE
18
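Both results sections tally the same two things per domain: which result the SPF `all` term yields when nothing else matches (fail, softfail, `?all`, or a bare `all` that defaults to pass) and what the DMARC `p=` tag says, including whether `rua=` reporting is configured. The block below is an added example, not the speaker's script, that performs that classification over constructed records for placeholder domains; it also flags the "`p= none`" formatting the speaker found, by reporting whitespace around `=` as a warning rather than silently accepting or rejecting the record.

```python
"""Added example (not the speaker's code): classify SPF 'all' qualifiers and
DMARC policies the way the survey slides tally them, on constructed records."""
from collections import Counter

# Constructed sample records for placeholder domains (not the surveyed ones).
SAMPLE_SPF = {
    "a.example": "v=spf1 include:_spf.example.net -all",
    "b.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "c.example": "v=spf1 mx ?all",
    "d.example": "v=spf1 mx all",          # no qualifier on 'all' -> same as '+all'
    "e.example": "v=spf1 mx",              # no 'all' term published at all
    "f.example": None,                     # no SPF record published
}
SAMPLE_DMARC = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=quarantine; pct=100",
    "c.example": "v=DMARC1; p= none; rua=mailto:dmarc@c.example",  # stray space
    "d.example": "v=DMARC1; p=none",
    "e.example": None,
    "f.example": None,
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_all_result(record):
    """Result a receiver reaches when no earlier SPF mechanism matches."""
    if record is None:
        return "no-record"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid"
    for term in terms[1:]:
        # A mechanism without an explicit qualifier is treated as '+'.
        qualifier, name = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if name.lower() == "all":
            return QUALIFIER_RESULT[qualifier]
        if name.lower().startswith("redirect="):
            return "redirect"                 # evaluation continues at another domain
    return "neutral"  # RFC 7208 s4.7: no match and no redirect gives 'neutral'


def parse_dmarc(record):
    """Parse a DMARC TXT record into {'policy', 'reporting', 'warnings'}."""
    if record is None:
        return {"policy": "no-record", "reporting": False, "warnings": []}
    tags, warnings = {}, []
    for part in record.split(";"):
        if "=" not in part:
            continue
        raw_key, raw_val = part.split("=", 1)
        if raw_key != raw_key.rstrip() or raw_val != raw_val.lstrip():
            warnings.append(f"whitespace around '=' in {part.strip()!r}")
        tags[raw_key.strip().lower()] = raw_val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {"policy": "invalid", "reporting": False, "warnings": warnings}
    return {"policy": tags["p"].lower(), "reporting": "rua" in tags, "warnings": warnings}


def tally(spf_records, dmarc_records):
    """Per-category counts matching the shape of the slides' summaries."""
    spf = Counter(spf_all_result(r) for r in spf_records.values())
    parsed = {d: parse_dmarc(r) for d, r in dmarc_records.items()}
    dmarc = Counter(p["policy"] for p in parsed.values())
    with_policy = [p for p in parsed.values() if p["policy"] in ("none", "quarantine", "reject")]
    reporting = sum(1 for p in with_policy if p["reporting"])
    malformed = sorted(d for d, p in parsed.items() if p["warnings"])
    return {"spf": spf, "dmarc": dmarc, "reporting": reporting, "malformed_dmarc": malformed}


if __name__ == "__main__":
    for key, value in tally(SAMPLE_SPF, SAMPLE_DMARC).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Keeping the whitespace case as a warning rather than a hard failure is deliberate: different receivers treat such records differently, so a survey should record that the domain has a policy and separately that the record is non-canonical.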
Recommendations
 Test your own servers, and your critical vendors/partners
 testssl.sh (tool)
 sslscan (tool)
 internet.nl (website)
 Check for DNSSEC signing on your/any domain
 Linux: delv apnic.net
 First line will say "fully validated" if signed, or "unsigned answer" if not signed
 Linux: dig +dnssec apnic.net
 Look for "flags: ad" for "Authentic Data" and "EDNS: flags: do" for "DNSSEC OK"
 Windows (PowerShell): Resolve-DnsName apnic.net -dnssecok
19
Recommendations
 SPF, DKIM, and DMARC are great for stopping phishing and
impersonation attacks
 Set up DANE if you already have DNSSEC
 Set up MTA-STS if you don't
20
Questions & Discussion
21