Towards email authentication: TLS, SPF + DKIM + DMARC

2012/10/03 Roberto Innocente

Transcript of a 40-slide deck (inno/pubs/towards-authenticated-email.pdf).


Who adopted it?

● Hotmail.com
● Gmail.com
● AOL.com
● Yahoo.com
● Verizon.com
● Ebay
● Paypal


TLS/SPF/DKIM/DMARC

[Diagram: the receiving mailer runs, in order, SPF validation, DKIM validation and DMARC validation on each incoming message; the transport is ESMTPS = Extended SMTP over TLS]


TLS (Transport Layer Security)

An encryption layer over TCP that all MTAs should support, and should start whenever the peer offers it (STARTTLS mechanism on the standard port 25).

● STARTTLS between MTAs is opportunistic: if the 250-STARTTLS line is absent (or stripped by an active attacker) the sender falls back to clear text, so on its own it defends against passive eavesdropping only. Enforcing it needs an out-of-band policy such as DANE (RFC 7672) or MTA-STS (RFC 8461).
● Disable SSLv2 and SSLv3, which have known security problems, and prefer TLSv1.2 or later.


Mail Transfer Protocols

The keyword after "with" in a Received: line tells you how the hop was made (RFC 3848, July 2004):

Name            Protocol   Over TLS   Authenticated   Authenticated over TLS
Simple MTP      smtp       smtps      smtpa           smtpsa
Extended SMTP   esmtp      esmtps     esmtpa          esmtpsa
Local MTP       lmtp       lmtps      lmtpa           lmtpsa

RFC 3848 itself registers only the ESMTP and LMTP variants (ESMTPS, ESMTPA, ESMTPSA, LMTPS, LMTPA, LMTPSA), since plain SMTP cannot negotiate STARTTLS or AUTH. Example:

Received: from charon-02.sissa.it (charon-02.sissa.it [147.122.1.105]) by smtp.sissa.it (Postfix) with ESMTP id BEAF9D08065


Check protocol used in Received: lines

Received: from mail-ob0-f169.google.com (mail-ob0-f169.google.com [209.85.214.169]) by mail.example.org (Postfix) with ESMTPS id 13F636C003 for <[email protected]>; Wed, 11 Mar 2012 11:34:18 +0100 (CET)

Received: from mail.example.org (mail.example.org [10.0.1.2]) by mail2.example.org with ESMTP id C9HImFdPfk4ogziO for <[email protected]>; Mon, 12 Mar 2012 11:34:23 +0100 (CET)

Received: from webmail.example.org (localhost.localdomain [127.0.0.1]) by mail2.example.org (Postfix) with ESMTPA id AD79E54E50 for <[email protected]>; Mon, 12 Mar 2012 10:48:47 +0100 (CET)

In these examples ESMTPS marks a hop that came in over TLS (from Google), ESMTP an internal relay hop made in clear, and ESMTPA an authenticated webmail submission. Only the Received: lines written by servers you control can be trusted; the ones added by earlier hops are just text and can be forged.
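To make the check above mechanical, here is an added example (not code from the slides) that parses Received: lines and decodes the RFC 3848 keyword of each hop. The three headers it runs on are a constructed sample adapted from the slide, with user@example.org in place of the elided addresses and the lost "by" restored on the third hop; the function names are my own.

```python
import ipaddress
import re

# Constructed sample, adapted from the three Received: lines on the slide: the elided
# addresses become user@example.org and the third hop gets back the "by" it had lost.
SAMPLE_HEADERS = """\
Received: from mail-ob0-f169.google.com (mail-ob0-f169.google.com [209.85.214.169])
\tby mail.example.org (Postfix) with ESMTPS id 13F636C003
\tfor <user@example.org>; Mon, 12 Mar 2012 11:34:18 +0100 (CET)
Received: from mail.example.org (mail.example.org [10.0.1.2])
\tby mail2.example.org with ESMTP id C9HImFdPfk4ogziO
\tfor <user@example.org>; Mon, 12 Mar 2012 11:34:23 +0100 (CET)
Received: from webmail.example.org (localhost.localdomain [127.0.0.1])
\tby mail2.example.org (Postfix) with ESMTPA id AD79E54E50
\tfor <user@example.org>; Mon, 12 Mar 2012 10:48:47 +0100 (CET)
"""

HOP_RE = re.compile(
    r"^Received:\s*(?:from\s+(?P<frm>\S+)\s+)?.*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Za-z0-9]+)",
    re.IGNORECASE,
)


def classify(keyword):
    """Decode an RFC 3848 'with' keyword into base protocol, TLS used, authenticated."""
    kw = keyword.upper()
    for base in ("ESMTP", "LMTP", "SMTP"):
        suffix = kw[len(base):]
        if kw.startswith(base) and suffix in ("", "S", "A", "SA"):
            return {"protocol": base, "tls": "S" in suffix, "auth": "A" in suffix}
    # anything else (HTTP from a webmail front end, local injection, unknown keywords)
    return {"protocol": kw, "tls": False, "auth": False}


def hops(headers):
    """Parse every Received: line, most recent hop first, into from/by/ip plus protocol flags."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)   # join continuation lines
    result = []
    for line in unfolded.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ip_m = re.search(r"\[([0-9A-Fa-f.:]+)\]", line)  # client address the receiver saw
        hop = {"from": m.group("frm"), "by": m.group("by"), "with": m.group("with"),
               "ip": ip_m.group(1) if ip_m else None}
        hop.update(classify(hop["with"]))
        result.append(hop)
    return result


def cleartext_hops(headers):
    """Hops that crossed the network without TLS; loopback submissions are not counted."""
    flagged = []
    for hop in hops(headers):
        loopback = hop["ip"] is not None and ipaddress.ip_address(hop["ip"]).is_loopback
        if not hop["tls"] and not loopback:
            flagged.append(hop)
    return flagged


if __name__ == "__main__":
    for hop in hops(SAMPLE_HEADERS):
        print(hop["from"], "->", hop["by"], hop["with"], "tls:", hop["tls"], "auth:", hop["auth"])
    print("clear-text hops:", [h["from"] for h in cleartext_hops(SAMPLE_HEADERS)])
```

On the sample the only flagged hop is the internal relay from 10.0.1.2; whether an internal clear-text hop is acceptable is a policy decision, which is why the function reports it rather than hiding private ranges.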


SPF version 1

SPF = Sender Policy Framework, RFC 4408 (April 2006)

It works at the RFC 2821 (SMTP) layer and protects the envelope sender address, the one that appears in the initial SMTP exchange (the HELO/EHLO name can be checked as well):

HELO itsme.org
MAIL FROM: <..>
RCPT TO: <..>
DATA

These commands form the SMTP envelope.


SMTP protocol – RFC 2821, April 2001

$ dig mx gmail.com
;; QUESTION SECTION:
;gmail.com. IN MX
;; ANSWER SECTION:
gmail.com. 3599 IN MX 5 gmail-smtp-in.l.google.com.

$ telnet gmail-smtp-in.l.google.com smtp
220 mx.google.com ESMTP de8si19058389wib.80
EHLO sissa.it
250-mx.google.com at your service, [10.0.1.2]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
MAIL FROM: <[email protected]>
250 2.1.0 OK jo3si35141161wjc.166 - gsmtp
RCPT TO: <[email protected]>
250 2.1.5 OK jo3si35141161wjc.166 - gsmtp
DATA
354 Go ahead jo3si35141161wjc.166 - gsmtp
From: [email protected]
To: [email protected]
Subject: check

Checking address
2 times
.

Envelope = EHLO, MAIL FROM, RCPT TO; Header = the lines after DATA up to the first blank line (From:, To:, Subject:); Body = everything after that blank line, terminated by a lone ".". Nothing in the protocol ties the header From: to the envelope MAIL FROM: both are simply typed by the client.


Envelope/Header

[Figure: SMTP envelope (HELO, MAIL FROM, RCPT TO) versus message header (From:, To:)]


Identities in email

Envelope identities:
● HELO/EHLO identity in the envelope
● MAIL FROM: identity in the envelope
● RCPT TO: identity in the envelope

Header identities:
● From: identity in the header
● To: identity in the header


Mail RFCs

● RFC 2821, April 2001: Simple Mail Transfer Protocol (SMTP), obsoletes RFC 821; itself obsoleted by RFC 5321 (October 2008, Draft Standard)
● RFC 2822, April 2001: Internet Message Format (IMF), obsoletes RFC 822; itself obsoleted by RFC 5322 (October 2008, Draft Standard)


Sender addresses

● Envelope sender (RFC 2821): in the HELO and MAIL FROM: SMTP lines; usually stored by the final receiver in the Return-Path: header; used to send back errors (bounces); usually not displayed by MUAs (mail user agents)
● Header sender (RFC 2822): in the From: or Sender: mail headers; displayed by the MUA; usually ignored by MTAs


What does SPF do?

A kind of reverse MX ...

It allows the owner of a domain to specify which mail servers are allowed to send mail on behalf of the domain.

The domain owner publishes a record in DNS listing the mail servers authorized to send mail for the domain.

When a mail server receives a message whose envelope sender claims that domain, it looks up the SPF record for the domain and checks whether the message came through one of the allowed servers. Note what is checked: the envelope MAIL FROM (and HELO), not the From: header the user sees; tying the two together is DMARC's job.


Proposed SPF for SISSA

sissa.it. 300 IN TXT "v=spf1 redirect=_spf.sissa.it"
_spf.sissa.it. 300 IN TXT "v=spf1 include:_netblock.sissa.it include:_netblock1.sissa.it"
_netblock.sissa.it. 300 IN TXT "v=spf1 ...
_netblock1.sissa.it. 300 IN TXT "v=spf1 ...

Syntax note: redirect is a modifier and takes "=", while include is a mechanism and takes ":" (include=... is a syntax error). Each redirect and include costs one of the 10 DNS-querying terms RFC 4408 allows per evaluation, and exceeding the limit yields permerror, so keep the chain short.


SPF results

● none = no SPF record published
● neutral = the domain does not want to make a statement (?)
● pass = the client is allowed to inject mail for the domain (+)
● fail = the client is explicitly forbidden to inject mail for the domain (-)
● softfail = between pass and fail (~); often the receiver quarantines

RFC 4408 also defines temperror (transient DNS failure) and permerror (broken record, e.g. a syntax error or too many DNS lookups).


SPF check headers

Received-SPF: pass (google.com: domain of [email protected] designates 147.122.1.105 as permitted sender) client-ip=147.122.1.105;

Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 147.122.1.105 as permitted sender) [email protected]

Received-SPF: pass (domain of gmail.com designates 209.85.214.176 as permitted sender)

Authentication-Results: mta1071.mail.ir2.yahoo.com from=gmail.com; domainkeys=neutral (no sig); from=gmail.com; dkim=pass (ok)

Received-SPF: none (google.com: [email protected] does not designate permitted sender hosts) client-ip=98.138.121.67;

Authentication-Results: mx.google.com; spf=none (google.com: [email protected] does not designate permitted sender hosts) [email protected];

Received-SPF: pass (domain of hotmail.com designates 157.55.1.161 as permitted sender)


SPF algorithm

●  Look up the SPF record of the envelope (MAIL FROM) domain:
   dig txt sissa.it
   – sissa.it TXT "v=spf1 ip4:147.122.1.0/24 ip6:..... ~mx -all"
   (the ip4 mechanism needs all four octets: ip4:147.122.1/24 is a syntax error and gives permerror)
●  Evaluate the mechanisms left to right and stop at the first one that matches; the qualifier in front of it is the result, and a missing qualifier means "+" (pass):
   ● Is the client in ip4:147.122.1.0/24? Then pass and exit.
   ● Is the client in ip6:.....? Then pass and exit.
   ● Is the client one of the domain's MX hosts? Then softfail (~) and exit.
   ● "all" is matched by everything: -all gives fail, so reject it and exit.
●  If no mechanism matches (a record without an "all" term) the result is neutral.


SPF (example record)

$ dig txt unipd.it
unipd.it. 259200 IN TXT "v=spf1 ip4:147.162.10.68 ip4:147.162.10.81 ip4:147.162.10.82 ip4:147.162.10.83 a:mail.unipd.it ?all"

● Is it ip4:147.162.10.68? pass
● Is it ip4:147.162.10.81? pass
● Is it ip4:147.162.10.82? pass
● Is it ip4:147.162.10.83? pass
● Is it the address of mail.unipd.it (IN A 147.162.10.68)? pass
● Anything else matches ?all: neutral. Terribly wrong! A record ending in ?all authorizes the domain's own servers but says nothing about everybody else, so a forger gets the same neutral result as any legitimate third-party sender; end the record with -all (or ~all while rolling out).
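The two slides above (the algorithm and the unipd.it record) can be run through an implementation of RFC 4408 check_host(). This is an added example, not the author's code: DNS is replaced by a constructed stub zone (the unipd.it TXT is the one quoted above; the sissa.it chain follows the proposed SISSA layout with made-up netblocks and hosts; bad.example carries the missing-octet mistake), and only the mechanisms the slides use (ip4, ip6, a, mx, include, all) plus the redirect modifier are implemented.

```python
import ipaddress

# Constructed stub zone standing in for DNS.  The unipd.it TXT is the record quoted on the
# slide; the sissa.it chain follows the "proposed SPF for SISSA" layout with made-up
# netblocks and hosts; bad.example carries the truncated-octet mistake from the algorithm slide.
STUB_DNS = {
    ("unipd.it", "TXT"): ["v=spf1 ip4:147.162.10.68 ip4:147.162.10.81 ip4:147.162.10.82 "
                          "ip4:147.162.10.83 a:mail.unipd.it ?all"],
    ("mail.unipd.it", "A"): ["147.162.10.68"],
    ("sissa.it", "TXT"): ["v=spf1 redirect=_spf.sissa.it"],
    # inside a redirect target a bare "mx" would query the MX of _spf.sissa.it, so name it
    ("_spf.sissa.it", "TXT"): ["v=spf1 include:_netblock.sissa.it ~mx:sissa.it -all"],
    ("_netblock.sissa.it", "TXT"): ["v=spf1 ip4:147.122.1.0/24 -all"],
    ("sissa.it", "MX"): ["smtp.sissa.it"],
    ("smtp.sissa.it", "A"): ["147.122.2.10"],
    ("bad.example", "TXT"): ["v=spf1 ip4:147.122.1/24 -all"],
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_TERM_LIMIT = 10   # RFC 4408 4.6.4: at most 10 include/a/mx/ptr/exists/redirect per check


def dns(name, rtype):
    return STUB_DNS.get((name.lower().rstrip("."), rtype), [])


def check_host(ip, domain, _budget=None):
    """RFC 4408 check_host(): SPF result for client <ip> sending MAIL FROM @<domain>."""
    budget = [DNS_TERM_LIMIT] if _budget is None else _budget   # shared across recursion
    records = [t for t in dns(domain, "TXT") if t.split()[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"                       # two SPF records is a publishing error
    client = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term:                          # modifier (redirect=, exp=), not a mechanism
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qual = "+"                               # default qualifier is pass
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
        try:
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = client in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                matched = str(client) in dns(arg or domain, "A")
            elif mech == "mx":
                matched = any(str(client) in dns(mx, "A") for mx in dns(arg or domain, "MX"))
            elif mech == "include":
                matched = check_host(ip, arg, budget) == "pass"
            else:
                return "permerror"               # ptr/exists/macros not implemented here
        except ValueError:
            return "permerror"                   # e.g. ip4:147.122.1/24 (missing octet)
        if matched:
            return QUALIFIER[qual]               # first match wins
    if redirect is not None:                     # only reached when nothing matched
        budget[0] -= 1
        return "permerror" if budget[0] < 0 else check_host(ip, redirect, budget)
    return "neutral"                             # fell off the end without an "all" term


if __name__ == "__main__":
    for ip, domain in [("147.162.10.68", "unipd.it"), ("203.0.113.5", "unipd.it"),
                       ("147.122.1.105", "sissa.it"), ("147.122.2.10", "sissa.it"),
                       ("203.0.113.5", "sissa.it"), ("203.0.113.5", "bad.example")]:
        print(ip, domain, "->", check_host(ip, domain))
```

Run as written it reproduces the slides: a stranger sending as unipd.it gets neutral because of ?all, while the sissa.it chain gives pass for the netblock, softfail for the MX host and fail for everyone else.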


SPF versus Sender ID

● Sender ID (RFC 4406, experimental) is Microsoft's variant of SPF
● It validates a header sender address (the PRA, "purported responsible address", derived from Resent-Sender:, Resent-From:, Sender: or From:)
● Very few use it now
● The problem is that Microsoft's implementation falls back to spfv1 records, which were written for the envelope sender, whenever no spf2.0 record exists, and will not fix it
● That use of spfv1 records for the PRA is not sanctioned by the SPF specification (RFC 4408 applies them to MAIL FROM and HELO only), so forwarded and mailing-list mail can fail Sender ID even when SPF passes


DKIM

● DomainKeys was first introduced by Yahoo in a private agreement with PayPal and eBay, and was published as (historical) RFC 4870 in 2007
● DKIM took the main concepts from the Yahoo proposal, incorporated some Cisco ideas (Identified Internet Mail) and appeared as RFC 4871 in the same year; the current version is RFC 6376, September 2011


DKIM key rotation best practice/1

● DKIM lets a receiver verify that the signed parts of a message (the listed headers and the body hash) were not modified in transit and that the domain in d= took responsibility for the message; it says nothing about whether the content is legitimate
● It is clear why keys should be rotated: to limit the damage when a private key is
  - compromised by factoring it (cracking)
  - stolen from the signing host


DKIM key rotation best practice/2

● In 2012 a mathematician reported in Wired that it took him 72 hours and 70 $ of Amazon Web Services time to factor a 512-bit DKIM key
● 768-bit keys are within reach of a well-funded effort (a 768-bit RSA modulus was factored in 2009)
● 1024 bits was the recommended length at the time of this talk; RFC 8301 (2018) now makes 1024 the minimum a verifier must accept
● 2048 bits is the recommended length today and is considered out of reach of present computing resources


DKIM key rotation best practice/3

[Diagram: rotation cycle]
Start here: generate 2 pairs of DKIM keys; publish public keys 1 and 2 in DNS; sign emails with private key 1.
After 3 months: generate key pair 3; publish public key 3 in DNS; sign emails with private key 2.
3 months later, n = 4: generate key pair n; publish public key n in DNS; sign emails with private key n-1; retire public key n-3; n = n+1 and repeat.

Publishing the next public key one period ahead means DNS caches already hold it when signing switches to it, and keeping the previous one published for another period means mail still in transit (or re-verified later) still validates.


DKIM keys generation

● It is possible to simply use openssl to generate the keys
● But opendkim makes it simpler:

$ opendkim-genkey --append-domain --selector=20120316 --domain=sissa.it --bits=1024 --verbose
opendkim-genkey: generating private key
opendkim-genkey: private key written to 20120316.private
opendkim-genkey: extracting public key
opendkim-genkey: DNS TXT record written to 20120316.txt

$ cat 20120316.txt
20120316._domainkey.sissa.it. IN TXT ( "v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHy9jQ+5ZIN0p3KEw9NQ6PQOnMTXLZGQxwtfVWjQlJO/BYjIktlrYx2ZbwnN3kl2Ely5cPdMWr5mhlM7UwyP74NDHV4DjigE7KIJ0sF2F4rJIMgVPQQu/Vz078zsZFldaci6WgHeByJtdDEM0L7iSeQhGd5hHbmHM5Oyv2YcT9cwIDAQAB" ) ; ----- DKIM key 20120316 for sissa.it

$ cat 20120316.private
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDHy9jQ+5ZIN0p3KEw9NQ6PQOnMTXLZGQxwtfVWjQlJO/BYjIkt
lrYx2ZbwnN3kl2Ely5cPdMWr5mhlM7UwyP74NDHV4DjigE7KIJ0sF2F4rJIMgVPQ
….
-----END RSA PRIVATE KEY-----

● The selector (here a date, 20120316) is what the signature's s= tag will name; the public key is looked up at <selector>._domainkey.<domain>
● Use --bits=2048 today; 1024 is only the minimum still accepted. Keep the .private file readable by the opendkim user alone, and never publish or commit it
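As an added check (not part of the slides), the TXT record above can be parsed and the modulus length of the published key measured, which is how you would audit DKIM selectors against the key-length advice on the earlier slide. The record string is copied from the slide; the DER walker and the verdict thresholds are mine, with RFC 8301 (1024 minimum, 2048 recommended) as the yardstick.

```python
import base64
import re

# The TXT record that opendkim-genkey wrote on the slide (selector 20120316, sissa.it),
# copied verbatim.
SLIDE_TXT_RECORD = (
    '20120316._domainkey.sissa.it. IN TXT ( "v=DKIM1; k=rsa; " '
    '"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHy9jQ+5ZIN0p3KEw9NQ6PQOnMTXLZGQxwtfVWjQlJO/BYjIktlrYx2ZbwnN3kl2Ely5cPdMWr5mhlM7UwyP74NDHV4DjigE7KIJ0sF2F4rJIMgVPQQu/Vz078zsZFldaci6WgHeByJtdDEM0L7iSeQhGd5hHbmHM5Oyv2YcT9cwIDAQAB" ) '
    '; ----- DKIM key 20120316 for sissa.it'
)


def parse_dkim_txt(zone_line):
    """Join the quoted TXT strings (DNS splits long records) and split the DKIM tag list."""
    text = "".join(re.findall(r'"([^"]*)"', zone_line))
    tags = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)   # p= may carry spaces/newlines
    return tags


def _der(buf, pos=0):
    """Minimal DER reader: (tag, contents, position after the element); handles long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a SubjectPublicKeyInfo (what p= carries)."""
    tag, spki, _ = _der(spki_der)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    _, _, pos = _der(spki)                  # AlgorithmIdentifier (rsaEncryption), skipped
    tag, bitstring, _ = _der(spki, pos)     # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = _der(bitstring[1:])     # drop the unused-bits byte; RSAPublicKey SEQUENCE
    tag, modulus, _ = _der(rsa_pub)         # INTEGER n is the first element
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def assess_dkim_key(zone_line):
    """Parse a DKIM key record and grade its RSA modulus (RFC 8301: 1024 minimum, 2048 recommended)."""
    tags = parse_dkim_txt(zone_line)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return {"bits": None, "verdict": "unsupported", "tags": tags}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < 1024:
        verdict = "weak"          # rented cloud time factors these, as the 512-bit case showed
    elif bits < 2048:
        verdict = "minimum"       # verifiers must still accept it; plan the rotation to 2048
    else:
        verdict = "recommended"
    return {"bits": bits, "verdict": verdict, "tags": tags}


if __name__ == "__main__":
    print(assess_dkim_key(SLIDE_TXT_RECORD))
```

The slide's key comes out at 1024 bits, i.e. exactly the floor; a real audit would feed the function the output of a TXT query for every selector still published, including the retired ones that the rotation cycle is supposed to remove.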


DKIM testing keys

● Add the public key TXT record to DNS, then:
  opendkim-testkey -d example.org -s 20121001 -k 20121001.private -vvv
  This checks that the private key file and the public key published at 20121001._domainkey.example.org are a matching pair (and complains if the record is missing or unreadable).


DKIM configuration

● Set a signature expiration? (x= tag)
● Which canonicalization?
  ● relaxed = tolerates minor changes such as whitespace changes and header name case
  ● simple = strict: any change breaks the signature
● Select a rendez-vous socket (where the milter listens for the MTA)


DKIM /etc/opendkim.conf

AlwaysSignHeaders Subject
AutoRestart True
Background True
Canonicalization relaxed/relaxed
Diagnostics Yes
Domain sissa.it
KeyFile /etc/mail/dkim/20130315.pem
InternalHosts /etc/mail/dkim/internal
LogWhy true
Mode sv
Selector 20121001
SignatureAlgorithm rsa-sha256
Socket inet:8891@localhost
Syslog Yes
Statistics /var/log/dkim-filter/dkim-statistics
ClockDrift 300
DiagnosticDirectory /var/log/dkim/dkim-diagnostics
DNSTimeout 10

● This conf is for signing a single domain with one key (the slide had "rsa-sha1024", which is not a valid value: the choices are rsa-sha1 and rsa-sha256, and sha1 is no longer acceptable per RFC 8301)
● Selector and KeyFile must refer to the same key pair (here the names disagree: selector 20121001, key file 20130315.pem)
● Signing multiple domains with multiple keys is supported (KeyTable/SigningTable)
● Mode sv = signer and verifier
● InternalHosts lists the hosts whose mail is signed rather than verified; add "OversignHeaders From" so that a second From: cannot be appended after signing


DKIM postfix conf

Add to /etc/postfix/main.cf:

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

If you already use another milter, list them all:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8893
non_smtpd_milters = inet:localhost:8891,inet:localhost:8893

● milter_default_action = accept means mail goes out unsigned (and comes in unverified) whenever opendkim is down; tempfail is the safer choice once the setup is stable
● non_smtpd_milters covers mail submitted locally (sendmail/pickup), which is how cron output and scripts enter the queue
● milter_protocol 6 is the default in current Postfix releases


/etc/default/opendkim


DMARC

● DMARC = Domain-based Message Authentication, Reporting and Conformance
● = a policy published as a DNS TXT record at _dmarc.<domain>
● = built on SPF + DKIM
● = reports are sent back to the sending domain

First used between PayPal and Yahoo in pre-standard form in 2007; offered by ISPs from 2009; draft specification published in 2012; RFC 7489 (Informational) in March 2015.


DMARC: aligned/unaligned mail

DMARC tests and enforces identifier alignment:
1) check SPF and DKIM
2) check DMARC identifier alignment
3) act on unaligned identifiers

[Diagram: mail from the Internet is checked; aligned mail goes to mail storage, unaligned mail is handled per policy and logged; the aggregate log feeds the aggregate reports and the failure reports sent back to the domain owner]


DMARC identifier alignment

One of the two authenticated originator identifiers (the SPF MAIL FROM domain or the DKIM d= domain) has to match the domain of the header "From:", the one the MUA displays.

There are two kinds of alignment: strict and relaxed.

Strict means the two domains must match exactly (the comparison is case-insensitive).

Relaxed:
- relaxed SPF: the organizational domain of the SMTP "MAIL FROM:" must match the organizational domain of the header "From:" (see next slide)
- relaxed DKIM: the organizational domain of the DKIM "d=" domain must match the organizational domain of the header "From:"

NB: if the SPF check did not pass, the SPF identifier is of course unaligned a priori; likewise a DKIM signature that fails to verify counts for nothing, whatever its d=. DMARC passes if at least one of the two identifiers is both authenticated and aligned.


DMARC organizational domain

The domain actually registered with a registrar, under which anyone could have registered a name: one label plus the public suffix (TLD or registry-controlled suffix).

E.g.:
news.google.com → google.com
www.amazon.co.uk → amazon.co.uk
www.regione.campania.it → regione.campania.it

The public suffix list at http://www.publicsuffix.org decides where the suffix ends (co.uk and campania.it are suffixes, so one more label is needed).


DMARC strict alignment (example message)

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from charon-02.sissa.it (charon-02.sissa.it [147.122.1.105])
  by smtp.sissa.it (Postfix) with ESMTP id BEAF9D08065
  for <[email protected]>; Mon, 12 Mar 2012 11:34:23 +0100 (CET)
Received: from hermes-02.sissa.it (hermes-02.sissa.it [147.122.1.102])
  by charon-02.sissa.it with ESMTP id C9HImFdPfk4ogziO for <[email protected]>;
  Mon, 12 Mar 2012 11:34:23 +0100 (CET)
Received: from mail-ob0-f169.google.com (mail-ob0-f169.google.com [209.85.214.169])
  by hermes-02.sissa.it (Postfix) with ESMTPS id F3F636C003
  for <[email protected]>; Mon, 12 Mar 2012 11:34:18 +0100 (CET)
Received: by obcva8 with SMTP id va8so7836910obc.8
  for <[email protected]>; Mon, 12 Mar 2012 03:34:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=gmail.com; s=20120113;
  h=mime-version:date:message-id:subject:from:to:content-type;
  bh=1HsA0bCF354+0pj/N8P9EvjDk+8XAXJZBZOa7CLpBZc=;
  b=feCQAtWRiaarWlH3KAUivMzje4bRw2RUOuuxaWXO8wj+wEC7nGkanNNq9XaeYxgMvM
  3BpuPh8jYO/pS2AIqkIKtNjgV2DhQ6ku8hwp56GYajs4O8twyLgKNwnu1BydHGYjL3zx
  EvMYbhZvTItSqndCEt9gFGO2V7vdsQK/7sEVIaTc+cytQCfhUbNQ2U9iuVO5iDHYpBLF
  /EqMwfV1ECV0Jh/JdBhB0ZFZAL2q5ObxNiFLQOM47yVsQzIE5lyShDDMlgULsiv86UR5
  uOZx6ZZ68iwQttYMoY85w2LwQImuRXiuV6daKaR7XQ110bCNCmHI1Al4OooCrVxUbz9i
  6Lyg==
MIME-Version: 1.0
Received: by 10.202.226.136 with HTTP; Mon, 12 Mar 2012 03:34:17 -0700 (PDT)
Date: Mon, 12 Mar 2012 11:34:17 +0100
Message-ID: <CAPhLB8ZUFcYRshzme4T55Km8cQ3O36m8FxDYK7xKyOXEw3ZfUw@mail.gmail.com>
Subject: check tls
From: Roberto Innocente <[email protected]>
To: [email protected]
Content-Type: multipart/alternative; boundary=001a11c2e558341654051100cf4a

SPF alignment (strict): MAIL FROM domain gmail.com with From: domain gmail.com
DKIM alignment (strict): DKIM d= domain gmail.com with From: domain gmail.com


DMARC relaxed alignment (example message)

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from charon-02.sissa.it (charon-02.sissa.it [147.122.1.105])
  by smtp.sissa.it (Postfix) with ESMTP id BEAF9D08065
  for <[email protected]>; Mon, 12 Mar 2012 11:34:23 +0100 (CET)
Received: from hermes-02.sissa.it (hermes-02.sissa.it [147.122.1.102])
  by charon-02.sissa.it with ESMTP id C9HImFdPfk4ogziO for <[email protected]>;
  Mon, 12 Mar 2012 11:34:23 +0100 (CET)
Received: from mail-ob0-f169.google.com (mail-ob0-f169.google.com [209.85.214.169])
  by hermes-02.sissa.it (Postfix) with ESMTPS id F3F636C003
  for <[email protected]>; Mon, 12 Mar 2012 11:34:18 +0100 (CET)
Received: by obcva8 with SMTP id va8so7836910obc.8
  for <[email protected]>; Mon, 12 Mar 2012 03:34:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=bounce.gmail.com; s=20120113;
  h=mime-version:date:message-id:subject:from:to:content-type;
  bh=1HsA0bCF354+0pj/N8P9EvjDk+8XAXJZBZOa7CLpBZc=;
  b=feCQAtWRiaarWlH3KAUivMzje4bRw2RUOuuxaWXO8wj+wEC7nGkanNNq9XaeYxgMvM
  3BpuPh8jYO/pS2AIqkIKtNjgV2DhQ6ku8hwp56GYajs4O8twyLgKNwnu1BydHGYjL3zx
  EvMYbhZvTItSqndCEt9gFGO2V7vdsQK/7sEVIaTc+cytQCfhUbNQ2U9iuVO5iDHYpBLF
  /EqMwfV1ECV0Jh/JdBhB0ZFZAL2q5ObxNiFLQOM47yVsQzIE5lyShDDMlgULsiv86UR5
  uOZx6ZZ68iwQttYMoY85w2LwQImuRXiuV6daKaR7XQ110bCNCmHI1Al4OooCrVxUbz9i
  6Lyg==
MIME-Version: 1.0
Received: by 10.202.226.136 with HTTP; Mon, 12 Mar 2012 03:34:17 -0700 (PDT)
Date: Mon, 12 Mar 2012 11:34:17 +0100
Message-ID: <CAPhLB8ZUFcYRshzme4T55Km8cQ3O36m8FxDYK7xKyOXEw3ZfUw@mail.gmail.com>
Subject: check tls
From: Roberto Innocente <[email protected]>
To: [email protected]
Content-Type: multipart/alternative; boundary=001a11c2e558341654051100cf4a

SPF alignment (relaxed): MAIL FROM organizational domain gmail.com with From: organizational domain gmail.com
DKIM alignment (relaxed): DKIM d= bounce.gmail.com, organizational domain gmail.com, with From: organizational domain gmail.com
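Added example (not from the slides) that applies the strict and relaxed alignment rules to a message like the one above: it derives the organizational domain from a constructed public-suffix subset standing in for publicsuffix.org, takes MAIL FROM from Return-Path:, the DKIM domain from d= and the header domain from From:. The message is constructed after the relaxed slide, with placeholder addresses and truncated signature values, and the SPF/DKIM verification outcomes are passed in rather than computed.

```python
import re

# Constructed stand-in for the public suffix list (https://publicsuffix.org); the real list
# has thousands of entries plus wildcard/exception rules that this subset does not model.
PUBLIC_SUFFIXES = {"com", "it", "uk", "co.uk", "campania.it"}


def organizational_domain(domain):
    """Longest public suffix that matches, plus one more label (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])   # unknown suffix: fall back to the last two labels


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def _headers(message):
    """Unfold the header block and return (name, value) pairs; stops at the blank line."""
    head = re.sub(r"\r?\n[ \t]+", " ", message.split("\n\n", 1)[0])
    pairs = []
    for line in head.splitlines():
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def _domain_of(address):
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1) if m else None


def dmarc_evaluate(message, spf_result, dkim_verified, aspf="r", adkim="r"):
    """DMARC alignment for one message given the SPF result and whether DKIM verified.
    MAIL FROM is read from Return-Path:, the signing domain from d= in DKIM-Signature:."""
    hdrs = _headers(message)
    from_domain = next(_domain_of(v) for n, v in hdrs if n == "from")
    mail_from = next((_domain_of(v) for n, v in hdrs if n == "return-path"), None)
    dkim_domains = [m.group(1) for n, v in hdrs if n == "dkim-signature"
                    for m in [re.search(r"(?:^|;)\s*d=([^;\s]+)", v)] if m]
    spf_aligned = (spf_result == "pass" and mail_from is not None
                   and aligned(mail_from, from_domain, aspf))
    dkim_aligned = dkim_verified and any(aligned(d, from_domain, adkim) for d in dkim_domains)
    return {"from": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": spf_aligned or dkim_aligned}


# Constructed message modelled on the slide's relaxed example: a bounce subdomain in both
# the envelope sender and the DKIM d=, while From: shows the bare organizational domain.
# Signature values are truncated placeholders, not a verifiable signature.
RELAXED_MESSAGE = """\
Return-Path: <sender@bounce.gmail.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bounce.gmail.com; s=20120113;
\th=mime-version:date:message-id:subject:from:to:content-type; bh=1HsA0b...; b=feCQAt...
From: Roberto Innocente <sender@gmail.com>
To: someone@example.org
Subject: check tls

body
"""

if __name__ == "__main__":
    print("relaxed:", dmarc_evaluate(RELAXED_MESSAGE, "pass", True))
    print("strict: ", dmarc_evaluate(RELAXED_MESSAGE, "pass", True, aspf="s", adkim="s"))
```

The same message passes under relaxed alignment and fails under strict, which is exactly the difference between the two slides; a third run with spf_result="fail" shows the NB above in action, since DMARC still passes on the DKIM leg alone.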


DMARC policies

● Reject (not delivered at all): p=reject
● Quarantine (message not delivered to the inbox, e.g. sent to the spam folder): p=quarantine
● None (message disposition is unchanged, monitoring only): p=none

pct= gives the percentage of messages failing DMARC validation to which the policy is applied; the rest fall through to the next less strict policy:

p=reject; pct=40  →  40% of the emails failing DMARC are rejected, the other 60% are just quarantined and not rejected


DMARC tags (attribute/value pairs)

attribute   description                            use
v=          version                                v=DMARC1 (must be the first tag)
p=          policy                                 p=none, p=quarantine, p=reject
adkim=      alignment mode for DKIM                adkim=s, adkim=r (default r)
aspf=       alignment mode for SPF                 aspf=s, aspf=r (default r)
rua=        aggregate report destination           rua=mailto:[email protected]
ruf=        failure report destination             ruf=mailto:[email protected]
sp=         policy for subdomains                  sp=none, sp=quarantine, sp=reject (defaults to p)
rf=         failure reporting format               rf=afrf
pct=        percentage of msgs subject to policy   pct=100, pct=10 (default 100)


DMARC reports

● There are two kinds:
  ● Aggregate reports (usually transmitted daily by correspondent mailers, as XML): rua=mailto:[email protected]
  ● Failure reports, transmitted for each failed message validation: ruf=mailto:[email protected]
● ruf can create a lot of traffic, and the reports carry message content, so it should be enabled only after having studied the aggregate reports and the causes of failures; many large receivers do not send failure reports at all


DMARC first record and on

Publish the record as TXT at _dmarc.<domain> and tighten it in steps. First toe in the water, monitoring only:

v=DMARC1; p=none; rua=mailto:[email protected]

Then enforce on a sample, once the aggregate reports show every legitimate source aligned:

v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected];ruf=mailto:[email protected];

Finally full enforcement:

v=DMARC1; p=reject; pct=100; rua=mailto:[email protected];ruf=mailto:[email protected];
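Added example (not from the slides) that parses the three rollout records above with the RFC 7489 defaults and applies the pct sampling described on the policies slide. Report addresses are placeholders and the sample value is passed in as an argument, so the sampling is deterministic and can be checked.

```python
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc_record(txt):
    """Parse a _dmarc TXT record into a tag dict, filling in the RFC 7489 defaults.
    Returns None when the record is not a usable DMARC1 policy record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or not parts[0].replace(" ", "").startswith("v=DMARC1"):
        return None                                    # v= must come first
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None                                    # no valid p= means no policy
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])                   # subdomains inherit p= by default
    tags.setdefault("rf", "afrf")
    tags["pct"] = int(tags.get("pct", "100"))
    for uri_tag in ("rua", "ruf"):                     # comma-separated list of mailto: URIs
        tags[uri_tag] = [u.strip() for u in tags[uri_tag].split(",")] if uri_tag in tags else []
    return tags


def disposition(tags, dmarc_passed, roll, subdomain=False):
    """Receiver-side action for one message.  `roll` is a sample in [0, 100): messages whose
    roll falls under pct get the published policy, the others the next less strict one."""
    if dmarc_passed:
        return "none"
    policy = tags["sp"] if subdomain else tags["p"]
    if roll < tags["pct"]:
        return policy
    return NEXT_LESS_STRICT[policy]


# The three records from the slide's rollout ladder, with placeholder report addresses.
ROLLOUT = [
    "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.org",
    "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-rua@example.org;ruf=mailto:dmarc-ruf@example.org;",
    "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-rua@example.org;ruf=mailto:dmarc-ruf@example.org;",
]

if __name__ == "__main__":
    for txt in ROLLOUT:
        tags = parse_dmarc_record(txt)
        print(tags["p"], tags["pct"], tags["rua"], tags["ruf"])
    sampled = parse_dmarc_record("v=DMARC1; p=reject; pct=40")
    print("pct=40, roll 39 ->", disposition(sampled, False, 39),
          "| roll 40 ->", disposition(sampled, False, 40))
```

In production the roll comes from a random source per message; the point of making it an argument is that the 40/60 split the policies slide describes becomes a testable boundary rather than a statistical observation.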


DMARC results

Received-SPF: none (google.com: [email protected] does not designate permitted sender hosts) client-ip=98.138.121.67;
Authentication-Results: mx.google.com;
  spf=none (google.com: [email protected] does not designate permitted sender hosts) [email protected];
  dkim=pass [email protected];
  dmarc=pass (p=NONE dis=NONE) header.from=yahoo.it

SPF gives none (no record for the MAIL FROM domain), but the DKIM signature verifies with d=yahoo.it, which is aligned with the header From: domain yahoo.it, so DMARC passes on the DKIM leg alone. p=NONE is the policy yahoo.it published; dis=NONE is the disposition applied.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.it; s=s2048; t=1426751596; bh=HWE0CuHc4MJcLSExRAPaY+xm5EglHD1ogTn8WNJKfQs=; h=Date:From:Reply-To:To:In-Reply-To:References:Subject:From:Subject; b=blILetG7T71DYiqE8LQQJqAG1+CyaDwki5XQrKcZHvVjUPrnq22R3fwbnlSWVwwMbBIOMUYJTmGOl5yOktsdh3VbE+U1WwG6Rlt1I2vUlPRDrNcHQx/siJL7M0jY299WG2BSDUj+S7B2yJL9spkI+VDMZyKeMQeChhDlKbH5xtYOweBrzsu3t54HcfYvDWR/mhPLmZdBpYLItdazgq6ynW6S+Ik+a49MJU5wiGfI6J68haFoh4MsERWmJIPn0D6Fv4s5/1MMgUFdwHRf2HoK29tLZl+9pe/N2NhmwQjIY6j8jFvWiNEvfXcy9P9G+n/Fej3rOQJ06taBJA6oovTPIg==