Published by Kenneth McKenzie. Modified over 9 years ago.
1
SIMPLE MAIL TRANSFER PROTOCOL SECURITY
Guided by: Prof. Richard Sinn
Bhavesh Jadav
Mayur Mulani
2
Introduction
Simple Mail Transfer Protocol (SMTP) is the standard e-mail protocol on the Internet and part of the TCP/IP protocol suite. SMTP defines the message format and the message transfer agent (MTA), which stores and forwards the mail. SMTP was originally designed for plain text (ASCII text) only, but MIME and other encoding methods enable executable programs and multimedia files to be attached to and transported with the e-mail message. SMTP is a relatively simple, text-based protocol, where one or more recipients of a message are specified and then the message text is transferred. SMTP uses TCP port 25.
3
Purpose
The primary purpose of SMTP is to transfer email between mail servers. However, it is critical for email clients as well. In order to send email, the client sends the message to an outgoing mail server, which in turn contacts the destination mail server for delivery. For this reason, it is necessary to specify an SMTP server when configuring an email client. One important point to make about the SMTP protocol is that it does not require authentication. This allows anyone on the Internet to send email to anyone else or even to large groups of people. It is this characteristic of SMTP that makes junk email or spam possible.
4
Basic Architecture
5
SMTP Model
6
Operation
When an SMTP client has a message to transmit, it establishes a two-way transmission channel to an SMTP server. The responsibility of an SMTP client is to transfer mail messages to one or more SMTP servers. Once the transmission channel is established and initial handshaking completed, the SMTP client normally initiates a mail transaction. Such a transaction consists of a series of commands to specify the originator and destination of the mail and transmission of the message content (including any headers or other structure) itself.
7
Operation (contd.)
The server responds to each command with a reply; replies may indicate that the command was accepted, that additional commands are expected, or that a temporary or permanent error condition exists. Once a given mail message has been transmitted, the client may either request that the connection be shut down or may initiate other mail transactions.
8
Basic Commands
SMTP defines a small required command set, with several optional commands included for convenience. The minimal set required for an SMTP sending client is:
  – HELO: Initial State Identification
  – MAIL: Mail Sender Reverse Path
  – RCPT: One Recipient's Forward Path
  – DATA: Mail Message Text State
  – RSET: Abort Transaction and Reset all buffers
  – NOOP: No Operation
  – QUIT: Commit Message and Close Channel
9
SMTP PROCEDURE
There are three steps in SMTP mail transactions.
  – The transaction is started with a MAIL command, which gives the sender identification. If accepted, the receiver-SMTP returns a 250 OK reply.
  – A series of one or more RCPT commands follows, giving the receiver information. If accepted, the receiver-SMTP returns a 250 OK reply and stores the forward-path. If the recipient is unknown, the receiver-SMTP returns a 550 Failure reply.
  – Then a DATA command gives the mail data. If accepted, the receiver-SMTP returns a 354 Intermediate reply and considers all succeeding lines to be the message text.
Finally, the end of mail data indicator confirms the transaction. When the end of text is received and stored, the SMTP-receiver sends a 250 OK reply.
10
Example of SMTP Procedure
This SMTP example shows mail sent by Smith at host Alpha.ARPA, to Jones, Green, and Brown at host Beta.ARPA.
S: MAIL FROM:<Smith@Alpha.ARPA>
R: 250 OK
S: RCPT TO:<Jones@Beta.ARPA>
R: 250 OK
S: RCPT TO:<Green@Beta.ARPA>
R: 550 No such user here
S: RCPT TO:<Brown@Beta.ARPA>
R: 250 OK
S: DATA
R: 354 Start mail input; end with <CRLF>.<CRLF>
S: Blah blah blah...
S: ...etc. etc. etc.
S: <CRLF>.<CRLF>
R: 250 OK
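The procedure above, seen from the receiver side, as an added example that is not part of the original slides: a toy receiver-SMTP that returns the 250/550/354 replies and rejects out-of-order commands with 503. The names KNOWN_USERS, ReceiverSMTP and run_session are constructed for this illustration; note that the MAIL FROM address is stored exactly as the client claims it.

```python
# Added illustration: a toy receiver-SMTP for the MAIL / RCPT / DATA procedure.
# KNOWN_USERS, ReceiverSMTP and run_session are constructed names.
KNOWN_USERS = {"jones@beta.arpa", "brown@beta.arpa"}

class ReceiverSMTP:
    def __init__(self):
        self.delivered = None          # (sender, recipients, body) of last mail
        self.reset()

    def reset(self):
        self.sender, self.rcpts, self.body, self.in_data = None, [], [], False

    def handle(self, line):
        """Return the reply to one client line, or None while reading mail data."""
        if self.in_data:
            if line == ".":            # end-of-mail-data indicator
                self.delivered = (self.sender, self.rcpts, self.body)
                self.reset()
                return "250 OK"
            # A leading dot on a data line was added by the sender (dot-stuffing).
            self.body.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(":")
        verb = verb.strip().upper()
        addr = (arg.split() or [""])[0].strip("<>").lower()
        if verb == "MAIL FROM":
            self.reset()
            self.sender = addr         # accepted as claimed: nothing verifies it
            return "250 OK"
        if verb == "RCPT TO":
            if self.sender is None:
                return "503 Bad sequence of commands"
            if addr not in KNOWN_USERS:
                return "550 No such user here"
            self.rcpts.append(addr)    # store the forward-path
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        return "500 Syntax error, command unrecognized"

def run_session(lines):
    """Feed client lines to a fresh receiver; return (replies, receiver)."""
    server = ReceiverSMTP()
    replies = [r for r in map(server.handle, lines) if r is not None]
    return replies, server
```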
11
SMTP Security
Internal Mail Server
  – Plain Text Message
  – Actual Time Delivery
Mail Access
  – POP/IMAP
  – HTTPS
12
SMTP Security Issues
No authentication
  – Spamming
  – Unauthorized use of relaying, DoS
All communication done in plaintext
  – Eavesdropping
  – Man-in-the-middle attacks
VRFY, EXPN commands
13
SMTP Security Issues
SMTP-AUTH:
  – An extension that adds access control to SMTP
  – A client may:
      indicate an authentication mechanism to the server
      perform an authentication protocol exchange
      optionally negotiate a security layer for subsequent protocol interactions
14
SMTP-AUTH
SMTP-AUTH:
  – Only legitimate users can relay mail
  – Does not guarantee authenticity of envelope header or message header
  – Spoofing is still possible
  – The receiver cannot tell if the sender was authenticated
15
SMTP-AUTH
Based on Simple Authentication and Security Layer (SASL, RFC 2222)
SASL uses plugins to define authentication mechanisms:
  – Plaintext password: PLAIN
  – Shared secret: CRAM-MD5, DIGEST-MD5
  – Kerberos: KERBEROS_V4, GSSAPI
16
SMTP-AUTH
S: 220 smtp.example.com ESMTP server ready
C: EHLO jgm.example.com
S: 250-smtp.example.com
S: 250 AUTH CRAM-MD5 DIGEST-MD5
C: AUTH FOOBAR
S: 504 Unrecognized authentication type.
C: AUTH CRAM-MD5
S: 334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=
C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==
S: 235 Authentication successful.
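What the two base64 lines in the CRAM-MD5 exchange above carry, as an added example that is not part of the original slides: the server sends a one-time challenge, and the client answers with its user name plus an HMAC-MD5 of that challenge keyed with the shared secret. The secret used in the slide's exchange is not given, so verification here runs against a constructed secret; the function names are assumptions of this illustration.

```python
import base64, hashlib, hmac, os, time

# Challenge and response copied from the exchange above (line-wrap spaces removed).
PAGE_CHALLENGE_B64 = "PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4="
PAGE_RESPONSE_B64 = "ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ=="

def new_challenge(host):
    """Server side: a fresh, unpredictable challenge for every AUTH attempt."""
    nonce = f"<{os.urandom(12).hex()}.{int(time.time())}@{host}>"
    return base64.b64encode(nonce.encode()).decode()

def decode_challenge(challenge_b64):
    return base64.b64decode(challenge_b64).decode()

def client_response(user, secret, challenge_b64):
    """Client side: HMAC-MD5 over the decoded challenge, keyed with the secret."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def parse_response(response_b64):
    """Split a decoded response into (user name, hex digest)."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    return user, digest

def verify(secrets, challenge_b64, response_b64):
    """Server side: recompute the digest for the claimed user and compare."""
    user, digest = parse_response(response_b64)
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = parse_response(client_response(user, secret, challenge_b64))[1]
    return hmac.compare_digest(expected, digest)   # constant-time comparison
```

The password never crosses the wire, but the server must keep the shared secret in a form it can key the HMAC with, and a response is only valid for the challenge it answered.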
17
SMTP-AUTH
The AUTH verb can also be applied to the MAIL FROM: verb
Allows trusted entities to communicate authentication of individual messages
AUTH=<> : not authenticated
  – C: MAIL FROM:<e=mc2@example.com> AUTH=e+3Dmc2@example.com
  – S: 250 OK
18
SMTP-AUTH
  – Spoofing is still a problem
  – Subject to man-in-the-middle attack
  – Does not provide user authentication, only delivery authentication
  – Subject to brute force attacks when username-password schemes are used
19
Secure SMTP over TLS
Private, authenticated communication between client and server
Defines a new verb, STARTTLS
  – Takes no parameters
  – Used to tell client that the server is TLS capable
  – Used to start a TLS handshake by client
20
Secure SMTP over TLS
Sample communication:
  – S:
  – C:
  – S: 220 mail.imc.org SMTP service ready
  – C: EHLO mail.ietf.org
  – S: 250-mail.imc.org offers a warm hug of welcome
  – S: 250 STARTTLS
  – C: STARTTLS
  – S: 220 Go ahead
  – C:
  – C & S:
  – C: ...
21
Secure SMTP over TLS
If security level is enough:
  – All info before handshake is discarded
  – Client should send an EHLO again: the server may report different services
Security considerations:
  – Not end-to-end
      SMTP is not end-to-end
      The entire chain has to be made secure
  – Does not indicate authentication for the receiving client
22
Secure SMTP over TLS
Decision on adequacy of security
  – Must be made locally
  – Implementation dependent
Susceptible to man-in-the-middle attack:
  – The STARTTLS response from server may be deleted by an eavesdropper
  – Client never knows that server is TLS capable
23
Secure SMTP over TLS
Solution to man-in-the-middle attack:
  – Client records if a server offers TLS
  – Generates a warning if it is not offered in later sessions
Cannot be used to authenticate author:
  – Every chain needs to be authenticated
  – Other mechanisms are used for this purpose: PGP, MIME, etc.
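One way a client could implement the "record and warn" check described above (an added example, not part of the original slides): parse each EHLO reply, remember per host whether STARTTLS was ever advertised, and flag a later session where the keyword has disappeared. The names parse_ehlo and TLSMemory and the three decision strings are assumptions of this illustration.

```python
# Added illustration: remember which servers offered STARTTLS and flag a
# later session in which the keyword is missing from the EHLO reply.
def parse_ehlo(reply_lines):
    """Return the set of ESMTP keywords from a multi-line 250 EHLO reply."""
    keywords = set()
    for index, line in enumerate(reply_lines):
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if index == 0:
            continue                      # first line is the server's greeting
        parts = line[4:].split()
        if parts:
            keywords.add(parts[0].upper())
    return keywords

class TLSMemory:
    def __init__(self):
        self.seen_tls = set()             # hosts that advertised STARTTLS before

    def decide(self, host, reply_lines):
        """Return 'STARTTLS', 'WARN_DOWNGRADE' or 'PLAINTEXT' for this session."""
        host = host.lower()
        if "STARTTLS" in parse_ehlo(reply_lines):
            self.seen_tls.add(host)
            return "STARTTLS"
        if host in self.seen_tls:
            # The capability vanished: the reply may have been altered in transit.
            return "WARN_DOWNGRADE"
        return "PLAINTEXT"                # first contact, nothing on record

# Constructed sample replies, modelled on the sample communication above.
WITH_TLS = ["250-mail.imc.org offers a warm hug of welcome", "250 STARTTLS"]
STRIPPED = ["250 mail.imc.org offers a warm hug of welcome"]
```

The record only helps from the second session onward: a server whose first observed reply was already stripped is indistinguishable from one that never supported TLS.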
24
Securing Email
PGP is a key encryption program mainly intended for email privacy and authentication.
PGP email encryption uses asymmetric key encryption algorithms.
MIME is used to provide authentication, digital signature, data security, privacy, message integrity and encryption for messages.
25
PGP
26
Conclusion
Spamming is a serious issue
  – Open mail relays
  – Open proxies
  – Worms that make servers vulnerable
Methods presented here do not provide end-to-end security
  – PGP, MIME must be used
27
Any Queries?
28
Thank You!