Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Email Bruce Maggs. Separate Suites of Protocols Protocols for retrieving email: POP, IMAP, MAPI (Microsoft Exchange) Protocols for sending email:

Published byClifford Sullivan Modified over 8 years ago

Similar presentations

Presentation on theme: "Securing Email Bruce Maggs. Separate Suites of Protocols Protocols for retrieving email: POP, IMAP, MAPI (Microsoft Exchange) Protocols for sending email:"— Presentation transcript:

1 Securing Email Bruce Maggs

2 Separate Suites of Protocols Protocols for retrieving email: POP, IMAP, MAPI (Microsoft Exchange) Protocols for sending email: SMTP 2

3 POP (Post Office Protocol) Current version is POP3, RFC 1939. Client connects to POP server on port 110 Originally, everything was sent in the clear. Yes, everything, including user name, password, and your mail. Now it’s common to connect instead to port 995 using SSL/TLS, same PKI as Web. 3

4 POP3 Dialog S: C: S: +OK POP3 server ready C: USER mrose S: +OK User accepted C: PASS tanstaaf S: +OK Pass accepted C: STAT S: +OK 2 320 C: LIST S: +OK 2 messages (320 octets) S: 1 120 S: 2 200 S:. C: RETR 1 S: +OK 120 octets S: C: QUIT S: +OK dewey POP3 server signing off (maildrop empty) C: S: 4

5 Experimenting with a POP3 Server telnet mail.cs.duke.edu 110 openssl s_client -connect mail.cs.duke.edu:995 -quiet 5 openssl s_client creates a TLS session between client and server and supports text-based interaction – useful for debugging

6 Autenticated Post Office Protocol (APOP, RFC 1460) S: C: S: +OK POP3 server ready C: APOP mrose c4c9334bac560ecc979e58001b3e22fb S: +OK mrose's maildrop has 2 messages (320 octets) 6 Other authentication methods include SASL and Kerberos. in this example, session is not encrypted 1896.697170952 is a time stamp shared secret is the password " tanstaaf “ Client applies MD5 algorithm to the string tanstaaf which produces a digest value of c4c9334bac560ecc979e58001b3e22fb Password not sent in the clear, digest can’t be reused

7 IMAP (Internet Message Access Protocol) Current version is IMAP4, RFC 3501. Client connects to IMAP server on port 143. Originally, user name, password, mail sent in the clear. Now connect to port 993 using SSL/TLS. 7

8 IMAP Dialog S: * OK IMAP4rev1 Service Ready C: a001 login mrc secret S: a001 OK LOGIN completed C: a002 select inbox S: * 18 EXISTS S: * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) S: * 2 RECENT S: * OK [UNSEEN 17] Message 17 is the first unseen message S: * OK [UIDVALIDITY 3857529045] UIDs valid S: a002 OK [READ-WRITE] SELECT completed C: a003 fetch 12 full 8

9 More IMAP Authentication Mechanisms (RFC 1731) Kerberos, S/Key (like APOP example), GSSAPI (GSSAPI is a standardized API, typically wrapped around Kerberos) Kerberos example: S: * OK IMAP4 Server C: A001 AUTHENTICATE KERBEROS_V4 S: + AmFYig== random 32-bit number C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT +nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh service ticket for the principal imap.hostname@realm and authenticator for client (encrypted checksum in authenticator contains 32-bit number) S: + or//EoAADZI= C: DiAF5A4gA+oOIALuBkAAmw== S: A001 OK Kerberos V4 authentication successful 9

10 SMTP (Simple Mail Transfer Protocol) Currently described in RFC 5321 Client connects to SMTP server on port 25 Originally everything was sent in the clear Originally client could send mail without authenticating! *** SPAM *** ***FORGERY*** Port 465 used for SSL/TLS Sender’s SMTP server relays mail to receiver’s SMTP server DNS Mail Exchanger (MX) records used to resolve mail domain name to IP address of SMTP server of recipient, e.g., bmm@cs.duke.edu 10

11 DNS MX Record 11

12 SMTP Dialog S: 220 smtp.example.com ESMTP Postfix C: HELO relay.example.org S: 250 Hello relay.example.org, I am glad to meet you C: MAIL FROM: S: 250 Ok C: RCPT TO: S: 250 Ok C: RCPT TO: S: 250 Ok C: DATA S: 354 End data with. C: From: "Bob Example" C: To: "Alice Example" C: Cc: theboss@example.com C: Date: Tue, 15 January 2008 16:02:43 -0500 C: Subject: Test message C: C: Hello Alice. C: This is a test message with 5 header fields and 4 lines in the message body. C: Your friend, C: Bob C:. S: 250 Ok: queued as 12345 C: QUIT S: 221 Bye {The server closes the connection} 12

13 STARTTLS Instead of using separate ports for SSL/TLS connections, POP, IMAP, SMTP connections can be converted from plain text to encryped communications through the use of the STARTTLS command. S: C: S: 220 mail.example.org ESMTP service ready C: EHLO client.example.org S: 250-mail.example.org offers a warm hug of welcome S: 250 STARTTLS C: STARTTLS S: 220 Go ahead C: C & S: C: EHLO client.example.org 13

14 SMTP AUTH Extension S: 220 smtp.example.com ESMTP Server C: EHLO client.example.com S: 250-smtp.example.com Hello client.example.com S: 250-AUTH GSSAPI DIGEST-MD5 S: 250-ENHANCEDSTATUSCODES S: 250 STARTTLS C: STARTTLS S: 220 Ready to start TLS... TLS negotiation proceeds. Further commands protected by TLS layer... C: EHLO client.example.com S: 250-smtp.example.com Hello client.example.com S: 250 AUTH GSSAPI DIGEST-MD5 PLAIN C: AUTH PLAIN dGVzdAB0ZXN0ADEyMzQ= S: 235 2.7.0 Authentication successful 14 Client must log in (authenticate) to send mail. (In this example user name and password are encoded but not encrypted in PLAIN string.)

15 Warning! Mail relayed between two SMTP servers might not be encrypted. (Even if sender and recipient connect securely to their SMTP and IMAP servers.) 15

16 SORBS (SPAM and Open-Relay Blocking System) Database of bad SMTP (blacklisted) relays accessed through DNS Mail won’t be accepted from these relays (Also SPAMHAUS database.) 16

17 Ways to Prove your SMTP Relay is Legit Register reverse DNS name (weak) DKIM (DomainKeys Identified Mail) – relay signs headers with its private key, receiver can verify that sender is in the same domain (e.g., cs.duke.edu) as relay (no CAs, public keys distributed through DNS) SPF (Sender Policy Framework) – whitelist of which servers are permitted to originate email for which domains, accessed via DNS 17

18 Signing Your Email PGP (Pretty Good Privacy) Certificate signed by certificate authority, e.g., Comodo. 18

19 PGP Developed by Phil Zimmerman OpenPGP standard described in RFC 4880 Public key bound to user name or email address No centralized certificate authority in original design Public keys can be signed by other users attesting to their authenticty, often at key-signing parties Supported in Thunderbird, Pine, with plug-in in Outlook. 19

20 Comodo Verifies that you can receive email at the address that you want a certificate for. 20

21 Retrieve Certificate Chrome downloads and stores certificate. 21

22 Install in Thunderbird (easier if downloaded to Firefox than Chrome) 22

23 My First Signed Message 23

Download ppt "Securing Email Bruce Maggs. Separate Suites of Protocols Protocols for retrieving email: POP, IMAP, MAPI (Microsoft Exchange) Protocols for sending email:"

Similar presentations

Securing Email Bruce Maggs. Separate Suites of Protocols Protocols for retrieving email: POP, IMAP, MAPI (Microsoft Exchange) Protocols for sending email:

Securing Bruce Maggs. Separate Suites of Protocols Protocols for retrieving POP, IMAP, MAPI (Microsoft Exchange) Protocols for sending
Email Protocols and Troubleshooting Brandon Checketts.

Protocols and Troubleshooting Brandon Checketts.
INTRANET MAIL SERVER (DESIGN OF SMTP and POP3)

INTRANET MAIL SERVER (DESIGN OF SMTP and POP3)
1 Electronic Mail u Three major components: u user agents u mail servers u simple mail transfer protocol: SMTP u User Agent u a.k.a. “mail reader” u composing,

1 Electronic Mail u Three major components: u user agents u mail servers u simple mail transfer protocol: SMTP u User Agent u a.k.a. “mail reader” u composing,
CPSC 441: FTP & SMTP1 Application Layer: FTP & Instructor: Carey Williamson Office: ICT 740 Class.

CPSC 441: FTP & SMTP1 Application Layer: FTP & Instructor: Carey Williamson Office: ICT Class.
Electronic Mail and SMTP

Electronic Mail and SMTP
POP3 Post Office Protocol v.3. Intro The Post Office Protocol (POP) is currently the most popular TCP/IP e-mail access and retrieval protocol. It implements.

POP3 Post Office Protocol v.3. Intro The Post Office Protocol (POP) is currently the most popular TCP/IP access and retrieval protocol. It implements.
Esimerkki: Sähköposti. Lappeenranta University of Technology / JP, PH, AH Electronic Mail Three major components: user agents mail servers simple mail.

Esimerkki: Sähköposti. Lappeenranta University of Technology / JP, PH, AH Electronic Mail Three major components: user agents mail servers simple mail.
Dave Roberts.  Dynamic Host Configuration Protocol  DHCP  Simple Mail Transport Protocol  SMTP 2.

Dave Roberts.  Dynamic Host Configuration Protocol  DHCP  Simple Mail Transport Protocol  SMTP 2.
Simple Mail Transfer Protocol

Simple Mail Transfer Protocol
2440: 141 Web Site Administration Email Services Instructor: Enoch E. Damson.

2440: 141 Web Site Administration Services Instructor: Enoch E. Damson.
Introduction 1 Lecture 7 Application Layer (FTP, e-mail) slides are modified from J. Kurose & K. Ross University of Nevada – Reno Computer Science & Engineering.

Introduction 1 Lecture 7 Application Layer (FTP, ) slides are modified from J. Kurose & K. Ross University of Nevada – Reno Computer Science & Engineering.
Mail Server Fitri Setyorini. Content SMTP POP3 How mail server works IMAP.

Mail Server Fitri Setyorini. Content SMTP POP3 How mail server works IMAP.
E-mail-I CS-3505 Wb_e-mail-I.ppt. Email 4 The most useful feature of the internet 4 Lots of different email programs, but most of them can talk to each.

-I CS-3505 Wb_ -I.ppt. 4 The most useful feature of the internet 4 Lots of different programs, but most of them can talk to each.
SIMPLE MAIL TRANSFER PROTOCOL SECURITY Guided By Prof : Richard Sinn Bhavesh Jadav Mayur Mulani.

SIMPLE MAIL TRANSFER PROTOCOL SECURITY Guided By Prof : Richard Sinn Bhavesh Jadav Mayur Mulani.
Introduction 1-1 Chapter 2 FTP & Email Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 IC322 Fall.

Introduction 1-1 Chapter 2 FTP & Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 IC322 Fall.
 ENGR 1110 Introduction to Engineering – Cyber Security Allison Holt, Adam Brown Auburn University.

 ENGR 1110 Introduction to Engineering – Cyber Security Allison Holt, Adam Brown Auburn University.
Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES E-mail Internet Protocols Simple Mail Transfer Protocol, SMTP RFC821 (August 1982)

Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Protocols Simple Mail Transfer Protocol, SMTP RFC821 (August 1982)
2: Application Layer1 Chapter 2 Application Layer These slides derived from Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross.

2: Application Layer1 Chapter 2 Application Layer These slides derived from Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross.
11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 

11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 

Similar presentations

Ads by Google