Mail Protocol, Postfix and Mail security
SANOG34 – Kolkata 3-7 August – 2019 HowHow Email Email Appears Appears to to Work Works
SANOG34 – Kolkata 3-7 August – 2019 2 HowHow Email Email ReallyReally Works Works
SANOG34 – Kolkata 3-7 August – 2019 3 Message Format
• Envelop – Routing information for the "postman" • Message Header – Sender – Recipients (simple, lists, copies, blind copies) – Other fields of control (date, subject) • Message Body – Free text – Structured document (i.e.: MIME)
SANOG34 – Kolkata 3-7 August – 2019 Message Format
From: GZ Kabir
Hi Kong, I'm going to be running a course on ...
ü Format was originally defined by RFC 822 in 1982 ü Now superseded by RFC 2822 ü Message consists of ü Header lines ü A blank line ü Body lines
SANOG34 – Kolkata 3-7 August – 2019 Message Format • Embedded MUA uses inter-process call to send to MTA
• Freestanding MUA uses SMTP to send mail
• Headers added by the MUA before sending From: GZ Kabir
To: Diep Kong < [email protected] > Cc: Moin < [email protected] > Subject: How Internet mail works
Hi Kong, I'm going to be running a course on ...
SANOG34 – Kolkata 3-7 August – 2019 Mail Delivery Agent (MDA) / Mail Transfer Agent (MTA)
• Headers added by MTAs
From: GZ Kabir
SANOG34 – Kolkata 3-7 August – 2019 A message in Transit • A message is transmitted with an envelope: – MAIL FROM:
SANOG34 – Kolkata 3-7 August – 2019 An SMTP Session telnet mail7i.protonmail.ch 25 Received: from ... 220 mail7i.protonmail.ch ESMTP Postfix ... From: ... EHLO mail-pg0-f54.google.com 250- mail7i.protonmail.ch ... To: ... 250-SIZE 10485760 etc... 250-PIPELINING 250 OK id=10sPdr-00034H-00 250 HELP quit 221 mail-pg0-f54.google.com closing MAIL FROM:
SANOG34 – Kolkata 3-7 August – 2019 DNS Resolution and Transfer Process
To find the recipient's IP address and mailbox, the MTA must drill down through the DNS system, which consists of a set of servers distributed across the Internet beginning with the root name servers
root servers refer requests for a given domain to the root nameservers that handle requests for that tld – MTA can bypass this step because it has already knows which domain nameservers handle requests for these .tlds e.g. bofh.im asks the appropriate DNS server which Mail Exchange (MX) servers have knowledge of the subdomain or local host in the email address
DNS server responds with an MX record: a prioritized list of MX servers for this domain
To the DNS server, the server that accepts messages is an MX server. When is transferring messages, it is called an MTA.
MTA contacts the MX servers on the MX record in order of priority until it finds the designated host for that address domain
sending MTA asks if the host accepts messages for the recipient's username at that domain (i.e., [email protected]) and transfers the message
SANOG34 – Kolkata 3-7 August – 2019 Firewalls, Spam and Virus Filters
Firewalls, An email encountering Spam a firewall and Virus Filters may be tested by spam and • An email encounteringvirus filters beforea firewall it is allowed may be tested byto spam pass inside and the virus firewall filters before it is allowedfilters test to to pass see if inside the the firewall message qualifies as spam or malware • filters test to see if the message qualifies as Ifspam the message or malware contains malware, the file is usually • If the messagequarantined contains and malware, the sender is the file is usuallynotified quarantined and
the sender isIf thenotified message is identified as spam, it will probably be • If the messagedeleted is identified without notifying as spam, the it will probablysender be. deleted without notifying the sender. 1 6 SANOG34 – Kolkata 3-7 August – 2019 Mail Transfer Agents (MTA)
MTAs do the actual mail transfers MTAs are not meant to be directly accessed by users. Other MTA’s are: n Postfix n Qmail n MS Exchange n CC:Mail n Lotus Notes n ….etc.
SANOG34 – Kolkata 3-7 August – 2019 ESMTP (RFC 2821)
To get around the problems with simple SMTP, extended SMTP has been defined in RFC 2821. Clients wanting to use it should send an EHLO message instead of HELO initially. If this is rejected, then the server is a regular SMTP server, and the client should proceed in the usual way. If the EHLO is accepted, then new commands and parameters are allowed.
SANOG34 – Kolkata 3-7 August – 2019 POP3 Mail access protocol:
POST OFFICE PROTOCOL [RFC 1939]
Simple and limited functionality,Consists of client software and Server software, Server performs user authorization
IMAP: Internet mail access protocol [Version 4]
SANOG34 – Kolkata 3-7 August – 2019 POP3 Retrieves messages from a mail server
Typically, messages are downloaded to your mail client, and deleted from the server
Designed for use with dial-up connections when people were intermittently connected
Listens on Port 110 (with Secure POP generally on port 995)
SANOG34 – Kolkata 3-7 August – 2019 Webmail
SANOG34 – Kolkata 3-7 August – 2019 Webmail
Webmail (or web-based email) is any email client implemented as a web application running on a web server
• Online in nature • IMAP connections mostly • Secured HTTP (HTTPS) must • Can be hosted, e.g.: RoundCube, SquirrelMail, Horde, Zimbra, Rainloop, Kite, MailPile,iRedMail, etc. • Webmail Service providers : Gmail, Outlook, AOL, Yahoo, etc. • Privacy and Security Concern • Easy to configure, easy to host.
SANOG34 – Kolkata 3-7 August – 2019 Common Threat Landscape
• Eavesdropping • Spamming and Phishing • Spoofing • Malicious Email Attachments • Replying and Forwarding Issues • CC & BCC Issues
SANOG34 – Kolkata 3-7 August – 2019 Short History
• Originally developed in the late 90s at IBM by Wietse Venema, author of security software (SATAN, TCPwrappers, ...), as ”IBM Secure Mailer” • Place under an Open Source license, and renamed ”Postfix” • Intended as a replacement for then insecure mail systems, such as Sendmail
SANOG34 – Kolkata 3-7 August – 2019 Design Goals
• Safety • Robustness • Performance • Modularity • Compatibility
SANOG34 – Kolkata 3-7 August – 2019 Safety
• Postfix makes it very hard to lose mails – many checks to ensure that mail has been written to disk or delivered • Back off mechanisms in case of repeated failure
SANOG34 – Kolkata 3-7 August – 2019 Security • Collection of daemons working together Doesn't use environment for communication • Very paranoid about input checking, all allocation is dynamic (avoiding buffer overflows) • chroot support out of the box for almost all processes & daemons • No data is ever exchanged directly between processes – all is done via IPC, and files on disk • Conservative resource usage
SANOG34 – Kolkata 3-7 August – 2019 Performance
• Designed to be fast from the ground up • Also behaves well with neighbors, doesn't flood them with mail, and instead uses a throughput adaptation • Will not block delivery for a message if one recipient domain fails
SANOG34 – Kolkata 3-7 August – 2019 Modular
• One program, one function All programs controlled from ”master.cf” • Many small programs working together, with limited privileges • Compatible with Sendmail's /etc/aliases and .forward conventions
SANOG34 – Kolkata 3-7 August – 2019 Features
• Virtual domains – domains and users are completely independent of system (UNIX) users • Aliases – sendmail compatible Rewriting – senders, recipients, globally RBL support (Realtime Blackhole Lists) support Content filtering using pipes, SMTP or milter • Support for arbitrary mail manipulation with policy services (custom programs talking to postfix)
SANOG34 – Kolkata 3-7 August – 2019 More Features
• Restriction classes Conditional filtering • Sender or recipient address verification (test email addresses before accepting mail from them) • TLS support
SANOG34 – Kolkata 3-7 August – 2019 Basic Postfix Configuration
• Two primary configuration files – main.cf • Main configuration file where all the subsystems are configured (smtp, smtpd, cleanup, routing, ...) – master.cf • File controlling how the ”master” process of postfix will launch all the necessary postfix daemons to perform mail routing, on-demand
SANOG34 – Kolkata 3-7 August – 2019 Other Configuration Details
• Reside in ”maps” mentioned earlier • Tables containing values and conditions, referred to from main.cf, controlling all aspects such as: – Virtual and local domains – Routing rules – Access control – Rewriting
– ...
SANOG34 – Kolkata 3-7 August – 2019 Configuration: postconf command
• postconf – used to view and edit configuration parameters • For changing the configuration, it is usually done vi editing ”main.cf” directly
SANOG34 – Kolkata 3-7 August – 2019 Some Basic main.cf smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination myhostname = group1.group01.net alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = group1.group01.net, localhost.group01.net, , localhost relayhost = group1.group01.net mynetworks = 127.0.0.0/8 61.45.254.0/24 [2001:df0:a:4::]/64 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = all
SANOG34 – Kolkata 3-7 August – 2019 Some Basic main.cf # TLS parameters smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
SANOG34 – Kolkata 3-7 August – 2019 Some Basic main.cf ## in the file /etc/mailname group1.group01.net
## in the file /etc/aliases postmaster: root sysadm: apnic
SANOG34 – Kolkata 3-7 August – 2019 SANOG34 – Kolkata 3-7 August – 2019