Don’t Send – Deliver!

Hrvoje (Harry) Dogan, Technical Marketing Engineer

BRKSEC-2337


© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Abstract

In the past years, we've seen new and ingenious ways to exploit email as a threat vector. This, in turn, has brought in many new mechanisms to evaluate authenticity, content and sources of email. More than ever, senders - especially large volume senders - are struggling with getting all of their emails delivered, and keeping all of their email sources in good standing with blacklist and security intelligence providers. This session will show, through established best practices and industry examples, how to ensure that your email is deliverable. Along the way, it will make your email infrastructure, and your email traffic, more resilient, secure and Internet-friendly. We will discuss different techniques used by large email providers, and how to make sure they always like you. Basic knowledge of email operation and SMTP is required. Acquaintance with email authentication will be beneficial to understand the material.

Agenda

• To Send ≠ To Deliver

• Different Faces of Reputation

• Message Properties

• Concurrency

• Delivery Infrastructure

• Be A Good Citizen

About The Author

Hrvoje (Harry) Dogan

• Joined Cisco through IronPort acquisition in 2007

• SE, then CSE for Central and Eastern Europe, Europe Emerging...

• Instructor Trainer for ESA/WSA, author of multiple whitepapers and Cisco Live sessions on Email and Web security

• In 2011, moved to Security Business Group to join the product team

• In 2015, relocated to Singapore to cover APJ+GC regions

• Cisco Live Distinguished Speaker 2014, 2016, 2017

• Avid sailor, aspiring rock climber and retiring SCUBA diver

• Ingress Enlightened agent and operator

Presentation Theme

Source: https://en.wikipedia.org/wiki/Singlish, retrieved on 12th of December, 2017

What’s Going On?

You ask me I ask who? (I am not the right person to answer this question)

Don't worry, sure can one. (Don't worry; it'll work.)

A Piece of Mail Was Sent

A Piece of Mail Was Delivered

…And In-between?

“There’s a big difference between sending email and delivering email”

Joe Uhl, VP of Operations, MailChimp, in https://www.wired.com/2016/07/mailchimp-sends-billion-emails-day-thats-easy-part/

The Problem Is Three-Fold

User experience and email delays

Additional stress on your delivery infrastructure

Additional stress on 3rd parties’ receiving infrastructure

The Internet Delivers Swift Justice To Mishandled Delivery

EHLO domain.com
554 IP address is blacklisted

EHLO domain.com
554 Rejected due to policy restrictions

EHLO domain.com
550 [RBL] Sender blocked domain.com

550 mail.server.com ESMTP Connection rejected. Your IP 10.18.3.47 is in RBL

EHLO domain.com
550 OU-002 Mail rejected by Windows Live Hotmail for policy reasons. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation problems. If you are not an email/network admin please contact your E-mail/Internet Service Provider for help. Email/network admins, please visit http://postmaster.live.com for email delivery information and support

There Is No Carrot!

IP Blacklisting

AS Blacklisting

Monetary charges for delisting

Different Faces of Reputation

Everyone Looks For Different Things In Others

• Sending host reputation

• Sender Domain Reputation

• Reputation by Network Proximity

• AS Reputation

• Network Owner Reputation

• …

What Are We To Do?!?

That why asking how? (The reason I'm asking the question is, how do I go about doing it?)

You want do how you do how. (You can do it any way you like.)

Message Properties

Overall considerations

What Are You Sending??

• Correct Encoding

• Correct MIME

• Message Format

• Correct Time

Text Can Be Encoded In Many Ways!

Sender’s Computer Encoding: BIG5
Exchange Encoding: GB2312
Receiver’s Computer Encoding: BIG5

--Boundary_(ID_nI+mPHhd2wki+0PBonlpeA)
Content-type: text/plain; charset=gb2312
Content-transfer-encoding: 8BIT

FYR

______èƒ: Íê÷¡…∆ ºƒº˛»’∆⁄: 2014ƒÍ4‘¬23»’ œ¬ŒÁ 04:29 ÷¡: ≈̺∞ªÕ; Ñ¢∂°À…; Íê÷¡…∆; ÕıÔwòÂ; óÓçã∫¿; ¡÷è©–¢ ∏±±æ: ¡÷±˛›x; «Òø°Œƒ ÷˜÷º: RE: LCS1-üo∑®å¶ë™7/15ñ|‘£≤øΩY≤ø∆∑÷≥ˆ

Ω®◊h:

¨F뙑쓗flM»ÎAPQP-3ÎA∂Œ

Setting a Default Encoding on the ESA

esa1> scanconfig

There are currently 5 attachment type mappings configured to be SKIPPED.

Choose the operation you want to perform:
- NEW - Add a new entry.
- DELETE - Remove an entry.
- SETUP - Configure scanning behavior.
- IMPORT - Load mappings from a file.
- EXPORT - Save mappings to a file.
- PRINT - Display the list.
- CLEAR - Remove all entries.
- SMIME - Configure S/MIME unpacking.
- CLUSTERSET - Set how scanconfig is configured in a cluster.
- CLUSTERSHOW - Display how scanconfig is configured in a cluster.
[]> setup

Configure encoding to use when none is specified for plain body text or anything with MIME type plain/text or plain/html.
1. US-ASCII
2. Unicode (UTF-8)
3. Unicode (UTF-16)
4. Western European/Latin-1 (ISO 8859-1)
5. Western European/Latin-1 (Windows CP1252)
6. Traditional Chinese (Big 5)
7. Simplified Chinese (GB 2312)
8. Simplified Chinese (HZ GB 2312)
9. Korean (ISO 2022-KR)
10. Korean (KS-C-5601/EUC-KR)
11. Japanese (Shift-JIS (X0123))
12. Japanese (ISO-2022-JP)
13. Japanese (EUC)
[1]> 2

Setting default encoding will NOT help if encoding is specified in the message, but is incorrect!

Encoding Makes A Difference!

• Text can be encoded in many ways

• Headers have encoding, too!
  • RFC2047: Message Header Extensions for Non-ASCII Text

Subject: [MARKETING] Merry Christmas 🎄

Subject: [MARKETING] =?utf-8?Q?Merry=20Christmas=C2=A0=F0=9F=8E=84?=
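The two encoding slides above (a body labelled gb2312 that was written in Big5, and a Subject carried as an RFC 2047 encoded-word) can be checked before a message leaves the sender. The following lint is an added example, not code from the presentation; the function names, addresses and sample messages are constructed for illustration.

```python
"""Added example: pre-send lint for header encoding and charset labels."""
from email import message_from_bytes, policy


def lint_message(raw):
    """Return a list of findings for one raw RFC 5322 message (bytes)."""
    findings = []
    # 1. The header block (up to the first empty line) must be pure ASCII;
    #    non-ASCII text belongs in RFC 2047 encoded-words.
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    name = "?"
    for line in head.split(b"\n"):
        if not line.startswith((b" ", b"\t")):   # not a folded continuation
            name = line.split(b":", 1)[0].decode("ascii", "replace")
        if any(byte > 0x7F for byte in line):
            findings.append(f"header {name}: raw 8-bit bytes, not RFC 2047 encoded")
    # 2. Every text part must decode strictly under the charset it declares.
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        charset = part.get_content_charset()     # None when not declared
        if charset is None:
            if any(byte > 0x7F for byte in body):
                findings.append("text part: 8-bit body without a charset parameter")
            continue
        try:
            body.decode(charset)
        except LookupError:
            findings.append(f"text part: unknown charset {charset}")
        except UnicodeDecodeError as exc:
            findings.append(f"text part: body is not valid {charset} at byte {exc.start}")
    return findings


def decoded_subject(raw):
    """Subject as a receiving client would display it."""
    return str(message_from_bytes(raw, policy=policy.default)["Subject"])


def sample(subject, body, charset):
    """Build a constructed single-part test message."""
    return (b"From: sender@example.com\r\nSubject: " + subject + b"\r\n"
            b"MIME-Version: 1.0\r\n"
            b"Content-Type: text/plain; charset=" + charset.encode("ascii") + b"\r\n"
            b"Content-Transfer-Encoding: 8bit\r\n\r\n" + body + b"\r\n")


TEXT = "你好，這是一封測試郵件"   # constructed Traditional Chinese body text
ENCODED = b"[MARKETING] =?utf-8?Q?Merry=20Christmas=C2=A0=F0=9F=8E=84?="
GOOD = sample(ENCODED, TEXT.encode("big5"), "big5")
MISLABELLED = sample(ENCODED, TEXT.encode("big5"), "gb2312")
RAW_SUBJECT = sample("Merry Christmas 🎄".encode("utf-8"), b"hello", "us-ascii")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("mislabelled", MISLABELLED),
                       ("raw subject", RAW_SUBJECT)):
        print(label, lint_message(raw))
```

A strict decode is necessary but not sufficient: some Big5 byte pairs are also valid GB2312, so a mislabelled part can pass this check and still render as mojibake.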

MIME-Version: 1.0
Content-type: multipart/mixed;
 boundary="B_3597992599_406827548"

> This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

--B_3597992599_406827548
Content-type: multipart/alternative;
 boundary="B_3597992599_1713911382"

--B_3597992599_1713911382
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: 7bit

[…]

--B_3597992599_1713911382
Content-type: text/html; charset="UTF-8"
Content-transfer-encoding: quoted-printable

[…]

--B_3597992599_1713911382--

--B_3597992599_406827548
Content-type: application/pdf; name="4854861.pdf";
 x-mac-creator="4F50494D";
 x-mac-type="50444620"
Content-ID: [email protected]
Content-disposition: attachment;
 filename="4854861.pdf"
Content-transfer-encoding: base64

[…]

--B_3597992599_406827548--

A MIME Is A Terrible Thing To Waste!

• Make sure that ALL of your MIME is done right!
  • All enclosures and containers properly formatted and closed
  • All attachments properly named, encoded and with proper disposition
  • All text parts properly encoded
  • No duplicates!

Message Format

RFC5322 Anyone?

• Proper PRA Headers (From/Sender/Resent-From…)

• Proper Message-ID

• Proper Return-Path

• Obey Line Length

• Fold, Fold, Fold!!!

Determining PRA

RFC4407

[Flowchart]

1. Select first non-empty Resent-Sender header. Found: go to 5. Not found: continue.
2. Select first non-empty Resent-From header. Found: go to 5. Not found: continue.
3. Select all Sender headers. Found 0: continue. Found 1: go to 5. Found MULTIPLE: impossible to determine PRA.
4. Select all From headers. Found 1: go to 5. Found 0 or MULTIPLE: impossible to determine PRA.
5. Malformed? Y: impossible to determine PRA. N: the selected header gives the PRA.
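The PRA selection above, written out as an added example (not code from the presentation). It follows RFC 4407, including the step 1 exception for a Resent-Sender separated from an earlier Resent-From by a Received or Return-Path header, which the flowchart does not show; the function name and the sample messages are constructed.

```python
"""Added example: Purported Responsible Address selection per RFC 4407."""
from email import message_from_string
from email.utils import getaddresses

TRACE = ("received", "return-path")


def purported_responsible_address(raw):
    """Return the PRA mailbox, or None when it cannot be determined."""
    # Header fields in the order they appear, top of the message first.
    headers = [(n.lower(), v.strip())
               for n, v in message_from_string(raw).items()]

    def non_empty(name):
        return [i for i, (n, v) in enumerate(headers) if n == name and v]

    chosen = None
    resent_sender = non_empty("resent-sender")
    resent_from = non_empty("resent-from")
    if resent_sender:                                   # step 1
        rs = resent_sender[0]
        earlier = [i for i in resent_from if i < rs]
        # A trace header between the two means they belong to different
        # resends, so the Resent-From on top wins (step 2).
        crossed_hop = bool(earlier) and any(
            n in TRACE for n, _ in headers[earlier[0] + 1:rs])
        if not crossed_hop:
            chosen = rs
    if chosen is None and resent_from:                  # step 2
        chosen = resent_from[0]
    if chosen is None:                                  # steps 3 and 4
        for name in ("sender", "from"):
            found = non_empty(name)
            if len(found) > 1:
                return None                             # step 6: ill-formed
            if found:
                chosen = found[0]
                break
    if chosen is None:
        return None                                     # no From at all
    mailboxes = getaddresses([headers[chosen][1]])      # step 5
    if len(mailboxes) != 1:
        return None                                     # several mailboxes
    local, at, domain = mailboxes[0][1].rpartition("@")
    return mailboxes[0][1] if local and at and domain else None


# Constructed sample messages (example.* domains).
HOP = "Received: from a.example.net by b.example.net; Wed, 3 Jan 2018 15:36:10 -0800\n"
LIST_MSG = (HOP + "From: Author <author@example.com>\n"
            "Sender: dmarc <dmarc-bounces@example.org>\nSubject: test\n\nbody\n")
TWO_FROM = "From: a@example.com\nFrom: b@example.com\n\nbody\n"
RESENT_HOP = ("Resent-From: fwd@example.net\n" + HOP +
              "Resent-Sender: old@example.org\nFrom: author@example.com\n\nbody\n")
RESENT_SAME = ("Resent-From: fwd@example.net\nResent-Sender: agent@example.net\n"
               "From: author@example.com\n\nbody\n")
TWO_MAILBOXES = "From: a@example.com, b@example.com\n\nbody\n"

if __name__ == "__main__":
    for raw in (LIST_MSG, TWO_FROM, RESENT_HOP, RESENT_SAME, TWO_MAILBOXES):
        print(purported_responsible_address(raw))
```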

Message Format

RFC5322 Anyone?

From: Redacted Redacted [email protected]
Date: Wed, 3 Jan 2018 15:35:59 -0800
Message-ID: CAD2i3WPum3O-3bYQdWOhDVUrjfq0PDWC3cmTTELeMqgguNECJg@mail.gmail.com
To: "[email protected]" [email protected]
Subject: Re: [dmarc-ietf] Clarifying the value of arc.closest-fail
List-Unsubscribe: , mailto:[email protected]?subject=unsubscribe
List-Subscribe: , mailto:[email protected]?subject=subscribe
Errors-To: [email protected]
Sender: dmarc [email protected]
Return-Path: [email protected]

Message Properties

Additional helpful items

• DKIM Signature

• Marketing Or Bulk Messages:

• Have a meaningful disclaimer

• Advertise your unsubscribe policy!

• Do consider double opt-in (especially in the EU!)

• More EU: Sanitise your auto-replies of anything even remotely marketing-ish

• Be aware of local regulations, common practices, and habits (e.g. ”” tag)

Message Properties

Good Examples

Concurrency And Delivery Limits

The Many Faces of simultaneity

YMMV

• 1000 msgs/hr

• 500 recips/hr

• 20 concurrent connections

• 100 connections/hr

• 10 msgs/connection

• 50-100 recips/msg

Delivery Infrastructure

Finally! Stuff to configure on Cisco Email Security!

• NTP across all your systems!

• Use proper SMTP on the edge

• Use multiple IP addresses
  • per message class
  • per destination
  • for round-robin delivery

• DNS considerations

• SPF

• DMARC

NTP across all your systems!

Authentication-Results: mx.redacted.com; dkim=permerror reason="verification error: signature timestamp in the future" [email protected]

Use proper SMTP on the edge

Connected to mx1.hc252-80.c3s2.iphmx.com.
Escape character is '^]'.
220 esa1.hc252-80.c3s2.iphmx.com ESMTP
EHLO cisco.com
250-esa1.hc252-80.c3s2.iphmx.com
250-8BITMIME
250-SIZE 104857600
250 STARTTLS
MAIL FROM:[email protected]
501 #5.5.2 syntax error 'MAIL FROM:[email protected]'

Connected to mx1.hc252-80.c3s2.iphmx.com.
Escape character is '^]'.
220 esa1.hc252-80.c3s2.iphmx.com ESMTP
EHLO dir.hr
250-esa1.hc252-80.c3s2.iphmx.com
250-8BITMIME
250-SIZE 104857600
250 STARTTLS
MAIL FROM:[email protected]
250 sender ok

Sun Jan 14 18:07:21 2018 Info: New SMTP ICID 1126365 interface Data 1 (68.232.150.244) address 37.48.64.136 reverse dns host dir.hr verified yes
Sun Jan 14 18:07:21 2018 Info: ICID 1126365 RELAY SG RELAYLIST match 37.48.64.136 SBRS None country Netherlands
Sun Jan 14 18:07:43 2018 Info: Start MID 189557 ICID 1126365
Sun Jan 14 18:07:43 2018 Info: MID 189557 ICID 1126365 From:

Demo

Demo Flow

Delivery Interface Creation

Demo Flow

Populate Your DNS Zones!!

# cat 73.48.10.in-addr.arpa
$TTL 86400
$ORIGIN 73.48.10.IN-ADDR.ARPA.
@ 1D IN SOA ns1.dir.hr. hostmaster.dir.hr. (
        2017122801 ; serial
        3H ; refresh
        15 ; retry
        1w ; expire
        3h ; minimum
        )
;
        IN NS ns1.dir.hr.
        IN NS ns2.dir.hr.
;
11 IN PTR outbound-1.dir.hr.

# cat 73.47.10.in-addr.arpa
$TTL 86400
$ORIGIN 73.47.10.IN-ADDR.ARPA.
@ 1D IN SOA ns1.dir.hr. hostmaster.dir.hr. (
        2017122801 ; serial
        3H ; refresh
        15 ; retry
        1w ; expire
        3h ; minimum
        )
;
        IN NS ns1.dir.hr.
        IN NS ns2.dir.hr.
;
23 IN PTR outbound-3.dir.hr.
24 IN PTR outbound-4.dir.hr.

# cat 230.20.172.in-addr.arpa
$TTL 86400
$ORIGIN 230.20.172.IN-ADDR.ARPA.
@ 1D IN SOA ns1.dir.hr. hostmaster.dir.hr. (
        2017122801 ; serial
        3H ; refresh
        15 ; retry
        1w ; expire
        3h ; minimum
        )
;
        IN NS ns1.dir.hr.
        IN NS ns2.dir.hr.
;
44 IN PTR outbound-2.dir.hr.

# cat dir.hr
$ORIGIN .
$TTL 7200 ; 2 hours
                    A 37.48.64.136
                    MX 0 mx1.hc252-80.c3s2.iphmx.com.
                    MX 5 mx2.hc252-80.c3s2.iphmx.com.
                    TXT "v=spf1 a mx mx:res.cisco.com ~all"
                    TXT "v=spf2.0/pra a mx mx:res.cisco.com ?all"
$ORIGIN dir.hr.
default._domainkey  TXT "v=DKIM1\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDE499oJxjq9mP91iq
                    arQs1d+U8xDaqUpqw964DMjPvznE33XTexawloNidWhcHN2YWkQQ5q7Rk
                    uY+qw3mC5nfjNw9bk71g6e8udzdnOov0QIatwL6FChRG9YhaxN19ExMB3
                    EfMzK65RRUPWD7L70m75D3oZWDZsaf327V0cWzMAwIDAQAB\;"
_mta-sts            TXT "v=STSv1\; id=2016122901\;"
_smtp-tlsrpt        TXT "v=TLSRPTv1\; rua=mailto:[email protected]"
mta-sts             CNAME rotkvica
$ORIGIN mta-sts.dir.hr.
policy              CNAME rotkvica.dir.hr.
$ORIGIN dir.hr.
rotkvica            A 37.48.64.136
                    MX 0 mx1.hc252-80.c3s2.iphmx.com.
webmail             A 37.48.64.136
www                 CNAME rotkvica
delivery-1          A 10.48.73.11
delivery-2          A 172.20.230.44
delivery-3          A 10.47.73.23
delivery-4          A 10.47.73.24
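Receivers commonly check that a sending IP's PTR name resolves back to the same IP (the "reverse dns host ... verified yes" in the ESA log earlier). The following added example, not part of the presentation, runs that forward-confirmed reverse DNS check offline over the PTR and A lines shown in the zone excerpts; the parser is deliberately minimal (IPv4, $ORIGIN, A and PTR only) and the outbound-N A records in FIXED_ZONES are hypothetical additions.

```python
"""Added example: forward-confirmed reverse DNS audit over zone-file text."""

# PTR and A lines transcribed from the zone excerpts on the slides.
SLIDE_ZONES = """
$ORIGIN 73.48.10.IN-ADDR.ARPA.
11 IN PTR outbound-1.dir.hr.
$ORIGIN 230.20.172.IN-ADDR.ARPA.
44 IN PTR outbound-2.dir.hr.
$ORIGIN 73.47.10.IN-ADDR.ARPA.
23 IN PTR outbound-3.dir.hr.
24 IN PTR outbound-4.dir.hr.
$ORIGIN dir.hr.
delivery-1 A 10.48.73.11
delivery-2 A 172.20.230.44
delivery-3 A 10.47.73.23
delivery-4 A 10.47.73.24
"""

# Hypothetical: the same zones plus A records matching the PTR targets.
FIXED_ZONES = SLIDE_ZONES + """
outbound-1 A 10.48.73.11
outbound-2 A 172.20.230.44
outbound-3 A 10.47.73.23
outbound-4 A 10.47.73.24
"""


def absolute(name, origin):
    """Make a zone-relative name fully qualified (lower case, trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Yield (owner, type, value) for A and PTR lines, honouring $ORIGIN."""
    origin = "."
    for line in text.splitlines():
        fields = line.split(";")[0].split()      # drop comments
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if "IN" in fields:
            fields.remove("IN")
        if len(fields) == 3 and fields[1] in ("A", "PTR"):
            owner, rtype, value = fields
            if rtype == "PTR":
                value = absolute(value, origin)
            yield absolute(owner, origin), rtype, value


def audit(zone_text):
    """Map each IPv4 address that has a PTR to (ptr_target, confirmed)."""
    records = list(parse_zone(zone_text))
    forward = {}
    for owner, rtype, value in records:
        if rtype == "A":
            forward.setdefault(owner, set()).add(value)
    result = {}
    for owner, rtype, target in records:
        if rtype == "PTR" and owner.endswith(".in-addr.arpa."):
            octets = owner[:-len(".in-addr.arpa.")].split(".")
            ip = ".".join(reversed(octets))
            result[ip] = (target, ip in forward.get(target, set()))
    return result


if __name__ == "__main__":
    for ip, (target, ok) in audit(SLIDE_ZONES).items():
        print(ip, target, "confirmed" if ok else "NOT confirmed")
```

Run over the excerpts as shown, every address is reported as not confirmed, because the PTR targets are outbound-N.dir.hr while the visible A records are delivery-N.dir.hr; the pairs confirm only if matching A records for the outbound-N names exist elsewhere in the zone.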

Demo Flow

Creating An IP Interface Group

(Machine esa1.hc252-80.c3s2.iphmx.com)> interfaceconfig

Currently configured interfaces:
1. Data 1 (68.232.150.244/24 on Data 1: esa1.hc252-80.c3s2.iphmx.com)
2. dlvr1 (10.48.73.11/24 on Data 2: delivery-1.dir.hr)
3. dlvr2 (172.20.230.44/24 on Data 2: delivery-2.dir.hr)
4. dlvrmc (10.47.73.24/24 on Data 2: delivery-4.dir.hr)
5. dlvrvip (10.47.73.23/24 on Data 2: delivery-3.dir.hr)

Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]> groups

Currently configured IP groups:
No groups defined.

Choose the operation you want to perform:
- NEW - Create a new group.
[]> new

Enter the name for this group.
[]> dlvr-rrgroup

Enter the name or number of the interfaces to be included in this group.
Separate your choices with commas or specify a range with a dash.
1. Data 1 (68.232.150.244/24: esa1.hc252-80.c3s2.iphmx.com)
2. dlvr1 (10.48.73.11/24: delivery-1.dir.hr)
3. dlvr2 (172.20.230.44/24: delivery-2.dir.hr)
4. dlvrmc (10.47.73.24/24: delivery-4.dir.hr)
5. dlvrvip (10.47.73.23/24: delivery-3.dir.hr)
[1]> 2,3

Group dlvr-rrgroup created.

Demo Flow

Configuring Default Delivery Via Interface Group

(Cluster Hosted_Cluster)> deliveryconfig

Default interface to deliver mail: Auto
"Possible Delivery": Disabled
Default system wide maximum outbound message delivery concurrency: 10000
Default system wide TLS maximum outbound message delivery concurrency: 100

Choose the operation you want to perform:
- SETUP - Configure mail delivery.
- CLUSTERSET - Set how mail delivery is configured in a cluster.
- CLUSTERSHOW - Display how mail delivery is configured in a cluster.
[]> setup

Choose the default interface to deliver mail.
1. Auto
2. Data 1
3. dlvr1
4. dlvr2
5. dlvrmc
6. dlvrvip
IP Groups:
7. dlvr-rrgroup
[1]> 7

Demo Flow

Configuring Virtual Gateway For A Specific Destination

(Cluster Hosted_Cluster)> altsrchost

Choose the operation you want to perform:
- NEW - Create a new mapping.
- IMPORT - Load new mappings from a file.
- CLUSTERSET - Set how Virtual Gateways(tm) are configured in a cluster.
- CLUSTERSHOW - Display how Virtual Gateways(tm) are configured in a cluster.
[]> new

Enter the Envelope From address or client IP address for which you want to set up a Virtual Gateway(tm) mapping. Partial addresses such as "@example.com", "@.com", "user@", or "[email protected]" are allowed.
[]> @mastercard.com

Which interface do you want to send messages for @mastercard.com from?
1. Data 1
2. dlvr1
3. dlvr2
4. dlvr3
5. dlvrmc
[1]> 5

Mapping for @mastercard.com on interface dlvrmc created.

Demo Flow

Configuring Virtual Gateways Using Content Filters


Be A Good Citizen

Wake up your idea! (Get your act together!)

No lah, where got? (I can't, I don't have the time for that!)

Come I clap for you.

Your Delivery Infrastructure Is More Than Just SMTP!

The Devil Is In The Details

• The Certificate Conundrum

certconfig yadda yadda

  • Use proper, CA-issued certificates – more and more peers discriminate against self-signed certs
  • Listener/delivery interface certificates should indicate their FQDN in CN or SAN field
  • If possible, avoid using wildcard certificates
  • DANE and SMTP-STS will not work with wildcard certificates

• TLS and CES
  • Cisco will provide GoDaddy certificates for your CES hostnames free of charge
  • You need a certificate naming both your domain and your .iphmx.com hosts?
    • Generate a CSR with both domains
    • Submit a Domain Authorisation Letter to Cisco to allow you to use .iphmx.com objects in your TLS certificate
    • Domain Authorisation Letter template will be provided by your CA

• WHOIS data – especially abuse contacts!!

$ whois cisco.com
Domain Name: CISCO.COM
Registry Domain ID: 4987030_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Updated Date: 2017-05-11T05:15:34Z
Creation Date: 1987-05-14T04:00:00Z
Registry Expiry Date: 2018-05-15T04:00:00Z
Registrar: CSC Corporate Domains, Inc.
Registrar IANA ID: 299
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: 8887802723
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited

• Working postmaster@, abuse@

Network Working Group                                        D. Crocker
Request for Comments: 2142                     Internet Mail Consortium
Category: Standards Track                                      May 1997

MAILBOX NAMES FOR COMMON SERVICES, ROLES AND FUNCTIONS

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

ABSTRACT

This specification enumerates and describes Internet mail addresses (mailbox name @ host reference) to be used when contacting personnel at an organization. Mailbox names are provided for both operations and business functions. Additional mailbox names and aliases are not prohibited, but organizations which support email exchanges with the Internet are encouraged to support AT LEAST each mailbox name for which the associated function exists within the organization.

• DNSSEC – it’s cool, because it can give you DANE!

• IPv6? Don’t forget DNS! https://engineering.linkedin.com/email/sending-and-receiving-emails-over-ipv6

• You’re a big sender? Join the global efforts!
  • IETF working groups
  • M3AAWG - https://www.m3aawg.org/
  • Certified Senders Alliance - https://certified-senders.org/

Industry Best Practice Documents

A whole lot of reading to do…

• MAAWG Sender Best Communication Practices: https://www.m3aawg.org/sites/default/files/document/M3AAWG_Senders_BCP_Ver3-2015-02.pdf

• MAAWG Anti-Phishing Best Practices for ISPs and Mailbox providers: https://www.m3aawg.org/sites/default/files/M3AAWG_AWPG_Anti_Phishing_Best_Practices-2015-06.pdf

• MAAWG DKIM guidelines: https://www.m3aawg.org/sites/default/files/m3aawg-key-implementation-bp-revised-2017-07.pdf

• Gmail Postmaster Tools: https://support.google.com/mail/answer/6227174

• Gmail Bulk Sender Guidelines: https://support.google.com/mail/answer/81126

• Yahoo Postmaster: https://help.yahoo.com/kb/postmaster

Q & A

Thank you