Electronic Mail Gateway Security Reference Architecture

Federal Network Security
Federal Interagency Technical Reference Architectures
Electronic Mail Gateway Security Reference Architecture
Version 1.0
12/12/2011

Department of Homeland Security
National Cyber Security Division
Federal Network Security
Network & Infrastructure Security

Electronic Mail Gateway Reference Architecture v1.0

Revision History

Date        Version  Description      Approved By
12/12/2011  1.0      Initial Version  CS&C

Table of Contents

ACKNOWLEDGEMENTS
    STAKEHOLDERS
    PARTICIPANTS
1 PURPOSE AND SCOPE
2 ELECTRONIC MAIL GATEWAY ARCHITECTURAL COMPONENTS
    2.1 SYSTEM OVERVIEW
    2.2 INBOUND MAIL TRANSFER AGENT (MTA)
    2.3 OUTBOUND MAIL TRANSFER AGENT (MTA)
    2.4 BILATERAL MAIL RELAY/EXCHANGER (MTA)
    2.5 MOBILE MESSAGING
3 SECURITY PATTERNS
    3.1 SECURITY USE CASES
        3.1.1 Pattern 1: Inbound Electronic Mail
        3.1.2 Pattern 2: Outbound Electronic Mail
        3.1.3 Pattern 3: Mobile Messaging
    3.2 SECURITY ARCHITECTURE COMPONENTS
        3.2.1 Pipeline Structure
        3.2.2 Data Loss Prevention
        3.2.3 Content Compliance
        3.2.4 Malware Filtering
        3.2.5 Domain Validation
        3.2.6 SPAM Filtering
        3.2.7 Agency Specific Modules
    3.3 SECURITY REQUIREMENTS
        3.3.1 Inbound Gateway Mail Transfer Agent (MTA) Requirements
        3.3.2 Outbound Gateway Mail Transfer Agent (MTA) Requirements
        3.3.3 Mail Submission Agent Requirements
        3.3.4 Mail Delivery Agent Requirements
        3.3.5 Mail User Agent Requirements
        3.3.6 Domain Name System (DNS) Requirements
        3.3.7 Firewall Requirements
        3.3.8 Logging Requirements
        3.3.9 System Monitoring and Control
        3.3.10 Archiving Requirements
        3.3.11 Audit Requirements
4 SYSTEMIC THREATS & MITIGATIONS
5 SECURITY CONFIGURATION
6 APPENDIX A: SAMPLE SPF RECORDS
7 APPENDIX B: SAMPLE DKIM DOMAIN RECORD ENTRY
8 APPENDIX C: ACRONYMS – COMMON ABBREVIATIONS
9 APPENDIX D: GLOSSARY – COMMON TERMS AND DEFINITIONS
10 APPENDIX E: SELECTED EXISTING GUIDANCE
    10.1 LEGISLATION
    10.2 POLICIES, DIRECTIVES, REGULATIONS, AND MEMORANDA
    10.3 STANDARDS
    10.4 GUIDELINES
    10.5 IETF RFCS

Figures

FIGURE 1 - MAIL SYSTEM FUNCTIONAL COMPONENTS
FIGURE 2 - SMTP TRANSFER MODEL
FIGURE 3 - INBOUND MTA PIPELINE
FIGURE 4 - OUTBOUND MTA PIPELINE

Acknowledgements

This document is the product of a multi-agency collaboration to provide guidance for the successful and secure implementation of Electronic Mail Gateways at Federal civilian agencies. It further expands on the Critical and Recommended Content Filtering capabilities found in the Trusted Internet Connections (TIC) Reference Architecture v2. This document will be reviewed annually and updated when necessary to incorporate required capabilities and applicable interoperability standards.

Stakeholders

  • All Federal civilian agencies
  • Office of Management and Budget (OMB), Office of E-Government and Information Technology
  • Federal Chief Information Office (CIO) Council
  • Federal Small Agency CIO Council
  • Department of Homeland Security (DHS) National Cyber Security Division (NCSD)
  • Federal Systems Security Governance Board (FSSGB)
  • DHS Information Systems Security Line of Business (ISS LoB)
  • DHS United States Computer Emergency Readiness Team (US-CERT)
  • General Services Administration (GSA) Information Technology Infrastructure Line of Business (ITI LoB)

Participants

Name               Agency
Jim Quinn          DHS
Eric Pratsch       SRA-Touchstone
Marilyn Rose       DHS
Robert Moore       SRA-Touchstone
Oscar Ahumada      DHS
Marcos Evangelista STATE
Sean Donelan       DHS
Janice Ousley      Treasury/IRS
