Slide 1: MIT Mail System Security Issues
Information Systems 7/1/03 Tom Coppeto
1 July 2003
Slide 2: Agenda
- Introduction to the mail system
- Authentication
- Virus filtering
Slide 3: The Mail System
(Diagram; labels only survive.) Components: Mailhub, Internet, MIT Users, DMZ (MX mit.edu), Outgoing, Post Office, Other MIT Mailers
Slide 4: The Mail System, Acronymified
(Diagram; labels only survive.) Components: MTA, Internet, MTA, MUA/MSA, MAA, MTA, MTA/MDA, Other MIT MTA
Legend:
- MUA: Mail User Agent
- MSA: Mail Submission Agent
- MTA: Mail Transfer Agent
- MDA: Mail Delivery Agent
- MAA: Mail Access Agent
Slide 5: SMTP Authentication
- MIT mail relays abused by spammers
- Outgoing is a quasi-open relay
- Need to further tighten Outgoing to stop this
- The answer is SMTP authentication
- Only authorized users should be allowed to be an MSA, and no MTA should permit open relaying
Slide 6: SMTP Authentication (2)
- Benefits:
  – Reduction in mail abuse
  – Protected transfer of email messages
  – Gets around ISPs who filter normal SMTP traffic
- Costs:
  – Additional complexity in configuration (though not much)
  – Older applications will need updating
  – System-to-system mail will require more work
Slide 7: SMTP Authentication (3)
- Secure transport (encryption)
- Authentication
Slide 8: SMTP Secure Transport
The great thing about standards is that there are so many to choose from.
- SMTPS
  – Tunnels SMTP within secure transport (SSL)
  – Supported by some clients such as Outlook, Entourage and Apple Mail
- SMTP/TLS
  – RFC 3207
  – Negotiates secure transport within SMTP (port 25)
  – Supported by some clients such as Eudora 5.1 and Apple Mail
The moral of the story is: switch to a Mac.
Slide 9: Ports For Every Harbor
- SMTP (25)
  – Traditional standard for mail transport and submission
  – IETF standards include STARTTLS
- SMTPS (465)
  – Intended for SMTP over SSL
  – Revoked by the IETF
  – Some apps still use this
- SMTP/TLS (587)
  – "submission" (MSA) port
  – Deprecated in favor of 25
- ISPs block 25, so this doesn't solve the roaming problem, and ISPs don't allow you to maintain your own identity
"It may be that the SMTP transport will self-destruct by failing to provide connectivity sufficient to be useful" – Bob Frankston
Slide 10: Our Goals
- Secure transport for all MSA transactions
- Require authentication
- Support popular applications such as:
  – Outlook
  – Eudora
  – Entourage
  – Apple Mail
  – Netscape
- MIT users to be able to roam about Interland without:
  – Loss of identity
  – Difficult reconfiguration
  – Special network setups
Slide 11: Our Solution
- Support SMTPS on 465
  – This may wither away
- Support STARTTLS on 587
  – STARTTLS is a current standard
  – 587, although deprecated, is in widespread use as the MSA port
  – We won't permit STARTTLS to negotiate insecure connections
- Deprecate port 25
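The policy of slides 7 through 11 (encrypted transport on 465 or 587, authentication before any submission, and no fallback to an unencrypted session) can be expressed as a small server-side state machine. The following is an added example written for this page; it is not MIT's MSA code. It models one submission session in memory with no sockets: a port of 465 stands in for an SSL-wrapped connection, STARTTLS on 587 flips the same flag, and the hypothetical user, password, and host name `msa.example.test` are constructed placeholders for the KDC check on slide 13.

```python
import base64

# Constructed stand-in for the "check with the KDC" step on slide 13: a
# hypothetical user and password, not a real account.
PASSWORDS = {"user@EXAMPLE.TEST": "correct-horse-battery"}


def plain_blob(user, password):
    """Encodes credentials as an AUTH PLAIN initial response (RFC 4616 layout)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


class SubmissionSession:
    """In-memory model of one MSA session; handle() returns the server reply
    for each client command. The tls flag records whether the transport is
    secured, either by the port (465 = SMTPS, already wrapped in SSL) or by a
    successful STARTTLS on 587."""

    def __init__(self, port=587):
        if port not in (465, 587):
            raise ValueError("submission is accepted on 465 or 587 only; 25 is deprecated")
        self.tls = port == 465
        self.greeted = False
        self.user = None

    def handle(self, line):
        parts = line.strip().split(None, 1)
        verb = parts[0].upper() if parts else ""
        arg = parts[1] if len(parts) > 1 else ""

        if verb == "EHLO":
            self.greeted = True
            # Advertise AUTH only once the transport is encrypted, so a client
            # is never invited to send a password in the clear.
            caps = ["250-msa.example.test"]  # hypothetical host name
            caps.append("250-AUTH PLAIN" if self.tls else "250-STARTTLS")
            caps.append("250 8BITMIME")
            return "\r\n".join(caps)
        if not self.greeted:
            return "503 Send EHLO first"
        if verb == "STARTTLS":
            if self.tls:
                return "454 TLS already active"
            self.tls = True
            self.greeted = False  # RFC 3207: state resets, client must EHLO again
            return "220 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:
                return "530 Must issue a STARTTLS command first"
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN" or not blob:
                return "504 Unrecognized authentication type"
            try:
                _authz, authc, password = base64.b64decode(blob).decode().split("\0")
            except ValueError:
                return "501 Malformed AUTH PLAIN response"
            if PASSWORDS.get(authc) == password:
                self.user = authc
                return "235 Authentication successful"
            return "535 Authentication failed"
        if verb == "MAIL":
            if not self.tls:
                return "530 Must issue a STARTTLS command first"
            if self.user is None:
                return "530 Authentication required"  # no relaying for anonymous senders
            return "250 OK"
        return "500 Unrecognized command"


def run_session(port, commands):
    """Feeds a list of client commands to one session and returns the replies."""
    session = SubmissionSession(port)
    return [session.handle(cmd) for cmd in commands]


if __name__ == "__main__":
    creds = plain_blob("user@EXAMPLE.TEST", "correct-horse-battery")
    script = ["EHLO laptop", "AUTH PLAIN " + creds, "STARTTLS", "EHLO laptop",
              "AUTH PLAIN " + creds, "MAIL FROM:<user@example.test>"]
    for cmd, reply in zip(script, run_session(587, script)):
        print("C:", cmd[:40], "\nS:", reply.replace("\r\n", " | "))
```

The AUTH attempt before STARTTLS is refused with a 530 rather than silently accepted, and MAIL FROM without a prior 235 is refused the same way; together those two checks are what closes the quasi-open relay described on slide 5.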
Slide 12: Future Issues
- This area is a mess
  – Applications vary
  – Spammers & witch hunts for open relays
  – Changing standards
  – ISP filtering (may get more sophisticated than a simple port filter)
  – ISPs not interested in you being able to easily switch providers
- We'll see one of two things:
  – New protocols & ports
  – Greater dependence on web solutions
Slide 13: SMTP Authentication
- The MIT MSA supports Kerberos V5 for user authentication
  – A username/password may be tunneled within SSL and checked with the KDC
  – A Kerberos credential may be presented (GSSAPI); only Eudora supports this
  – Not supporting certificates at this time
- The recommendation is to make the authentication method symmetric between mail download (IMAP) and mail submission
Slide 14: SMTP Authentication: Messages
Received: from mit.edu (vw.mit.edu [18.18.18.18])
    (authenticated bits=0)
    (User authenticated as tom@ATHENA.MIT.EDU)
    by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5UFAwaT002423
    (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT)
    for ; Mon, 30 Jun 2003 11:10:58 -0400 (EDT)
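The header on slide 14 records, in one line, both properties the earlier slides require of a submission: who the client authenticated as and what transport protected it. The parser below is an added example, not MIT's or sendmail's code; it takes the slide's header (joined into one string, with the recipient after "for" already absent from the slide text) and extracts those fields, then applies a policy check. The minimum key length of 128 bits is an assumption chosen for the example, and the plain-SMTP header used as a counterexample is constructed.

```python
import re

# The header from slide 14 with its folded lines joined; the recipient after
# "for" was already missing from the slide text.
SAMPLE_RECEIVED = (
    "from mit.edu (vw.mit.edu [18.18.18.18]) (authenticated bits=0) "
    "(User authenticated as tom@ATHENA.MIT.EDU) "
    "by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5UFAwaT002423 "
    "(version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT) "
    "for ; Mon, 30 Jun 2003 11:10:58 -0400 (EDT)"
)

CLIENT_RE = re.compile(r"\(([\w.-]+) \[([\d.]+)\]\)")
AUTH_RE = re.compile(r"\(User authenticated as ([^\s)]+)\)")
BY_RE = re.compile(r"\bby ([\w.-]+)")
TLS_RE = re.compile(r"\(version=(\S+) cipher=(\S+) bits=(\d+) verify=(\S+)\)")


def parse_received(header):
    """Pulls the submission-relevant fields out of one sendmail-style Received
    header: the connecting client, the authenticated user, the MTA that wrote
    the header, and the TLS parameters it negotiated."""
    h = " ".join(header.split())  # unfold continuation lines
    if h.lower().startswith("received:"):
        h = h[len("received:"):].strip()
    info = {"client_host": None, "client_ip": None, "auth_user": None, "by": None,
            "tls_version": None, "cipher": None, "bits": 0, "verify": None}
    m = CLIENT_RE.search(h)
    if m:
        info["client_host"], info["client_ip"] = m.group(1), m.group(2)
    m = AUTH_RE.search(h)
    if m:
        info["auth_user"] = m.group(1)
    m = BY_RE.search(h)
    if m:
        info["by"] = m.group(1)
    m = TLS_RE.search(h)
    if m:
        info["tls_version"], info["cipher"] = m.group(1), m.group(2)
        info["bits"], info["verify"] = int(m.group(3)), m.group(4)
    return info


def meets_submission_policy(info, min_bits=128):
    """True when the hop was both authenticated and encrypted with at least
    min_bits of key material (an assumed threshold). Only apply this to headers
    your own MTA wrote: Received lines that arrived inside the message from an
    outside sender can say anything."""
    return (info["auth_user"] is not None
            and info["tls_version"] is not None
            and info["bits"] >= min_bits)


if __name__ == "__main__":
    parsed = parse_received(SAMPLE_RECEIVED)
    for key, value in parsed.items():
        print(f"{key:12} {value}")
    print("policy ok:", meets_submission_policy(parsed))
```

In sendmail's `${verify}` macro, `NOT` means no client certificate was requested, which matches slide 13's note that certificates are not supported at this time; the user identity here therefore comes from the Kerberos check, not from a certificate.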
Slide 15: SMTP Auth Configuration Example: Apple Mail
(Screenshot of the Apple Mail configuration; not recoverable as text.)
Slide 16: SMTP Auth Configuration Example: Eudora
(Screenshot of the Eudora configuration; not recoverable as text.)
Slide 17: Other Challenges
- Outgoing supports email addressed from *.mit.edu rather than mit.edu
  – Many alumni are using this to keep their @alum.mit.edu identity
  – We'll have to do something here, which may bring us back to the alum.mit.edu vs. mit.edu issue
- MTAs masquerading as MSAs
  – They should stop doing that
- Use of sendmail as an MSA
  – Where possible, users should use apps with a built-in MSA (as opposed to mh -> sendmail)
  – Where possible, the MTA should be running on the client machine (e.g. sendmail does direct delivery)
  – Possible certificate-based solution for the rest
Slide 18: SMTP Authentication: Next Steps
- Solidify recommended configurations for known applications
- Modify configurations to use a flavor of SMTP authentication by default
- Make this the recommended solution for existing users
  – Now we have an answer for ISP problems
- Campaign to have MIT users upgraded by July 1, 2004
Slide 19: Viruses
- We are filtering several known viruses at the border
  – Looking for identifying signatures
  – CPU intensive
- Then came Bugbear
  – No consistent signature to filter
  – Extension filtering (.scr, .pif, .exe) remains the most effective known measure, although we are being a bit more precise than this for now
Slide 20: Where Do We End Up?
- Content filtering for viruses has proven less effective
- The only measure we have left is to prevent the delivery of all executable programs
- We can be proactive in getting the word out
- Or, we can wait until a more advanced version of Bugbear is released, when we'll be forced to implement this anyway
- Let's get the word out
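Slides 19 and 20 contrast signature matching, which fails when a virus has no consistent signature, with blocking attachments by file extension, which never looks at content at all. The following added example (not MIT's border filter, whose "more precise" rule the slides do not spell out) implements the extension rule named on slide 19 over a MIME message using Python's standard `email` package. The messages it checks are constructed inside the block, and the block list is exactly the three extensions from the slide.

```python
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions named on slide 19. The slide says MIT's rule is "a bit more
# precise than this" without saying how, so this list is all the example enforces.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".exe"}


def build_sample(attachment_name):
    """Builds a constructed multipart message with one attachment of the given
    name. The bytes are arbitrary: extension filtering never inspects content,
    which is why it keeps working when there is no stable signature to match."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed test message"
    msg.set_content("Body text.")
    msg.add_attachment(b"\x00\x01 constructed bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


def blocked_attachments(raw_message):
    """Returns the file names of every MIME part whose final extension is on
    the block list. The comparison is case-insensitive and uses only the last
    extension, so 'Invoice.PIF' and 'report.txt.exe' are both caught."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() consults Content-Disposition filename= first, then
        # the Content-Type name= parameter that some senders use instead.
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name.strip().lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def should_reject(raw_message):
    """Delivery decision for one message: reject if any attachment is blocked."""
    return bool(blocked_attachments(raw_message))


if __name__ == "__main__":
    for name in ("Invoice.PIF", "report.txt.exe", "notes.txt"):
        print(f"{name:16} blocked={blocked_attachments(build_sample(name))}")
```

Matching on the last extension only, after lower-casing, is what makes the rule robust against the two cheap evasions of mixed case and a decoy inner extension; it says nothing about archives or renamed files, which is the gap slide 20's "prevent the delivery of all executable programs" would have to address by other means.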
Slide 21: Conclusions
- Authentication is good
- Viruses are bad
Any questions?