1
Information Systems 7/1/03 Tom Coppeto
MIT Mail System
Security Issues
1 July 2003
2
Agenda
• Introduction to the mail system
• Authentication
• Virus Filtering
3
The Mail System
[Diagram of the mail system: Internet, DMZ (MX mit.edu), Mailhub, Outgoing, Post Office, MIT Users, Other MIT Mailers]
4
The Mail System Acronymified
[Same diagram with each component labelled by role: Internet MTA, MTA (DMZ), MTA (Mailhub), MTA (Outgoing), MTA/MDA and MAA (Post Office), MUA/MSA (MIT Users), Other MIT MTA]
MUA: Mail User Agent
MSA: Mail Submission Agent
MTA: Mail Transfer Agent
MDA: Mail Delivery Agent
MAA: Mail Access Agent
5
SMTP Authentication
• MIT mail relays abused by spammers
• Outgoing is a quasi-open relay
• Need to further tighten Outgoing to stop this
• The answer is SMTP authentication
• Only authorized users should be allowed to act as an MSA, and no MTA should permit open relaying
6
SMTP Authentication (2)
• Benefits:
  – Reduction in mail abuse
  – Protected transfer of email messages
  – Gets around ISPs who filter normal SMTP traffic
• Costs:
  – Additional complexity in configuration (though not much)
  – Older applications will need updating
  – System-to-system mail will require more work
7
SMTP Authentication (3)
• Secure transport (encryption)
• Authentication
8
SMTP Secure Transport
• The great thing about standards is that there are so many to choose from
• SMTPS
  – Tunnels SMTP within secure transport (SSL)
  – Supported by some clients such as Outlook, Entourage and Apple Mail
• SMTP/TLS
  – RFC 3207
  – Negotiates secure transport within SMTP (port 25)
  – Supported by some clients such as Eudora 5.1 and Apple Mail
• The moral of the story is switch to a Mac
9
Ports For Every Harbor
• SMTP (25)
  – Traditional standard for mail transport and submission
  – IETF standards include STARTTLS
• SMTPS (465)
  – Intended for SMTP over SSL
  – Revoked by the IETF
  – Some apps still use this
• SMTP/TLS (587)
  – "submission" (MSA) port
  – Deprecated in favor of 25
• ISPs block 25, so this doesn't solve the roaming problem, and ISPs don't allow you to maintain your own identity
• "It may be that the SMTP transport will self-destruct by failing to provide connectivity sufficient to be useful" – Bob Frankston
10
Our Goals
• Secure transport for all MSA transactions
• Require authentication
• Support popular applications such as
  – Outlook
  – Eudora
  – Entourage
  – Apple Mail
  – Netscape
• MIT users to be able to roam about Interland without:
  – Loss of identity
  – Difficult reconfiguration
  – Special network setups
11
Our Solution
• Support SMTPS on 465
  – This may wither away
• Support STARTTLS on 587
  – STARTTLS is a current standard
  – 587, although deprecated, is in widespread use as the MSA port
  – We won't permit STARTTLS to negotiate insecure connections
• Deprecate port 25
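The submission policy on this slide, as an added example that is not MIT's configuration: a toy MSA command handler in Python that refuses AUTH until STARTTLS has completed and refuses MAIL FROM until the client has authenticated, so an unauthenticated or cleartext client can never relay. It models the policy only (the STARTTLS step flips a flag instead of starting TLS, the credential store is a constructed dictionary rather than the KDC, and the hostname msa.example.edu is made up); AUTH PLAIN stands in for the "username/password tunneled within SSL" path.

```python
"""Toy MSA command handler modelling the submission policy: STARTTLS before
AUTH, AUTH before MAIL.  Constructed example; no sockets, no real TLS."""
import base64

# Constructed credential store; a real MSA would check the KDC instead.
USERS = {"alice": "correct horse"}


class SubmissionSession:
    """Tracks one client's state through EHLO -> STARTTLS -> AUTH -> MAIL."""

    def __init__(self):
        self.tls = False   # set once STARTTLS has "completed"
        self.user = None   # set once AUTH has succeeded

    def ehlo_response(self):
        # Before TLS the only extension advertised is STARTTLS, so a client
        # that reads capabilities from EHLO is never offered AUTH in the clear.
        lines = ["250-msa.example.edu"]
        lines.append("250 AUTH PLAIN" if self.tls else "250 STARTTLS")
        return "\r\n".join(lines)

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return self.ehlo_response()
        if verb == "STARTTLS":
            if self.tls:
                return "454 TLS already active"
            self.tls = True    # the real server hands the socket to TLS here
            self.user = None   # RFC 3207: session state is reset after STARTTLS
            return "220 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:
                return "530 Must issue a STARTTLS command first"
            return self._auth(arg)
        if verb == "MAIL":
            if self.user is None:
                return "530 Authentication required"
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"

    def _auth(self, arg):
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 Unrecognized authentication type"
        try:
            _authzid, user, password = base64.b64decode(blob).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 Malformed AUTH input"
        if USERS.get(user) == password:
            self.user = user
            return "235 Authentication successful"
        return "535 Authentication failed"


def plain_blob(user, password):
    """Encode an AUTH PLAIN initial response (empty authzid)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def run_dialog(commands):
    """Feed client commands to a fresh session; return (command, reply) pairs."""
    session = SubmissionSession()
    return [(cmd, session.handle(cmd)) for cmd in commands]


if __name__ == "__main__":
    creds = plain_blob("alice", "correct horse")
    for cmd, reply in run_dialog([
            "EHLO laptop", "AUTH PLAIN " + creds, "STARTTLS", "EHLO laptop",
            "MAIL FROM:<alice@example.edu>", "AUTH PLAIN " + creds,
            "MAIL FROM:<alice@example.edu>", "QUIT"]):
        print("C:", cmd)
        print("S:", reply)
```

Running the module prints the full dialog: the first AUTH and the first MAIL FROM draw 530 replies, and only the MAIL FROM issued after STARTTLS and a successful AUTH is accepted.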
12
Future Issues
• This area is a mess
  – Applications vary
  – Spammers & witch hunts for open relays
  – Changing standards
  – ISP filtering
    • May get more sophisticated than a simple port filter
    • ISPs are not interested in you being able to easily switch providers
• We'll see one of two things:
  – New protocols & ports
  – Greater dependence on web solutions
13
SMTP Authentication
• The MIT MSA supports Kerberos V5 for user authentication
  – A username/password may be tunneled within SSL and checked with the KDC
  – A Kerberos credential may be presented
    • GSSAPI
    • Only Eudora supports this
  – Not supporting certificates at this time
• The recommendation is to make the authentication method symmetric between mail download (IMAP) and mail submission
14
SMTP Authentication: Messages
Received: from mit.edu (vw.mit.edu [18.18.18.18])
    (authenticated bits=0)
    (User authenticated as [email protected])
    by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5UFAwaT002423
    (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT)
    for <[email protected]>; Mon, 30 Jun 2003 11:10:58 -0400 (EDT)
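A parser for the clauses shown in that header, added here as an example rather than anything from the slides: it unfolds a Received header, pulls out the authenticated user and the TLS version, cipher, key bits and client-certificate verification status that sendmail records, and decides whether the hop counts as an authenticated, encrypted submission. The sample header is constructed in the same layout as the one above; the addresses in it are placeholders, and the 128-bit threshold is this example's own choice.

```python
"""Parse the authentication and TLS clauses sendmail records in a Received
header and check the hop against a submission policy.  Constructed example."""
import re

# Constructed sample, folded onto continuation lines as mail software does.
SAMPLE = """Received: from mit.edu (vw.mit.edu [18.18.18.18])
\t(authenticated bits=0)
\t(User authenticated as alice@example.edu)
\tby melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5UFAwaT002423
\t(version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT)
\tfor <bob@example.edu>; Mon, 30 Jun 2003 11:10:58 -0400 (EDT)"""

AUTH_RE = re.compile(r"\(User authenticated as (?P<user>[^)\s]+)\)")
TLS_RE = re.compile(
    r"\(version=(?P<version>[^\s)]+)\s+cipher=(?P<cipher>[^\s)]+)"
    r"\s+bits=(?P<bits>\d+)\s+verify=(?P<verify>[^\s)]+)\)")
BY_RE = re.compile(r"\bby\s+(?P<by>[^\s(]+)")


def unfold(header):
    """Join RFC 2822 continuation lines (leading whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_received(header):
    """Return the auth/TLS facts recorded in one Received header.
    Fields are None (bits 0) when the corresponding clause is absent."""
    text = unfold(header)
    auth = AUTH_RE.search(text)
    tls = TLS_RE.search(text)
    by = BY_RE.search(text)
    return {
        "by": by.group("by") if by else None,
        "user": auth.group("user") if auth else None,
        "tls_version": tls.group("version") if tls else None,
        "cipher": tls.group("cipher") if tls else None,
        "bits": int(tls.group("bits")) if tls else 0,
        # sendmail writes verify=OK only when a client certificate was
        # presented and verified; verify=NOT means none was requested.
        "client_cert_verified": tls.group("verify") == "OK" if tls else False,
    }


def is_authenticated_submission(info, min_bits=128):
    """True when the hop was both authenticated and encrypted with at least
    min_bits of symmetric key.  verify=NOT is acceptable here because the
    MSA authenticates the user by password or Kerberos, not by certificate."""
    return (info["user"] is not None
            and info["tls_version"] is not None
            and info["bits"] >= min_bits)


if __name__ == "__main__":
    info = parse_received(SAMPLE)
    for key, value in info.items():
        print(f"{key:>21}: {value}")
    print("authenticated submission:", is_authenticated_submission(info))
```

The same parser returns all-None fields for an ordinary relay hop that carries neither clause, which is the case a filter on the Post Office side would treat as unauthenticated.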
15
SMTP Auth Configuration Example
• Apple Mail
16
SMTP Auth Configuration Example
• Eudora
17
Other Challenges
• Outgoing accepts email addressed from *.mit.edu rather than only mit.edu
  – Many alumni are using this to keep their @alum.mit.edu identity
  – We'll have to do something here, which may bring us back to the alum.mit.edu vs. mit.edu issue
• MTAs masquerading as MSAs
  – They should stop doing that
• Use of sendmail as an MSA
  – Where possible, users should use apps with a built-in MSA (as opposed to mh->sendmail)
  – Where possible, the MTA should be running on the client machine (e.g. sendmail does direct delivery)
  – Possible certificate-based solution for the rest
18
SMTP Authentication: Next Steps
• Solidify recommended configurations for known applications
• Modify configurations to use a flavor of SMTP authentication by default
• Make this the recommended solution for existing users
  – Now we have an answer for ISP problems
• Campaign to have MIT users upgraded by July 1, 2004
19
Viruses
• We are filtering several known viruses at the border
  – Looking for identifying signatures
  – CPU intensive
• Then came Bugbear
  – No consistent signature to filter
  – Extension filtering (.scr, .pif, .exe) remains the most effective known measure, although we are being a bit more precise than this for now
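The extension filter this slide describes, as an added example that is not MIT's border filter: a Python routine that walks every MIME part of a message and reports attachments whose filename ends in a blocked extension. The blocklist starts from the three extensions named on the slide; the additional Windows executable types, the sample messages and the addresses in them are this example's own constructions. It normalises case ("Setup.SCR"), trailing dots and spaces, and padded double extensions ("photo.jpg   .exe"), the ways a worm's attachment name commonly differs from a plain ".exe".

```python
"""Block mail attachments by filename extension.  Constructed example; the
blocklist extends the slide's .scr/.pif/.exe with other directly executable
Windows types, and the sample messages are built inline."""
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# .scr, .pif and .exe are from the slide; the rest are this example's additions.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".exe", ".com", ".bat", ".cmd", ".vbs"}


def blocked_reason(filename):
    """Return the offending extension if filename should be blocked, else None.
    Case is ignored, trailing dots/spaces (which Windows drops) are removed,
    and only the final suffix decides, so 'photo.jpg   .exe' is caught."""
    if not filename:
        return None
    name = filename.strip().lower().rstrip(". ")
    _root, dot, suffix = name.rpartition(".")
    if not dot:
        return None
    ext = "." + suffix.strip()
    return ext if ext in BLOCKED_EXTENSIONS else None


def find_blocked_attachments(msg):
    """Walk every MIME part and return [(filename, ext), ...] for parts whose
    filename (Content-Disposition filename or Content-Type name) is blocked."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        ext = blocked_reason(filename)
        if ext:
            hits.append((filename, ext))
    return hits


def build_sample(attachments):
    """Construct a multipart message carrying (filename, bytes) attachments and
    round-trip it through bytes so the filter sees what arrives on the wire."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.edu"
    msg["To"] = "recipient@example.edu"
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("See attached."))
    for name, data in attachments:
        part = MIMEApplication(data, "octet-stream")
        part.add_header("Content-Disposition", "attachment", filename=name)
        msg.attach(part)
    return message_from_bytes(msg.as_bytes())


if __name__ == "__main__":
    sample = build_sample([("report.pdf", b"%PDF-1.4 constructed"),
                           ("photo.jpg   .exe", b"MZ constructed"),
                           ("Setup.SCR", b"MZ constructed")])
    for name, ext in find_blocked_attachments(sample):
        print(f"blocked attachment {name!r}: extension {ext}")
```

This is the blunt instrument the slides describe: it blocks by name only, so it cannot see an executable inside an archive or one that lies about its extension, which is why the next slide concludes that refusing all executable programs is the only measure left.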
20
Where Do We End Up?
• Content filtering for viruses has proven less effective
• The only measure we have left is to prevent the delivery of all executable programs
• We can be proactive in getting the word out
• Or, we can wait until a more advanced version of Bugbear is released, when we'll be forced to implement this anyway
• Let's get the word out
21
Conclusions
• Authentication is good
• Viruses are bad
any questions?