Email Best Practices - GitHub Pages (afnog.github.io/sse/postfix/email_best_practices.pdf)
Email Best Practices – Kevin Chege
Why your email setup is critical
• Billions of SPAM emails are generated every day
• The tips here can help you to reduce the chances of you receiving SPAM email or inadvertently being the source of SPAM emails
• Because email is so efficient, it's now used to send malware, ransomware, worms etc.
• For example: WannaCrypt!
SPF
• SPF – Sender Policy Framework
• SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS).
• @ IN TXT "v=spf1 include:gmail.com ip4:1.2.3.4 mx -all"
• The above will only allow mail from IP 1.2.3.4 and any server in the domain with an MX record
• If not sure, use a generation tool online
• http://www.mtgsy.net/dns/spfwizard.php
DomainKeys Identified Mail (DKIM)
• DKIM (DomainKeys Identified Mail) is an authentication mechanism to help protect both email receivers and email senders from forged and phishing email.
• It is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam.
• DKIM allows the receiver to check that an email claimed to come from a specific domain was indeed authorized by the owner of that domain, which is done using cryptographic authentication.
• Verification is carried out using the signer's public key published in the DNS. A valid signature guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed.
DMARC
• Stands for "Domain-based Message Authentication, Reporting & Conformance"
• It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author ("From:") domain name and published policies for recipient handling of authentication failures
• Another IETF standard designed to combat growing spam
• More at http://dmarc.org
Why is DMARC important
• Allows domain owners to:
  • Signal that they are using email authentication (SPF, DKIM)
  • Provide an email address to gather feedback about messages using their domain – legitimate or not
  • A policy to apply to messages that fail authentication (report, quarantine, reject)
• Allow email receivers to:
  • Be certain a given sending domain is using email authentication
  • Consistently evaluate SPF and DKIM along with what the end user sees in their inbox
  • Determine the domain owner's preference (report, quarantine or reject) for messages that do not pass authentication checks
  • Provide the domain owner with feedback about messages using their domain
DMARC Flow Chart
https://dmarc.org/overview/
SPF, DKIM and DMARC
• All published in DNS!
• SPF sample:
  $ dig TXT facebook.com
  "v=spf1 redirect=_spf.facebook.com"
• DKIM sample:
  $ dig google._domainkey.protodave.com TXT
  google._domainkey.protodave.com. 3600 IN TXT "v=DKIM1\;k=rsa\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhArxYH88+A76Gk7/8ENefN5RhMFhoYJp8T3KLPYYpejDI45PKWTO+2r8ZJZOtuk7tsG07bmJyU8PFvU48Lf1xtb4WcFxKKjd7N5MF6JcHD51Xb8XDAJA2ldqxH4hBbw9dRjsT7WBFXbp2x6MSWxgi9f1w+7Z2IFG+AtUjrf8/9N3gLieaZKZT1SEhR8TnhfOm""FG0LfMyS0YtfHKrkUkBCEmWBPisB2CcZBShKr6/T8/UB/oZF8XMRd0NOsru9MGx9Yp89jIYS5YRuvbA0/TLgOOiqrSU5Ms1egMwfFyy4BMDUKayZzF6BxNPc/+UoFrYHKRZpyD/kEd4FXNEddlksQIDAQAB"
• DMARC sample:
  $ dig TXT _dmarc.google.com
  "v=DMARC1;p=reject;pct=100;rua=mailto:[email protected]"
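To make the SPF and DMARC samples above concrete, here is an added example (not code from the slides) that parses records of both kinds and lists the settings a domain owner should look at: a missing or permissive `all` term, the `ptr` mechanism, `p=none`, and a missing `rua` address. The sample records in the tests are constructed strings, not live DNS lookups.

```python
# Added example (not from the original slides): parse SPF and DMARC records.
import re

def parse_spf(txt):
    """Return ([(qualifier, mechanism, argument), ...], qualifier of 'all')."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qual = [], None
    for term in terms[1:]:
        m = re.match(r"^([+\-~?]?)([A-Za-z0-9]+)(?:[:=/](.*))?$", term)
        if not m:
            raise ValueError("malformed SPF term: " + term)
        qual, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech == "all":
            all_qual = qual  # "-" hard fail, "~" soft fail, "+" passes everyone
        else:
            mechanisms.append((qual, mech, arg))
    return mechanisms, all_qual

def spf_findings(txt):
    """Settings a defender should look at in an SPF record."""
    mechanisms, all_qual = parse_spf(txt)
    names = {mech for _, mech, _ in mechanisms}
    findings = []
    # A record that redirects delegates its 'all' to the target record.
    if "redirect" not in names and all_qual in (None, "+", "?"):
        findings.append("unlisted hosts are not rejected; end with -all or ~all")
    if "ptr" in names:
        findings.append("ptr mechanism is slow and discouraged by RFC 7208")
    return findings

def parse_dmarc(txt):
    """Return the tag=value pairs of a v=DMARC1 record as a dict."""
    pairs = [p.partition("=") for p in txt.strip().strip('"').split(";") if p.strip()]
    tags = {k.strip(): v.strip() for k, _, v in pairs}
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def dmarc_findings(txt):
    """Settings a defender should look at in a DMARC record."""
    tags, findings = parse_dmarc(txt), []
    if tags.get("p") == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    elif tags.get("p") not in ("quarantine", "reject"):
        findings.append("missing or unknown p= tag")
    if "rua" not in tags:
        findings.append("no rua= address, so you get no aggregate reports")
    return findings
```

Feed it the output of `dig TXT <name>` (with the surrounding quotes) to review your own domain's records before publishing changes.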
Reverse Records
• Have reverse records (PTR) for your mail server so that it is resolvable from the IP
• Mandatory by most servers these days
• Used to verify authenticity of the sending mail server
• The IP address must resolve back to the mail server name
• You can have multiple reverse records
• You can have an SPF record that states that any IP that has a reverse record can send email from your domain
• IN TXT "v=spf1 ptr:domain.co.tz ip4:1.2.3.4 mx -all"
Use Anti-Spam and Anti-Virus software
• Will reduce overall spam and email received
• You can also have a mail "firewall" or gateway, aka Mail Filter, to stop spam before it reaches your server
• Some software packages are:
  • SpamAssassin (Anti-Spam) – renowned anti-spam filter
  • ClamAV (Anti-Virus) – renowned antivirus
  • MailScanner and Amavisd (rely on the above)
• When set up, try a penetration testing site to see how well your server can protect you from SPAM and viruses
Greylisting
• Valid mail servers will have no problem if the receiving server gives a soft error (4xx)
• They will attempt to send the mail again after some time
• Greylisting configured on a receiving mail server will give a soft error (4xx) to the sending server and store the IP/hostname of the sending server in a file
• If the sending server returns again after some time (can be specified, usually 5 min) the email is accepted
• Used as a measure to deny mail from bots that are compromised to send mass mail. They often do not try again if the server did not accept the mail
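The greylisting decision described above, as an added example (not code from the slides): it keys on the (client IP, MAIL FROM, RCPT TO) triplet as most implementations do, defers the first attempt with a 4xx reply, and accepts a retry only after the configured delay. The clock is injectable and the attempts are constructed, so it runs offline.

```python
# Added example (not from the original slides): greylisting keyed on the
# (client IP, MAIL FROM, RCPT TO) triplet, with an injectable clock for testing.
import time

TEMP_FAIL = "450 4.7.1 Greylisted, please try again later"   # soft error (4xx)
ACCEPT = "250 OK"

class Greylist:
    def __init__(self, delay=300, expire=86400, clock=time.time):
        self.delay = delay        # sender must wait this long before retrying (5 min)
        self.expire = expire      # forget first attempts that are never retried
        self.clock = clock
        self.pending = {}         # triplet -> time of first attempt
        self.allowed = set()      # triplets that retried after the delay

    def check(self, ip, mail_from, rcpt_to):
        """Return the SMTP reply the server should give for this attempt."""
        key = (ip, mail_from.lower(), rcpt_to.lower())
        now = self.clock()
        if key in self.allowed:
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.expire:
            self.pending[key] = now       # first (or stale) attempt: defer it
            return TEMP_FAIL
        if now - first < self.delay:
            return TEMP_FAIL              # retried too soon: keep deferring
        self.allowed.add(key)             # real MTA behaviour: whitelist the triplet
        del self.pending[key]
        return ACCEPT

# Constructed attempts (seconds, client IP, MAIL FROM, RCPT TO): a real MTA
# that retries after the delay, and a spam bot that never comes back.
SAMPLE_ATTEMPTS = [
    (0,   "198.51.100.7", "alice@example.net", "bob@example.org"),
    (60,  "198.51.100.7", "alice@example.net", "bob@example.org"),  # too soon
    (400, "198.51.100.7", "alice@example.net", "bob@example.org"),  # accepted
    (401, "203.0.113.9",  "promo@example.com", "bob@example.org"),  # bot, deferred
    (402, "198.51.100.7", "alice@example.net", "bob@example.org"),  # already allowed
]

def simulate(attempts, delay=300):
    """Replay timed attempts through one Greylist and return the replies."""
    now = [0.0]
    gl = Greylist(delay=delay, clock=lambda: now[0])
    replies = []
    for t, ip, mail_from, rcpt_to in attempts:
        now[0] = float(t)
        replies.append(gl.check(ip, mail_from, rcpt_to))
    return replies
```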
Accept only well-formatted messages
• Sender must be a valid name, not an IP, i.e. [email protected]
• Mail server HELO name must be resolvable, i.e. FQDN
• Server identification must resolve, i.e. HELO/EHLO name must be resolvable
• Email should be from a valid email address format, e.g. [email protected]@example
Security
• Run secure pages from the mail server and secure SMTP to clients
  • Secure Webmail – port 443
  • Secure SMTP – port 465/587
• Force clients to use secure IMAP or secure POP
  • Secure POP – port 995
  • Secure IMAP – port 993
• Require authentication on your mail server before a mail enters the queue from a sending client, aka SMTP AUTH
• Lock down your box and block all unnecessary ports
Use Blacklist databases
• Use DNSBL – DNS Based Blackhole Lists, or RBL (Real Time Blackhole Lists), to deny mail from well known spamming machines
• Some well known good ones are:
  • SORBS – http://sorbs.net
  • SPAMHAUS – http://spamhaus.org
  • SPAMCOP – http://spamcop.net
  • MANITU – http://manitu.net
Require strong passwords
• Advise users to use strong passwords or passphrases for their email
• Alphanumeric passwords are better than normal passwords, i.e. combine letters with numbers
• Passphrases are even better, more difficult to break
Backup and Redundancy
• Have multiple MX records so that your server is not the only one able to receive mail for you
• Backup your mail; use tools like Rsync to copy mail to another server as often as you can
• Ensure your DNS records (MX, NS etc.) are correct and test them when you complete your setup
• Use online tests like
  • http://intodns.net
The question of Ethics
• As an email administrator, it's easy to view other people's email at any time with admin rights
• Emails are intended by the sender for the recipient(s) and many senders are oblivious to the fact that their email can be intercepted along the way
• Hence the need for encryption
• As an email administrator, you should be professional and maintain ethics and etiquette
References
• Wikipedia
• http://www.linuxmagic.com/best_practices
• Further reading:
  • DMARC: https://dmarc.org/
  • https://en.wikipedia.org/wiki/DMARC
  • SpamAssassin - http://spamassassin.apache.org/
  • ClamAV - https://www.clamav.net/
  • AmavisD - https://www.ijs.si/software/amavisd/
  • https://protodave.com/security/checking-your-dkim-dns-record/