SMTP STS (Strict Transport Security) vs. SMTP with DANE

© Men & Mice http://menandmice.com
email transport security
MTA-STS vs. DANE
1

© Men & Mice http://menandmice.com  
© ISC http://www.isc.org
Agenda
1. Recap: the problem with Mail Transport Security
2. SMTP MTA Strict Transport Security (MTA-STS)
3. SMTP Security via Opportunistic DNS-Based
Authentication of Named Entities (DANE)
Transport Layer Security (TLS)
4. SMTP TLS Reporting
2

the problem with email
transport security
3

Short recap
we've discussed email transport security before
see previous Webinar – "DNSSEC & DANE – E-Mail
security reloaded" (link below) for details
so here just a short recap …
4
https://www.menandmice.com/resources/webinar-dnssec-and-dane-e-mail-security/

Transport Encryption
Example of a protocol (HTTP/HTTPS) using a
dedicated port und URI for encrypted
communication
5
Port 80 - unencrypted
Port 443 - encrypted

Transport Encryption
SMTP (email) uses in-protocol signalling to
bootstrap encryption. The signalling is unsecured
and can be intercepted
6
Port 25 - unencrypted
Greeting - unencrypted
Greeting - unencrypted
Feature-List - unencrypted
Request encryption - unencrypted
Greeting - encrypted

STARTTLS interception
7
https://www.eff.org/de/deeplinks/2014/11/starttls-downgrade-attacks
https://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automatically-encrypt-your-sensitive-e-mails/
https://blog.filippo.io/the-sad-state-of-smtp-encryption/

STARTTLS weakness
the core problem:
the receiving side cannot communicate its encryption
policy
the sending side cannot infer the encryption policy, it
need to guess
solutions available/worked on in the IETF:
SMTP MTA Strict Transport Security (MTA-STS)
SMTP with DANE (MTA-DANE)
8

SMTP MTA Strict Transport
Security (MTA-STS)
draft-ietf-uta-mta-sts
9

MTA-STS
MTA-STS  
(Message-Transfer-Agent Strict-Transport-Security)
a mail receiving domain publishes its encryption
policy
•via a TXT record in DNS
•plus a JSON document on an TLS secured web-server
10
draft-ietf-uta-mta-sts
https://tools.ietf.org/html/draft-ietf-uta-mta-sts

MTA-STS for "example.com"
the administrator of the domain "example.com" will
publish a TXT-record
at the "well-known" sub-domain "_mta-sts"
containing the version number of this domains mail-
transport encryption policy
use of DNSSEC is recommended
11
_mta-sts.example.com. 900 IN TXT "v=STSv1; id=20170411;"
MTA-STS
version
encryption
policy
version

the administrator of the domain "example.com" will
also
publish a JSON document
at the "well-known" sub-domain "mta-sts" and the
path ".well-known/mta-sts.json"
12
https://mta-sts.example.com/.well-known/mta-sts.json
TLS secured
path to
JSON
document
mta-sts
domain

example content of the JSON document
13
{
"version": "STSv1",
"mode": "enforce",
"mx": [".mail.example.com"],
"max_age": 123456
}
MTA-STS
version
"enforce" or
"report"
Common Name
or Subject
Alternative Name
DNS-ID present in
the X.509
certificate
presented by any
MX receiving mail
for this domain
max
lifetime of
the policy

MTA-STS
14
sending
MTA
sending
MUA
DNS(SEC)
resolver
auth
DNS
receiving
MTA
policy
webserver
sendingdomain
receivingdomain
Internet

MTA-STS
15
sending
MTA
sending
MUA
DNS(SEC)
resolver
auth
DNS
receiving
MTA
policy
webserver
mail
delivered to
MTA

MTA-STS
16
sending
MTA
sending
MUA
DNS(SEC)
resolver
auth
DNS
receiving
MTA
policy
webserver
checks
policy
cache

MTA-STS
17
sending
MTA
sending
MUA
DNS(SEC)
resolver
auth
DNS
receiving
MTA
policy
webserver
request
mta-sts TXT
record in
DNS
_mta-sts.example.com. TXT ?
_mta-sts.example.com. 900 IN TXT "v=STSv1; id=20170411;"

MTA-STS
18
sending
MTA
sending
MUA
DNS(SEC)
resolver
auth
DNS
receiving
MTA
policy
webserver
request
JSON policy
from web
server
https://mta-sts.example.com/.well-known/mta-sts.json
verify TLS
x509
security
store policy
in cache

MTA-STS
19
sending
MTA
sending
MUA
DNS(SEC)
resolver
auth
DNS
receiving
MTA
policy
webserver
STARTTLS
SMTP
session
validate x509
certificate
against policy

MTA-STS
20
sending
MTA
sending
MUA
DNS(SEC)
resolver
auth
DNS
receiving
MTA
policy
webserver
deliver mail

SMTP Security via Opportunistic DNS-
Based Authentication of Named Entities
(DANE) Transport Layer Security (TLS)
RFC 7672
21

MTA-DANE
SMTP with DANE signals the encryption policy of a
mail-server via DNSSEC secured DNS
the TLSA record holds the full certificate (or a hash
of the certificate) which can be verified against the
certificate presented by the receiving mail server
MTA-DANE is standardised in RFC 7672 (Oct 2015)
22

MTA-DANE
23
sending
MTA
sending
MUA
DNSSEC
resolver
auth
DNS
receiving
MTA
mail
delivered to
MTA

MTA-DANE
24
sending
MTA
sending
MUA
DNSSEC
resolver
auth
DNS
receiving
MTA
MTA
requests
TLSA record
_25._tcp.mail01.example.com. TLSA
_25._tcp.mail01.example.com. TLSA 3 1 1 ( 
BDC6A9F8312BF24C81D[..]387A147 )
validate
DNSSEC
chain of
trust

MTA-DANE
25
sending
MTA
sending
MUA
DNS(SEC)
resolver
auth
DNS
receiving
MTA
STARTTLS
SMTP
session
validate x509
certificate
against TLSA
cert/hash

MTA-DANE
26
sending
MTA
sending
MUA
DNS(SEC)
resolver
auth
DNS
receiving
MTA
deliver mail

DANE success stories
Cloudmark will support
MTA-DANE in the
upcoming release 5.2
Cloudmark has about
12% global market share
(20% of mobile
accounts) in the email
business
27
https://blog.cloudmark.com/2017/03/27/dane-and-email-security/

large German mail
service provider
(web.de/gmx.de/1&1)
support MTA-DANE
over 50% market  
share in Germany
28
https://de.slideshare.net/GMX_Deutschland/e-mailstudie-2015-deutsche-anbieter-bevorzugt
https://www.heise.de/newsticker/meldung/Abhoersicherheit-Web-de-sichert-Mail-Transport-zusaetzlich-per-DANE-ab-3175333.html

the Dutch government
requests MTA-DANE
from government
agencies
29
https://www.ncsc.nl/english/current-topics/news/ncsc-publishes-factsheet-secure-the-connections-of-mail-servers.html

German "Federal Office
for Information Security"
requires MTA-DANE for
"secure e-mail"
certification
30
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03108/TR03108-1.pdf

Comparing  
MTA-STS vs. MTA-DANE
31

MTA-STS does not require DNSSEC (but it is
recommended)
MTA-STS defines a policy cache
MTA-STS requires x509 certificates that validate against a
root-CA-certificate (no "self-signed" certs)
MTA-STS requires a HTTPS server to serve the policy
JSON document
MTA-STS requires validation of the HTTPS connection to
fetch the policy document
32

MTA-DANE does require DNSSEC
MTA-DANE has no policy cache (but the TTL on TLSA
records can work as such)
MTA-DANE allows "self-signed" certificates
MTA-DANE policy can be changed by switching the TLSA-
record in DNS
MTA-DANE TLS-cert rollover need to be in sync with TLSA
record(s)
MTA-DANE relies on the trust on the DNSSEC chain
33

SMTP TLS Reporting
draft-ietf-uta-smtp-tlsrpt
34

SMTP TLS reporting
SMTP TLS reporting defines a protocol to signal a reporting channel about SMTP
encryption failures
the sending MTA can report issues with TLS encryption to the receiving MTA
operator
SMTP TLS reporting can be used with MTA-STS and MTA-DANE
Reports include:
•MITM attacks (certification mismatch)
•expired certificates
•server not answering
•certificate not validating against Root-CA
•…
35
https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt

SMTP TLS reporting
the administrator of a mail domain publishes the
reporting policy as a TXT-record in DNS
using the "well-known" subdomain "_smtp-tlsrpt"
inside the mail domain
Example (SMTP-Report): 
 
 
Example (HTTP-Report):
36
_smtp-tlsrpt.example.com. IN TXT
"v=TLSRPTv1;rua=mailto:reports@example.com"
_smtp-tlsrpt.example.com. IN TXT "v=TLSRPTv1;
rua=https://reporting.example.com/v1/tlsrpt"

SMTP TLS reporting
37
sending
MTA
sending
MUA
DNS(SEC)
resolver
auth
DNS
receiving
MTA
STARTTLS
SMTP
session
x509 certificate
fails to validate
against TLSA
cert/hash

SMTP TLS reporting
38
sending
MTA
sending
MUA
DNS(SEC)
resolver
auth
DNS
receiving
MTA
MTA requests
_smtp-tlsrpt TXT
record
_smtp-tlsrpt.example.com. TXT
_smtp-tlsrpt.example.com. IN TXT
"v=TLSRPTv1;rua=mailto:reports@example.com"

SMTP TLS reporting
39
sending
MTA
sending
MUA
DNS(SEC)
resolver
auth
DNS
receiving
MTA
deliver
report mail

SMTP TLS reporting
Example JSON-Report
40
{
"organization-name": "Company-X",
"date-range": {
"start-datetime": "2016-04-01T00:00:00Z", "end-datetime": "2016-04-01T23:59:59Z"
},
"contact-info": "sts-reporting@company-x.com", "report-id": "5065427c-23d3-47ca-b6e0-946ea0e8c4be",
"policy": {
"policy-type": "sts",
"policy-string": "{ "version": "STSv1","mode": "report", "mx": ["*.example.com"], "max_age": 86400 }",
"policy-domain": "company-y.com", "mx-host": "*.mail.company-y.com"
},
"summary": {
"success-aggregate": 5326, "failure-aggregate": 303
}
"failure-details": [{
"result-type": "certificate-expired", "sending-mta-ip": "98.136.216.25",
"receiving-mx-hostname": "mx1.mail.company-y.com", "session-count": 100
}, {
"result-type": "starttls-not-supported", "sending-mta-ip": "98.22.33.99",
"receiving-mx-hostname": "mx2.mail.company-y.com", "session-count": 200,
"additional-information": "hxxps://reports.company-x.com/report_info?id=5065427c-23d3#StarttlsNotSupported"
}]
}
reporting
company
report time-
range  
(24 hours)
contact
information
used policy
report
summary
failure
details

Next
41

Men & Mice DNS Training
•Introduction to DNS & BIND Hands-On Class
•September 18 – 20, 2017 (Zurich, Switzerland)
42
https://www.menandmice.com/training/

•Introduction & Advanced DNS and BIND Topics
Hands-On Class
•September 18 – 22, 2017 (Zurich, Switzerland)
43
https://www.menandmice.com/training/

•DNS & BIND (German Language)
•May 22 – 24, 2017, Essen, DE
•DNSSEC and DANE (German Language)
•December 4-12, 2017, Essen, DE
44
http://linuxhotel.de/

our next webinar  
Certification Authority Authorization Record
The CAA Record (Certification Authority Authorization) is used to signal
which certification authority (CA) is allowed to issue x509 certificates for
a given domain. CAA creates a DNS mechanism that enables domain
name owners to whitelist CAs that are allowed to issue certificates for
their hostnames.
Starting from September 2017, certificate issuing CA must support the
CAA record.
We will explain the CAA record, how it works, how to enter CAA into a
zone and how certification authorities are about to use the record.
Join us for a 45 minutes webinar with a Q&A session at the end, on
Thursday, May 18th, 2017 at 5:00 PM CEST/ 3:00 PM GMT/ 11:00 AM
EDT / 8:00 AM PDT.
45

Thank you!
Questions? Comments?
46

SMTP STS (Strict Transport Security) vs. SMTP with DANE

More Related Content

Similar to SMTP STS (Strict Transport Security) vs. SMTP with DANE (20)

More from Men and Mice (20)

Recently uploaded (20)

SMTP STS (Strict Transport Security) vs. SMTP with DANE