E-Mail Messaging Systems Alokes Chattopadhyay
Overview
• Email Basics
• What Makes Up An Email
• How Email Works
• What Are TCP/IP Ports
• Security
• Mail Messaging system at IIT-Kharagpur

Email Basics
• What is an Email: an electronic message transmitted over a network from one user to another.
• Can be as simple as a few lines of text, or include attachments such as pictures or documents.
• Email made up 75% of network traffic soon after the introduction of the internet.

What Makes Up An Email
• The Header
  • Who sent the email.
  • To whom the mail is sent.
  • When the email was sent.
  • The email subject.
  • The size of the email.

What Makes Up An Email
• The Body
  • Contains the message.
  • May also contain an attachment.
• Attachments
  • If not embedded within the body, attachments are sent along with the email.

How Email Works
• Different architectural models exist for constructing computer systems.
• Some models include:
  • Peer-to-Peer
  • Pipe and Filter
  • Implicit Invocation
  • Client-Server

How Email Works
• The model that works best for email is the Client-Server model.
• Clients carry out user interactions with the email server.
How Email Works (Flow)
[Flow diagram: in each of Organization One and Organization Two, user terminals run user agents that talk to a local MTA holding a mail queue and the user mailboxes; the two local MTAs exchange mail through relay MTAs.]
How Email Works: Clients
• Forms in which clients appear:
  • Application based: these are installed onto the user’s machine and include Microsoft Outlook, the freely available Outlook Express and Eudora, Mozilla Thunderbird, etc.
  • Web based: these appear in a web browser’s window and include Hotmail, Yahoo and the Outlook web client.

How Email Works: Clients
• Clients vary greatly in functionality, but all provide a basic level of functionality that assists the user.
• Basic functions include:
  • Ability to create new emails.
  • Display and store received emails.
  • Hold address lists of contacts, a calendar, journal and other extra functions that help organize the user’s working day.
• The client is also configured with the account information and the names or IP addresses of the email servers with which it will be communicating.
How Email Works: Servers
• An email server is typically a combination of processes running on a server with a large storage capacity: a list of users and rules, and the capability to receive, send and store emails and attachments.
• These servers are designed to operate without constant user intervention.
• They should process emails for months, as sending, receiving and maintenance tasks are carried out at scheduled times. The client only has to connect to the email server when it sends and checks/receives new email.
• Sometimes the client may be permanently connected to the server to allow access to shared address books or calendar information; this is typical of a LAN-based email server.
How Email Works: Servers
• Most email servers conduct email services by running two separate processes on the same machine.
  • One process is the POP3 (Post Office Protocol 3) server, which holds emails in a queue and delivers emails to the client when they are requested.
  • The other is the SMTP (Simple Mail Transfer Protocol) server, which receives outgoing emails from clients and sends and receives email from other SMTP servers.
• These two processes are linked by an internal mail delivery mechanism that moves mail between the POP3 and SMTP servers.

How Email Works: Servers
• When the client calls the email server to send or check for mail, it connects to the server on certain TCP/IP ports:
  • SMTP on port 25
  • POP3 on port 110
  • IMAP on port 143

How Email Works: Servers
• Email systems come in various formats, but the most common rely on a single server that provides both POP3 and SMTP services.
• Sometimes, in large organizations, these services are separated onto different servers.

What Are TCP/IP Ports
• Most email servers run on a web server platform with email services installed.
• Each server has one or more unique TCP/IP (Transmission Control Protocol/Internet Protocol) addresses.
• Attached to all TCP/IP addresses are many ports that range from 0 to 65,535.
• TCP/IP uses ports to allocate different jobs to different services. The server will listen for a client or application to call it on a port and direct traffic from that port to the required service.
Sending an e-mail (cycle)
• The client sends the e-mail to its configured outbound mail server. A DNS request is required to find the address of the mail server.

Sending an e-mail: Step 1
• The client hands the message to its outbound mail server: Please send this message to “someone@example.com”

Sending an e-mail: Step 2
• The mail server goes through the DNS resolution process to find the authoritative name servers for “example.com”.
  • Mail server to DNS: Tell me the name servers for “example.com”
  • DNS reply: Here are the name servers for “example.com”

Sending an e-mail: Step 3
• Ask the “example.com” name server for the list of Mail eXchangers (MX) for that domain.
  • Mail server to name server: Tell me the MXs for “example.com”
  • Name server reply: The MXs are mx10.example.com and mx20.backmail.com

Sending an e-mail: Step 4
• Select a mail server and deliver the mail.
  • Sending server to MX: Here is some mail for the “example.com” domain
  • MX reply: Mail accepted for delivery
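The four delivery steps above, worked through in code. This is an added example, not part of the original slides: the DNS zone is a constructed in-memory table (no network), the two exchangers for example.com are the ones the slide names, and the extra domains nomx.example and nomail.example are assumptions used to show the two edge cases a sending MTA must handle (a domain with no MX record at all, and the RFC 7505 "null MX" that means the domain accepts no mail).

```python
from email.utils import parseaddr

# Constructed zone data: recipient domain -> list of (preference, exchanger).
MX_RECORDS = {
    "example.com": [(20, "mx20.backmail.com"), (10, "mx10.example.com")],
    "nomx.example": [],                 # assumed: has an A record but no MX
    "nomail.example": [(0, ".")],       # assumed: RFC 7505 null MX, refuses mail
}
# Constructed address records, consulted for an exchanger's IP and for the
# implicit-MX fallback.
A_RECORDS = {
    "mx10.example.com": "192.0.2.10",
    "mx20.backmail.com": "198.51.100.20",
    "nomx.example": "203.0.113.5",
}


def recipient_domain(address):
    """Step 1: the part after '@' decides which zone the MTA must query."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        raise ValueError(f"not a routable address: {address!r}")
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def mail_exchangers(domain):
    """Steps 2-3: exchangers in the order a sending MTA should try them.
    RFC 5321 section 5.1: lowest preference value first; a domain with no MX
    records is its own (implicit) exchanger if it has an address record."""
    records = MX_RECORDS.get(domain)
    if records is None:
        raise LookupError(f"no such domain: {domain}")
    if records == [(0, ".")]:
        return []                       # null MX: the domain accepts no mail
    if not records:
        return [domain] if domain in A_RECORDS else []
    return [host for _, host in sorted(records)]


def pick_delivery_host(address):
    """Step 4: connect to the first exchanger that resolves; a real MTA moves
    on to the next one when the connection or the SMTP dialogue fails."""
    for host in mail_exchangers(recipient_domain(address)):
        ip = A_RECORDS.get(host)
        if ip is not None:
            return host, ip
    raise LookupError(f"no deliverable mail exchanger for {address!r}")


if __name__ == "__main__":
    print(pick_delivery_host("someone@example.com"))   # ('mx10.example.com', '192.0.2.10')
```

Note that the preference value, not the order in which the records arrive, decides which exchanger is tried first: the zone above lists mx20 before mx10, and the sort still selects mx10.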
[Diagram: the sender’s user agent hands mail to the sender’s mail server, which forwards it over SMTP to the receiver’s mail server; the receiver’s user agent retrieves it with a mail access protocol.]
• SMTP: delivery/storage to receiver’s server
• Mail access protocol: retrieval from server
  • POP: Post Office Protocol [RFC 1939]
    • authorization (agent <--> server) and download
  • IMAP: Internet Mail Access Protocol [RFC 1730]
    • more features (more complex)
    • manipulation of stored messages on server
  • HTTP: Hotmail, Yahoo! Mail, etc.
SMTP Connection
• The user agent is invoked with the -v flag, which is passed to the mail transport agent (Sendmail, in this case).
• The MTA displays what is sent and received across the SMTP connection.
• Lines beginning with >>> are commands sent by the SMTP client.
• Lines beginning with a 3-digit reply code are from the SMTP server.
• The command is: # sendmail -v alokes@gmail.com
• The SMTP commands used to send the mail: HELO, MAIL, RCPT, DATA and QUIT

SMTP commands
• HELO – identifies the sender
• MAIL FROM – starts a mail transaction and identifies the mail originator
• RCPT TO – identifies an individual recipient. There may be multiple RCPT TO commands
• DATA – the sender is ready to transmit a series of lines of text, each ending with \r\n. A line containing only a period `.` indicates the end of the data

Other SMTP commands
• VRFY – confirm that a name is a valid recipient
• EXPN – expand an alias (group mail address)
• TURN – switch roles (sender <--> receiver)
• SOML – Send Or Mail
• NOOP – send back a positive reply code
• RSET – abort the current transaction
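The transaction traced above (HELO, MAIL, RCPT, DATA, QUIT) from the server's side, as an added example that is not part of the original slides. The class below is a minimal SMTP receiver state machine driven one line at a time, so the exchange can be replayed without a socket; reply codes follow RFC 5321. It also shows what "disabling" VRFY and EXPN (recommended later in the presentation) looks like on the wire, a 502 reply, and uses a banner that names no software or version. The host names and the scripted client are constructed for the example.

```python
class SmtpReceiver:
    """Server side of one SMTP connection, fed one command line at a time."""

    def __init__(self, hostname="mx10.example.com"):
        self.hostname = hostname
        self.greeted = False            # HELO/EHLO seen
        self.in_data = False            # between DATA and the lone "."
        self.delivered = []             # (sender, recipients, body) per transaction
        self.banner = f"220 {hostname} ESMTP"   # deliberately no software/version
        self.reset()

    def reset(self):
        """RSET semantics: drop the current transaction but keep the HELO."""
        self.sender = None
        self.recipients = []
        self.body_lines = []

    def handle(self, line):
        """Return the reply for one client line (no CRLF); None while in DATA."""
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return f"250 {self.hostname}"
        if verb in ("VRFY", "EXPN"):    # disabled: they enumerate users and aliases
            return "502 5.5.1 Command not implemented"
        if verb == "NOOP":
            return "250 OK"
        if verb == "RSET":
            self.reset()
            return "250 OK"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        if not self.greeted:
            return "503 5.5.1 Send HELO/EHLO first"
        if verb == "MAIL":
            if self.sender is not None:
                return "503 5.5.1 Nested MAIL command"
            addr = self._path(arg, "FROM:")
            if addr is None:
                return "501 5.5.4 Syntax: MAIL FROM:<address>"
            self.sender = addr
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command first"
            addr = self._path(arg, "TO:")
            if not addr:
                return "501 5.5.4 Syntax: RCPT TO:<address>"
            self.recipients.append(addr)
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 5.5.2 Command not recognized"

    @staticmethod
    def _path(arg, keyword):
        """Parse 'FROM:<a@b>' or 'TO:<a@b>'; '' is the empty reverse-path <>."""
        if not arg.upper().startswith(keyword):
            return None
        addr = arg[len(keyword):].strip()
        if addr.startswith("<") and addr.endswith(">"):
            addr = addr[1:-1]
        return addr if (addr == "" or "@" in addr) else None

    def _data_line(self, line):
        if line == ".":
            self.in_data = False
            self.delivered.append((self.sender, list(self.recipients),
                                   "\r\n".join(self.body_lines)))
            self.reset()
            return "250 2.0.0 OK: queued"
        # Dot-stuffing (RFC 5321 section 4.5.2): the client doubles a leading "."
        # so a body line cannot be mistaken for the terminator; undo it here.
        self.body_lines.append(line[1:] if line.startswith(".") else line)
        return None


def run_session(receiver, client_lines):
    """Replay a scripted client; mark its lines with '>>>' as sendmail -v does."""
    transcript = [receiver.banner]
    for line in client_lines:
        transcript.append(">>> " + line)
        reply = receiver.handle(line)
        if reply is not None:
            transcript.append(reply)
    return transcript
```

Feeding `run_session` a script such as `["HELO client.example.net", "MAIL FROM:<alice@example.net>", "RCPT TO:<someone@example.com>", "DATA", "Subject: hi", "", ".", "QUIT"]` yields a transcript in the same shape as the sendmail -v output described above, and `receiver.delivered` holds the accepted message.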
Basic commands of the POP3 protocol
• USER <name> – Set username
• PASS <password> – Set password
• STAT – Check the status of the mailbox; typically retrieves the number of messages
• LIST [msg] – List messages in the mailbox; optional argument for message [msg]
• RETR <msg> – Retrieve message <msg>
• DELE <msg> – Delete message <msg>
• QUIT – Quit
• NOOP – No operation
• RSET – Reset
• Optional commands from RFC 1939
  • TOP <msg> <n> – Retrieve the top <n> lines of message <msg>
  • UIDL [msg] – Retrieve the unique id for [msg]
  • APOP <name> <digest> – A more robust form of authentication than USER/PASS
• Extension command from RFC 2449
  • CAPA – Retrieve a list of capabilities supported by the POP3 server
Basic commands of IMAP
Compared with POP, which offers very little functionality, IMAP is a robust mailbox access protocol.
• NOOP – Perform no operation
• STARTTLS – Establish confidentiality and integrity protection
• AUTHENTICATE <type> – Choose authentication method
• LOGIN <user> <passwd> – Login with username and password
• LOGOUT – Logout the current user
• SELECT <mailbox> – Select the desired mailbox to access
• EXAMINE <mailbox> – Same as SELECT except it opens the mailbox read-only
• CREATE <mailbox> – Create a mailbox with the name <mailbox>
• DELETE <mailbox> – Delete the selected mailbox
• RENAME <mailbox> <newmailbox> – Rename mailbox
• SUBSCRIBE <mailbox> – Subscribe to the selected mailbox
• UNSUBSCRIBE <mailbox> – Unsubscribe from the selected mailbox
• LIST <reference> [pattern] – List contents of the current reference based on an optional pattern
Basic commands of IMAP
• LSUB <reference> [pattern] – List a set of mailboxes matching the pattern
• STATUS <mailbox> <item> – Show the status of specific items in the selected mailbox
• APPEND <mailbox> [flags] <msg> – Append a message to the selected mailbox
• CHECK – Perform a checkpoint on the currently selected mailbox
• CLOSE – Close the currently selected mailbox
• EXPUNGE – Expunge deleted messages from the mailbox
• SEARCH <criteria> – Search the mailbox based on certain criteria
• FETCH <message> <item> – Fetch the specified item from the selected message
• STORE <message> <item> <newvalue> – Update the selected item in a message
• COPY <message> <mailbox> – Copy a message to the provided mailbox
• UID <command> [args] – Perform an operation on a message based on its UID
• CAPABILITY – Query the server for its capabilities
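To make the POP3 command list concrete, here is an added example (not from the original slides) of a scripted POP3 mailbox that walks through the protocol's three states: AUTHORIZATION (USER/PASS or APOP), TRANSACTION (STAT, LIST, RETR, DELE, RSET, NOOP) and UPDATE (deletions become permanent only at QUIT). It also shows why the slide calls APOP "more robust" than USER/PASS: the client sends an MD5 digest of the server's greeting timestamp plus the shared secret, so the secret itself never crosses the wire. The host name, the fixed greeting timestamp, the user/secret pair and the two messages are all constructed.

```python
import hashlib


class Pop3Mailbox:
    """One POP3 session over a constructed maildrop, driven by command lines."""

    def __init__(self, hostname, users, messages):
        # The <pid.clock@host> timestamp in the greeting is the APOP challenge;
        # a real server makes it unique per connection, this one is fixed.
        self.timestamp = f"<1896.697170952@{hostname}>"
        self.greeting = f"+OK POP3 server ready {self.timestamp}"
        self.users = users              # constructed: name -> shared secret
        self.messages = list(messages)  # message texts, numbered from 1
        self.state = "AUTHORIZATION"
        self.pending_user = None
        self.deleted = set()

    def apop_digest(self, secret):
        """RFC 1939 APOP: hex MD5 of the greeting timestamp + the secret."""
        return hashlib.md5((self.timestamp + secret).encode()).hexdigest()

    def command(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if self.state == "AUTHORIZATION":
            return self._authorize(verb, arg)
        if self.state == "UPDATE":
            return "-ERR session closed"
        if verb == "QUIT":
            # UPDATE state: only now are DELE-marked messages really removed.
            self.messages = [m for i, m in enumerate(self.messages, 1)
                             if i not in self.deleted]
            self.state = "UPDATE"
            return "+OK bye"
        return self._transaction(verb, arg)

    def _authorize(self, verb, arg):
        if verb == "USER":
            self.pending_user = arg
            return "+OK name is a valid mailbox"
        if verb == "PASS":              # cleartext secret on the wire
            if self.pending_user and self.users.get(self.pending_user) == arg:
                self.state = "TRANSACTION"
                return "+OK maildrop locked and ready"
            return "-ERR invalid password"
        if verb == "APOP":              # only the digest travels
            name, _, digest = arg.partition(" ")
            secret = self.users.get(name)
            if secret is not None and digest == self.apop_digest(secret):
                self.state = "TRANSACTION"
                return "+OK maildrop locked and ready"
            return "-ERR permission denied"
        if verb == "QUIT":
            self.state = "UPDATE"
            return "+OK bye"
        return "-ERR not authenticated"

    def _transaction(self, verb, arg):
        live = {i: m for i, m in enumerate(self.messages, 1) if i not in self.deleted}
        if verb == "STAT":
            return f"+OK {len(live)} {sum(len(m) for m in live.values())}"
        if verb == "LIST":
            return "+OK\r\n" + "\r\n".join(f"{i} {len(m)}" for i, m in live.items()) + "\r\n."
        if verb == "RSET":
            self.deleted.clear()
            return "+OK"
        if verb == "NOOP":
            return "+OK"
        num = int(arg) if arg.isdigit() else None
        if verb in ("RETR", "DELE") and num not in live:
            return "-ERR no such message"
        if verb == "RETR":
            return f"+OK {len(live[num])} octets\r\n{live[num]}\r\n."
        if verb == "DELE":
            self.deleted.add(num)
            return f"+OK message {num} deleted"
        return "-ERR unknown command"
```

A client that authenticates with `APOP alokes <digest>` computes the digest from the greeting it just received; the server recomputes it from its own copy of the secret and compares. The same secret sent via `PASS` would be readable by anyone watching port 110, which is the reason the later slides pair POP/IMAP access with SSL/TLS.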
Mail server security guideline
• Securing the Mail Server Operating System
  • Patch and upgrade the operating system
  • Remove or disable unnecessary services and applications
  • Configure operating system user authentication
  • Remove or disable unneeded default accounts and groups
  • Set account passwords appropriately (e.g., length, complexity) as per the organization’s password policy
  • Configure servers to prevent password guessing
  • Install and configure other security mechanisms to strengthen authentication
  • Configure resource controls appropriately
  • Set access controls for files, directories, devices, and other resources

Mail server security guideline
• Limit privileges for most system-related tools to authorized system administrators
• Install and configure additional security controls not included in the operating system
• Test the operating system after initial install to determine vulnerabilities
• Test the operating system periodically to determine new vulnerabilities
BASIC steps of Securing Mail Servers and Content
• Install the mail server software on a dedicated host
• Apply any patches or upgrades to correct known vulnerabilities
• Create a dedicated physical disk or logical partition (separate from the operating system and mail server application) for mailboxes, or host the mailboxes on a separate server
• Remove or disable all services installed by the mail server application but not required (e.g., Web-based mail, FTP, remote administration)
• Remove or disable all unneeded default login accounts created by the mail server installation
• Remove all manufacturer documentation from the server
• Remove any example or test files from the server
• Apply an appropriate security template or hardening script to the server
• Reconfigure SMTP, POP, and IMAP service banners (and others as required) NOT to report the mail server and operating system type and version (this may not be possible with all mail servers)
• Disable dangerous or unnecessary mail commands (e.g., VRFY and EXPN)
BASIC steps of Securing Mail Servers and Content
• To mitigate the effects of certain types of DoS attacks, configure the mail server to limit the amount of operating system resources it can consume:
  • Installing users’ mailboxes on a different server (preferred), hard drive, or logical partition than the operating system and mail server application
  • Configuring the mail server application so that it cannot consume all available space on its hard drives or partitions
  • Limiting the size of attachments that are allowed
  • Ensuring log files are stored in a location that is sized appropriately
Securing mail server
• Protecting Email from Malware
  • Email messages are sent with attachments such as program executables, pictures, music, and sounds.
  • Many forms of malware, including viruses, worms, Trojan horses, and spyware—malware intended to violate a user’s privacy—are often transmitted in attachments.
  • Attackers are using email to deliver zero-day attacks at targeted organizations before the exploited vulnerabilities are known publicly.
  • These attacks are often targeted at office productivity software and give the attacker control over users’ workstations. This control can be exploited to escalate privileges, gain access to sensitive information, monitor users’ actions (e.g., keystrokes), and perform other malicious actions.
Preventive measure
• Malware Scanning
  • Scanning at the Firewall, Mail Relay, or Mail Gateway Appliance
[Figure: Malware Scanning Implemented on Firewall]

Preventive measure
• The benefits of scanning email at the firewall, mail relay, or mail gateway appliance are as follows:
  • Can scan email in both directions (inbound and outbound from the organization’s network)
  • Can stop the majority of messages containing malware at the perimeter, before they enter the network and are passed to the mail server
  • Can implement scanning for inbound email with minor changes to the existing mail server configuration
  • Can reduce the amount of email reaching the mail servers, allowing them to operate more efficiently with lower operational costs
  • Can reduce the amount of scanning to be performed by the mail servers, thus reducing their load
  • Can centrally manage scanning to ensure compliance with the organization’s security policy and regular application of updated malicious code signatures
  • For some mail firewall appliances, can provide secure authenticated access to Web-based mail applications

Preventive measure
• Scanning for malware at the firewall, mail relay, or mail gateway appliance has a number of weaknesses:
  • Can require significant modification of the existing mail server configuration when scanning mail in the outbound direction
  • Cannot scan encrypted emails
  • Offers no protection to internal users once malware is on the organization’s internal network, unless the network is configured so that SMTP traffic gets routed through a dedicated scanner before reaching the mail server
  • May require powerful (expensive) servers or appliances to handle the load of a large organization

Preventive measure
• Scanning on the Mail Server Itself
[Figure: Malware Scanning Implemented on Mail Server]
Preventive measure
• Scanning for malware at the mail server has the following benefits:
  • Can scan email in both directions (inbound and outbound)
  • Can be centrally managed to ensure compliance with the organization’s security policy and that updates are applied regularly
  • Offers protection to internal users once malware is on the organization’s internal network
• Scanning for malware at the mail server has a number of weaknesses:
  • Cannot scan encrypted emails
  • May require more powerful (expensive) servers to handle the load of a large organization
  • Can detect only those threats that have been identified; offers little protection against zero-day exploits
Preventive measure
• When considering mail server-based malware scanners, look for the following qualities:
  • Detects and cleans all types of malware typically carried by email (e.g., viruses, worms, Trojan horses, malicious mobile code, spyware)
  • Provides heuristic scanning (provides some protection from new and unknown malware)
  • Provides content filtering
  • Incorporates mechanisms to help prevent email from circumventing the system
  • Provides ease of management
  • Provides automated downloading and installation of updates
  • Provides frequent updates (critical)
  • Can identify and apply rules to different types of content
  • Provides a robust and configurable alert mechanism
  • Provides detailed logging capabilities

Preventive measure
• Scanning on Client Hosts
[Figure: Malware Scanning Implemented on User Workstations]

Preventive measure
• The benefits of client-side malware scanning are as follows:
  • Does not require any modification to the mail server
  • Can scan encrypted emails when they are decrypted by the user
  • Distributes malware scanning and thus minimizes the impact of scanning on any one host
  • Offers protection to internal users, even when malware is received from an internal user
• The disadvantages of client-side malware scanning are as follows:
  • Can be difficult to centrally manage, especially for mobile client hosts (e.g., laptops)
  • Can take time before users update malware scanners, resulting in the organization being more susceptible to an outbreak
  • Can be intentionally or accidentally disabled or weakened by users
  • Can detect only those threats that have been identified; offers little protection against zero-day exploits

Preventive measure
• Content Filtering
  • Content filtering works in a similar manner to malware scanning at the firewall or mail server, except that it is looking for emails containing undesirable content other than malware, such as spam or emails containing inappropriate language
  • For maximum effectiveness, content filtering should be performed on all incoming and outgoing messages and conducted in the same locations as malware scanning—on the firewall/mail relay/mail gateway, mail servers, and end users’ hosts

Preventive measure
• Email that contains suspicious active content (e.g., ActiveX, JavaScript) is stripped of the active code and forwarded to the recipient.
• Spam email and phishing attempts may be deleted or tagged as suspicious.
• Extra-large files might be held for delivery during off-peak hours.
• Organizations should also take steps to prevent email address spoofing, such as ensuring that external users cannot send emails to internal users that have one of the organization’s email addresses as the spoofed sender.
• Another effective way to decrease the number of unwanted messages reaching mail servers is using Lightweight Directory Access Protocol (LDAP) lookup on a mail gateway or firewall as a filtering mechanism.

Preventive measure
• Many Internet service providers (ISPs) and third-party companies offer malware scanning and content filtering services, including spam filtering.
• Disadvantages of using such a service include the following:
  • Privacy. All of the organization’s incoming email is routed through the service provider’s servers and scanned by them.
  • False Positives. The service provider’s filtering solution might automatically delete emails tagged as spam or might not provide a way for administrators to check the validity of email tagging.
  • Availability. If the service becomes unavailable, the organization should be able to change the routing of email to prevent delays in mail delivery.

User awareness
• Never open attachments from unknown senders.
• Never open attachments with suspicious or potentially harmful names or file extensions (e.g., attachment.vbs, attachment.exe) from known or unknown senders.
• Be suspicious of emails from known senders in which the subject line or content appears to be inappropriate for the existing relationship (e.g., an email with the subject “I love you” from a professional colleague) or generic subjects (e.g., “Look at this, it’s interesting”).
• Scan all attachments with malware scanning software before opening, preferably by configuring the scanning software to perform this task automatically.
• Update the signature database of the malware scanning software at least daily, or whenever there is a malware outbreak.
• Warn users about malware outbreaks and how to identify emails that might contain malware.
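Three of the gateway-side controls discussed above (the attachment size limit from the DoS-mitigation steps, the sender-spoofing rule and content filtering from the preventive-measure slides, and the dangerous-extension rule from the user-awareness slide) combined into one inbound policy check, as an added example that is not part of the original presentation. It uses Python's standard `email` package; the organization domain, the size cap, the extensions beyond .exe and .vbs, and the sample message are all assumptions. Beyond the slide's file-name rule it also looks at the attachment's first bytes, so an executable renamed to look like a document is still caught.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                       # assumed organization domain
MAX_MESSAGE_BYTES = 10 * 1024 * 1024             # assumed size cap (10 MiB)
# .exe and .vbs come from the slide; the others are assumed additions.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".bat", ".js"}


def sender_domain(msg):
    """Domain of the From: header, lower-cased ('' if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_inbound(raw, from_external):
    """Return policy findings for one raw RFC 5322 message (empty = accept).
    from_external is True when the SMTP client sat outside the organization."""
    findings = []
    if len(raw) > MAX_MESSAGE_BYTES:
        findings.append("size: message exceeds limit")
    msg = message_from_bytes(raw, policy=policy.default)
    dom = sender_domain(msg)
    # Spoofing rule: an outside host may not claim one of our own addresses.
    if from_external and (dom == ORG_DOMAIN or dom.endswith("." + ORG_DOMAIN)):
        findings.append("spoof: external client claims an internal sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # Use the last extension so "statement.pdf.exe" is still caught.
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"attachment: blocked type {name}")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":   # Windows PE header: executable whatever the name says
            findings.append(f"attachment: executable content in {name or '<unnamed>'}")
    return findings


def build_sample(from_addr, attach_exe):
    """Constructed sample message: optionally carries a fake PE file whose
    name pretends to be a PDF."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = f"someone@{ORG_DOMAIN}"
    m["Subject"] = "Look at this, it's interesting"
    m.set_content("Please review the attached statement.")
    if attach_exe:
        m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                         subtype="octet-stream", filename="statement.pdf.exe")
    return m.as_bytes()
```

The same message produces a spoofing finding only when it arrived over an external connection: the check needs the connection's origin as input, which is why it belongs on the gateway or relay rather than in a purely content-based filter.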
User awareness
Users should also be aware of the dangers of phishing attacks and how to avoid them:
• Do not reply to email messages or popup ads asking for personal or financial information.
• Do not trust phone numbers in emails or popup ads. Voice over IP technology can be used to register a phone with any area code.
• Do not email personal or financial information.
• Review credit card and bank account statements regularly.
• Be cautious about accessing untrusted Web sites, because some Web browser vulnerabilities can be exploited simply by visiting a site. Users should also be cautious about opening any attachment or downloading any file from untrusted emails or Web sites.

User awareness
• Ensure that spam cannot be sent from the mail servers the organization controls
• Implement spam filtering for inbound messages
• Block messages from known spam-sending servers
  • These lists are often referred to as open relay blacklists (ORB) or DNS blacklists (DNSBL).
• Authenticate mail relay
  • User authentication [SMTP AUTH]
  • Secure access [SSL, TLS]
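How a mail gateway consults a DNS blacklist (DNSBL) of the kind named above, as an added example that is not from the original slides: the connecting client's address is written backwards as a host name under the list's zone and looked up; an answer in 127.0.0.0/8 means "listed", with the last octet carrying a list-specific reason code. The zone name `dnsbl.example` is a placeholder rather than a real list, and the resolver is a constructed in-memory table so the code runs offline; the IPv6 nibble form goes beyond the slide's IPv4 case.

```python
import ipaddress

DNSBL_ZONE = "dnsbl.example"          # placeholder; a real list publishes its own zone

# Constructed answers, shaped like real DNSBL replies. 127.0.0.2 is the usual
# generic listing; other last octets are list-specific reason codes.
FAKE_ANSWERS = {
    "99.2.0.192." + DNSBL_ZONE: "127.0.0.2",
    "1" + ".0" * 23 + ".8.b.d.0.1.0.0.2." + DNSBL_ZONE: "127.0.0.4",   # 2001:db8::1
    "7.100.51.198." + DNSBL_ZONE: "10.0.0.1",   # a dead zone answering garbage
}


def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """Build the lookup name: IPv4 octets reversed, IPv6 as 32 reversed nibbles."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def dnsbl_check(client_ip, resolve=FAKE_ANSWERS.get):
    """Return (listed, answer). `resolve` maps a name to its A record or None;
    a real deployment passes a function that performs the DNS query."""
    answer = resolve(dnsbl_query_name(client_ip))
    if answer is None:
        return False, None                        # NXDOMAIN: not listed
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        # Defunct lists sometimes start answering every query, or a wildcard
        # replaces the zone; only a 127/8 answer may be treated as a listing,
        # otherwise the gateway would reject all inbound mail.
        return False, answer
    return True, answer
```

A gateway normally runs this check at RCPT time and rejects with a 5xx reply naming the list, so a legitimate sender that was listed by mistake sees why and can ask for delisting; silently discarding listed mail loses that signal.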
Mail messaging software deployed at IIT-KGP
• Trend Micro
• Zimbra Collaboration Suite (ZCS)