DANE Secured E-Mail Demonstration. Wes Hardaker Parsons <wes.hardaker@parsons.com>

Similar documents
DANE for SMTP. Viktor Dukhovni & Wes Hardaker. IETF 87, Berlin July 2013

Introduction to the DANE Protocol

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

Deploying DNSSEC: From End-Customer To Content

One year of DANE Tales and Lessons Learned. sys4.de

Next Steps In Accelerating DNSSEC Deployment

Apache Security with SSL Using Ubuntu

State of the "DNS privacy" project. Stéphane Bortzmeyer AFNIC

OpenSRS Service DNS Configuration Guide

Mail agents. Introduction to Internet Mail. Message format (2) Authenticating senders

Set up Outlook for your new student e mail with IMAP/POP3 settings

DNS and BIND. David White

Set Up Setup with Microsoft Outlook 2007 using POP3

DNSSEC Applying cryptography to the Domain Name System

How to configure your client

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

Networking Domain Name System

Internet Standards. Sam Silberman, Constant Contact

Internet-Praktikum I Lab 3: DNS

DNS and Internet Mail Service Architecture. Joe Abley

Open Thunderbird. To set up an account in Thunderbird, from the Tools menu select Account Settings; choose account; then click Next.

Instructions Microsoft Outlook Express Page 1

IOS 8: Configure IMAP/POP/SMTP

CS615 - Aspects of System Administration

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

DANE/DNSSEC/TLS Tes-ng in the Go6lab. Jan Žorž, ISOC/Go6 Ins-tute, Slovenia

Use Domain Name System and IP Version 6

Copyright

DNS SECURITY TROUBLESHOOTING GUIDE

How to Pop to Outlook

Securing DNS Infrastructure Using DNSSEC

Configuring an External Domain

Client configuration and migration Guide Setting up Thunderbird 3.1

HGC SUPERHUB HOSTED EXCHANGE

Division of Information Technology Lehman College CUNY

Traveling Setup Microsoft Office

How to Set Up Your. Account

Using TLS Encryption with Microsoft Outlook 2007

Encryption. Administrator Guide

Patriots Outlook Configuration

Traveling Setup Outlook Express

Cisco EXAM Implementing Cisco IP Telephony and Video, Part 2 (CIPTV2) Buy Full Product.

Toll Free: International:

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

SSL Protect your users, start with yourself

Configuration Manual for Lime Domains

IRMACS Setup. Your IRMACS is available internally by the IMAP protocol. The server settings used are:

A Step-by-Step guide for implementing DANE with a Proof of Concept

Update Instructions

Knights Outlook 2013 Configuration

Update Instructions

Internet Security [1] VU Engin Kirda

The Domain Name System from a security point of view

Domain Name System Security

Knights Outlook Configuration

Securing End-to-End Internet communications using DANE protocol

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

Configuring Outlook to send mail via your Exchange mailbox using an alternative address

A quick overview of the DANE WG. * DNS-based Authentication of Named Entities

Analyzing DANE's Response to Known DNSsec Vulnerabilities

Outlook Express. Make Changes in Red: Open up Outlook Express. From the Menu Bar. Tools to Accounts - Click on Mail Tab.

Instructions Android Smartphone & Tablet Page 1

ftld Registry Services Security Requirements December 2014

Domain Name System WWW. Application Layer. Mahalingam Ramkumar Mississippi State University, MS. September 15, 2014.

Configuring on Android Devices

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS

Using WinGate 6 . Concepts, Features, and Configurations.

How to use ArGoSoft Mail Server.NET Freeware

FAQ (Frequently Asked Questions)

DNS. Computer networks - Administration 1DV202. fredag 30 mars 12

Implementing Microsoft Exchange Mail on Demand

TLS and SRTP for Skype Connect. Technical Datasheet

How To Create A Mailbox In Windows Mail On A Pc Or Mac Or Ipad (For A Mac)

How to Configure the Windows DNS Server

Networking Domain Name System

IMAP and SMTP Setup in Clients

Telematics. 13th Tutorial - Application Layer Protocols

testing and presenting Internet Health Anne-Marie Eklund Löwinder Quality & Security Manager amel@iis.se

How To Send Mail From A Macbook Access To A Pc Or Ipad With A Password Protected Address (Monroe Access) On A Pc (For Macbook) Or Ipa (For Ipa) On Pc Or Macbook (For

Migration User Guides: The Console Application Setup Guide

Computer System Management: Hosting Servers, Miscellaneous

LEAP Encryption Access Project. Αλέξανδρος Αφεντούλης

USAGE GUIDE ADAM INTERNET SPAM FILTER MANAGER

The Myth of Twelve More Bytes. Security on the Post- Scarcity Internet

DNS at NLnet Labs. Matthijs Mekking

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

IEncrypt a work-in-progress

Mail 8.2 for Apple OSX: Configure IMAP/POP/SMTP

Android: Configure IMAP/POP/SMTP

Computer Networks - CS132/EECS148 - Spring

SSO Eurécia. and external Applications. Purpose

ISP Systems Design. ISP Workshops. Last updated 24 April 2013

How to set up the Integrated DNS Server for Inbound Load Balancing

StarterPlus Mailbox Software Setup Guide

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Installing and Setting up Microsoft DNS Server

Lecture 2 CS An example of a middleware service: DNS Domain Name System

Apache, SSL and Digital Signatures Using FreeBSD

CS Lecture 22 DNS Security

Transcription:

DANE Secured E-Mail Demonstration Wes Hardaker Parsons <>

Overview My Background In scope topics Securing E-Mail Requirements Implementing Each Requirement 2

My Background Part of the Network Security Research Group A small division within PARSONS Experts on and evangalists for security protocols My DNS history Multiple DNS RFCs: 4509, 6168, 7477, 7671, 7672 DNSSEC-Tools development DNS-Sentinel DNS/DNSSEC monitoring service DNS-Sentinel DNSSEC-Tools 3

What I am covering How to set up secure E-Mail with DANE What I am not covering How DNSSEC and DANE work See my slides from ICANN 53 / Buenos Aires My YouTube Tutorial on DANE and DNSSEC video: https://www.youtube.com/watch?v=bhvu19rjrpy Securing E-Mail clients to their ISP IE: We're not discussing POP, IMAP, etc. Today: server to server (ISP to ISP) 4

Server-to-Server Email Simple Mail Transport Protocol (SMTP) Mail Transfer Agent 1: Alice's Mail User Agent (MUA) sends the email to her ISP 2: Alice's ISP forwards the message to Bob's ISP We're talking about this today Mail Transfer Agent 3: Bob's MUA downloads the message via IMAP or POP Largely secured today through Manual configuration parameters 5

Requirements for Receiving Secure E-Mail 6

Receiving Secure E-Mail Be found by the distant server DNSSEC Accept an authenticated connection DANE Accept an encrypted connection DANE Your DNS zone must be DNSSEC signed Your DNS zone must include a DANE record 7

Receiving Secure Mail with Postfix (regardless of DANE usage) Create a certificate to use: openssl req new newkey rsa:2048 days 365 nodes x509 keyout server.pem out server.pem Tell postfix to use it: smtpd_tls_key_file = /etc/postfix/server.pem smtpd_tls_cert_file = /etc/postfix/server.pem smtpd_tls_security_level = may 8

DNS Records for our test zone In the DNSSEC-Tools.org zone, I created: dane.dnssec-tools.org: dane IN 60 A 192.0.2.1 dane IN 60 MX 10 dane.dnssec tools.org. _25._tcp.dane IN 60 TLSA 3 1 1 e8d145d7df0b269d19a5107e489419e0445df7d3c256e0ec24a2a23 ff25d249c And DNSSEC signed it! dane.dnssec tools.org. 60 IN RRSIG A 5 3 60 20151113185506 20151014175506 3147 dnssec tools.org. UY3+UB7GyO/eaNsf5fFTbTBx9G6R... 9

CRITICAL When you update your mail server certificate You must update your TLSA record to match! You must continue to resign your zone You should monitor your services: DNS/DNSSEC health checks DANE records match the mail server certificate Have it yell loudly when broken!! 10

Test It! https://dane.sys4.de/ A fantastic SMTP/DANE/DNSSEC testing utility Checks if: Your zone is properly signed Your zone contains TLSA records Your SMTP TLS certificate matches your DANE records For each server! 11

Requirements for Sending Secure E-Mail 12

Sending Secure E-MAIL Requirements DNS Software that verifies DNSSEC records EVERY lookup from start to finish must be verified MX records Address records DNSSEC signatures and chain records Mail server software that verifies DANE records Collects DNSSEC validated TLSA records Certificates must match these TLSA records 13

Configuring Postfix Needed deployment architecture: DNSSEC Validating Resolver Postifx 2.11 or better Running on the same host Needed configuration: smtp_tls_security_level = dane smtp_dns_support_level = dnssec 14

Demonstration Sending via an insecure mail server Sending to a DANE secured address Sending to a DANE failing address Sending to a domain with two MX records (with the first being broken) 15

Demonstration Test #1 No security turned on Plain text transfer An undetectable man-in-the-middle possible org dnssec-tools.org NS MX A dane Deliver this for me! Where should I send mail? To this guy! dnssec-tools.org DNS Server Mail Transfer Agent My Laptop Here's some mail dane.dnssec-tools.org SMTP Server 16

Demonstration Test #2 Using a validating resolver Authenticated and Encrypted E-Mail! No chance of a man-in-the-middle org dnssec-tools MX A TLSA NS dane Deliver this for me! Where should I send mail? To this guy! With this X.509 dnssec-tools.org DNS Server Mail Transfer Agent My Laptop Here's some mail dane.dnssec-tools.org SMTP Server 17

Demonstration Test #3 A bad guy Simulated by a bad record! (could be a mistake! Be careful!) org dnssec-tools MX A TLSA NS dane-bad Deliver this for me! Where should I send mail? To this guy! With this X.509 dnssec-tools.org DNS Server Mail Transfer Agent My Laptop Here's some mail dane.dnssec-tools.org SMTP Server 18

Demonstration Test #4 Two MX records The first one should fail The second should succeed org dnssec-tools NS dane-bad2 srv1 Deliver this for me! srv2 Where should I send mail? dnssec-tools.org DNS Server To this guy! With this X.509 Or this guy! With this X.509 Mail Transfer Agent My Laptop srv1.dnssec-tools.org SMTP Server srv2.dnssec-tools.org SMTP Server 19

Come On Out And Play 28,000 Domains with DANE/SMTP enabled! And the RFC has only been out for a week! 20

Questions? ICANN 53 Buenos Aires 21

Extra Slides 22

Available Software DNSSEC Compliant Name Servers Most recent releases of just about everything (no excuses here) Mail Software Postfix 2.11 or higher EXIM 4.85 or higher 23

Try looking up the data! Using a DNSSEC compliant resolver: dig dane.dnssec-tools.org MX dig dane.dnssec-tools.org A dig _25._tcp.dane.dnssec-tools.org TLSA dig +dnssec dane.dnssec-tools.org MX 24

Resources RFC6698 DANE RFC7218 DANE Acronyms RFC7672 SMTP RFC7671 DANE Guidance http://www.dnssec-tools.org/ http://postfix.org/ 25

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information