Jaap Wesselius – Message Security in Exchange


MESSAGE SECURITY

Speaker: Jaap Wesselius
Company: Self Employed
Position: Consultant

Who Am I?

I am Jaap Wesselius – Independent Consultant in The Netherlands
I am Microsoft Most Valued Professional, Office Servers and Services (previously known as Exchange MVP)

I tweet from @jaapwess
I blog at www.jaapwesselius.com
Email me jaap@wesselius.info
When not working I like to ride a motorcycle

WHAT’S THIS SESSION ABOUT?

It’s all about anti-spam (and thus security)
How do I make sure email is legitimate?
What’s my email reputation on the Internet?
How do you protect against phishing?
How do you protect your outbound mail?

In this talk…
I will focus on on-premises Exchange solutions
But also 3rd party and cloud-based solutions

AGENDA

SPF / DKIM / DMARC
When time permits...
S/MIME
TLS

SPF / DKIM / DMARC

SENDER POLICY FRAMEWORK

SPF is a validation process
Is the sending server allowed to send email on behalf of the sender’s domain?
Organizations register information in public DNS about their sending email servers (in SPF records)
Receiving servers check and compare this information

SPF PROCESS

Mail server receives an SMTP connection
Only checks RFC5321.MailFrom (domain name)
Retrieve SPF record
Compare SPF record against source IP address
Pass = ok
Fail = stamp header, quarantine, junk mail folder or block message

SPF DNS ENTRIES

SPF entries start with “v=spf1”
Followed by sending mail server information: ip4, ip6, A or MX
Each mechanism carries a qualifier: pass (+), fail (-), softfail (~), neutral (?)

SPF DNS EXAMPLES

"v=spf1 mx -all" (allow the MX servers to send mail, no others)
"v=spf1 ip4:192.168.0.1/24 -all" (allow servers in this range, no others)
"v=spf1 a:exchangelabs.nl ~all" (all A records in this domain, but not sure about others: softfail)
Syntax info on http://www.openspf.org/SPF_Record_Syntax
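Added example in Python, not part of the slides: a minimal SPF check that evaluates the three record forms above (plus ip6) against a source IP, returning the qualifier result the way a receiving server does. DNS is replaced by a constructed in-memory table so it runs offline; example.org, example.net, example.com and all addresses except the 192.168.0.1/24 range from the slide are made-up sample data. include, exists and ptr mechanisms are deliberately left out.

```python
import ipaddress

# Constructed stand-in for DNS (sample data, not real records).
FAKE_DNS = {
    ("exchangelabs.nl", "TXT"): ["v=spf1 a:exchangelabs.nl ~all"],
    ("exchangelabs.nl", "A"):   ["192.0.2.10"],
    ("example.org", "TXT"):     ["v=spf1 mx -all"],
    ("example.org", "MX"):      ["mail.example.org"],
    ("mail.example.org", "A"):  ["198.51.100.25"],
    ("example.net", "TXT"):     ["v=spf1 ip4:192.168.0.1/24 -all"],
    ("example.com", "TXT"):     ["v=spf1 ip6:2001:db8::/32 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def get_spf_record(domain):
    """Return the single v=spf1 TXT record for a domain, or None.
    More than one SPF record is a permanent error per RFC 7208, so it is
    treated as 'no usable record' here."""
    spf = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def host_matches(name, source):
    """True if any A record of `name` equals the connecting address."""
    return any(ipaddress.ip_address(a) == source for a in lookup(name, "A"))


def check_spf(source_ip, mailfrom_domain):
    """Evaluate the RFC5321.MailFrom domain's SPF record against the source IP.
    Returns pass, fail, softfail, neutral, none or permerror."""
    record = get_spf_record(mailfrom_domain)
    if record is None:
        return "none"
    source = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier = "+"                         # no prefix means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # strict=False accepts host bits set, as in 192.168.0.1/24;
                # an IPv4 network never contains an IPv6 address and vice versa
                matched = source in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "a":
            matched = host_matches(arg or mailfrom_domain, source)
        elif mech == "mx":
            matched = any(host_matches(mx, source)
                          for mx in lookup(arg or mailfrom_domain, "MX"))
        else:
            return "permerror"                  # include/exists/ptr: not in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                            # nothing matched and no "all" term
```

The result drives the action from the SPF PROCESS slide: only "pass" is clean, "fail" is what the receiving server stamps, quarantines or blocks on, and "softfail" is usually stamped and left to content filtering.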

CHECK SPF WITH MXTOOLBOX

SPF FAILURE

DOMAINKEYS IDENTIFIED MAIL (DKIM)

DKIM is about signing and verifying email messages
DKIM consists of two operations:
Signing of a message. Can be done by the sending host or by a 3rd party service or appliance
Verifying of a message. Can be done by the receiving host or by a 3rd party service or appliance

DKIM OVERVIEW

User sends email to recipient
Mail server signs message header with private key
Recipient server checks DNS for public key
Recipient server decrypts and validates message
Recipient server stamps message header

DKIM DETAILS

What’s in the message header:

v=1; a=rsa-sha256; d=Exchangelabs.nl; s=1471253148.exchangelabs; c=simple/simple; t=1476973767; h=from:subject:to:date:message-id; bh=v+ZL4UUHbKdCnlQ8PbkBAftTIsIQ2nhPcvQuh8CzvJQ=; b=cDASVnI0Cc8S95wyqF91qp1xLzA7r4W9VQxFiVl6aWcAhDfYyJfHgqgHlQQXSU+180aylOY1NBR4RA8gzBR3NXrbzuAf7sRauo9E4QEGqn2zWRFei+/kTAHf+z4UwrarimP04PVKfE9Xk6+Iy4xqTh+uvg+Auh6HPfLZlxS2k68=

‘s’ is the selector key which identifies the DNS record: s=1471253148.exchangelabs


DKIM DETAILS

After verification, the receiving server stamps the email with an Authentication-Results header:

spf=pass (sender IP is 176.62.196.244) smtp.mailfrom=Exchangelabs.nl;
wesselius.info; dkim=pass (signature was verified) header.d=Exchangelabs.nl;
wesselius.info; dmarc=pass action=none header.from=Exchangelabs.nl;
wesselius.info; dkim=pass (signature was verified) header.d=Exchangelabs.nl;
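Added example in Python, not part of the slides: the offline half of what a DKIM verifier does with the two headers shown above. It parses the DKIM-Signature tags, derives the DNS name of the public key from s= and d=, recomputes the body hash (bh=) with simple and relaxed canonicalization, and reads the Authentication-Results header into method/result pairs. The RSA check of the b= tag needs the key from DNS and is left out; the message body used below is constructed.

```python
import base64
import hashlib
import re

# DKIM-Signature value from the slide (the b= tag was folded over three lines).
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; d=Exchangelabs.nl; s=1471253148.exchangelabs; "
    "c=simple/simple; t=1476973767; h=from:subject:to:date:message-id; "
    "bh=v+ZL4UUHbKdCnlQ8PbkBAftTIsIQ2nhPcvQuh8CzvJQ=; "
    "b=cDASVnI0Cc8S95wyqF91qp1xLzA7r4W9VQxFiVl6aWcAhDfYyJfHgqgHlQQXSU+180aylOY1NBR\r\n"
    " 4RA8gzBR3NXrbzuAf7sRauo9E4QEGqn2zWRFei+/kTAHf+z4UwrarimP04PVKfE9Xk6+Iy4xqTh+u\r\n"
    " vg+Auh6HPfLZlxS2k68="
)

# Authentication-Results value from the slide.
AUTH_RESULTS = (
    "spf=pass (sender IP is 176.62.196.244) smtp.mailfrom=Exchangelabs.nl; "
    "wesselius.info; dkim=pass (signature was verified) header.d=Exchangelabs.nl; "
    "wesselius.info; dmarc=pass action=none header.from=Exchangelabs.nl; "
    "wesselius.info; dkim=pass (signature was verified) header.d=Exchangelabs.nl;"
)


def parse_dkim_tags(value):
    """Split a DKIM tag=value list into a dict. Folding whitespace inside
    values is dropped, which the base64 bh= and b= tags require."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def decode_tag(tags, name):
    """Raw bytes of a base64 tag: 32 bytes for a SHA-256 bh=, key-sized for b=."""
    return base64.b64decode(tags[name])


def selector_record_name(tags):
    """DNS name the verifier queries for the public key: <s>._domainkey.<d>"""
    return f"{tags['s']}._domainkey.{tags['d'].lower()}"


def canonicalize_body(body, mode="simple"):
    """RFC 6376 body canonicalization. 'simple' only removes empty trailing
    lines; 'relaxed' also collapses whitespace runs and trailing spaces."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [" ".join(line.split()) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode="simple"):
    """The bh= value for a=rsa-sha256: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(tags, body):
    """First verifier step: does the body as received still hash to bh=?
    Anything appended in transit (a disclaimer, a scanner footer) fails here."""
    canon = tags.get("c", "simple/simple").split("/")
    body_mode = canon[1] if len(canon) == 2 else "simple"
    return body_hash(body, body_mode) == tags["bh"]


def parse_auth_results(value):
    """Return {method: {'result': ..., property: value}} from an
    Authentication-Results header. Parenthesised comments are removed and
    clauses carrying only an authserv-id (here 'wesselius.info') are skipped.
    The first occurrence of a method wins."""
    results = {}
    for clause in re.sub(r"\([^)]*\)", "", value).split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.setdefault(method, {"result": result, **props})
    return results
```

The body-hash mismatch is exactly the failure mode a transport rule that appends a disclaimer after signing produces: sign at the last hop, or the receiving side sees dkim=fail.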

DKIM IMPLEMENTATION

Exchange does not support DKIM natively
Use a 3rd party appliance, software or (cloud) service
On github.com/Pro/dkim-exchange you can find a DKIM signing module for Exchange
On http://dkim.org/deploy/index.html you can find more deployment partners

DKIM PUBLIC AND PRIVATE KEY

Private key is used by the sender (and only this sender!) for encryption
Public key is used by the receiver for decryption and verification
How to get a public and private key?
Online, for example via dkimcore.org (good idea?)
OpenSSL
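Added example in Python, not part of the slides: once the key pair exists (for instance via OpenSSL), the public key has to be published as a TXT record at <selector>._domainkey.<domain>. This turns a PEM "BEGIN PUBLIC KEY" file into that record data, splitting it into 255-character strings as DNS requires, and shows the reverse step a verifier performs. The PEM below is a constructed placeholder made of filler base64, not a real key; the selector reuses the one from the slide.

```python
import base64

# Constructed placeholder, NOT a real key: five PEM lines of filler base64
# (every character is in the base64 alphabet, so it decodes without error).
FILLER_LINE = ("Placeholder0" * 6)[:64]
PLACEHOLDER_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join([FILLER_LINE] * 5) + "\n"
    + "-----END PUBLIC KEY-----\n"
)


def pem_public_key_to_dkim_txt(pem, selector, key_type="rsa"):
    """Return (record name, list of TXT strings) for a DKIM public key.
    DKIM's p= tag is the DER SubjectPublicKeyInfo in base64, which is exactly
    the body of a 'BEGIN PUBLIC KEY' PEM with the line breaks removed (the
    PKCS#1 'BEGIN RSA PUBLIC KEY' form is not accepted)."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("expected a 'BEGIN PUBLIC KEY' (SubjectPublicKeyInfo) PEM block")
    body = "".join(lines[1:-1])
    base64.b64decode(body, validate=True)          # refuse to publish a corrupted key
    record = f"v=DKIM1; k={key_type}; p={body}"
    # A single TXT <character-string> holds at most 255 octets. Longer values
    # (every 2048-bit RSA key) must be split into several quoted strings, which
    # resolvers and DKIM verifiers concatenate again.
    strings = [record[i:i + 255] for i in range(0, len(record), 255)]
    return f"{selector}._domainkey", strings


def zone_file_line(domain, selector, pem):
    """Render the record as a BIND-style zone file line for review."""
    name, strings = pem_public_key_to_dkim_txt(pem, selector)
    quoted = " ".join(f'"{s}"' for s in strings)
    return f"{name}.{domain}. IN TXT ( {quoted} )"


def dkim_txt_to_public_key_der(txt):
    """Reverse step on the verifying side: join the TXT strings, take the p=
    tag out of the record and decode it to DER bytes."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return base64.b64decode(tags["p"])
```

Check the published record with a plain DNS query for the selector name before switching on signing; a key that was pasted as one 338-character string into a DNS admin tool that silently truncates at 255 is a common reason for dkim=fail on every message.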

DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING & CONFORMANCE (DMARC)

DMARC is an email validation mechanism
Implemented on top of SPF and DKIM
DMARC is policy based
Policy is published in DNS
Policy defines what to do if the SPF or DKIM check fails: quarantine, reject or none
DMARC has reporting capability

DMARC PROCESS FLOW

User sends email, mail server inserts DKIM header
Recipient server checks SPF and DKIM record
Recipient server retrieves DMARC policy
Recipient server applies policy
Recipient server sends DMARC report

DMARC DETAILS

Example DNS record:
v=DMARC1;p=none;sp=none;pct=100;rua=mailto:dmarcreports@exchangelabs.nl

p = policy, rua = reporting URI
Optional: adkim = alignment mode for DKIM, aspf = alignment mode for SPF
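Added example in Python, not part of the slides: parsing the DMARC record above and applying it the way a receiving server does, including the identifier alignment that the adkim and aspf tags control (DMARC passes only if SPF or DKIM passed for a domain that aligns with the From: domain). It goes slightly beyond the slide by also handling sp= for subdomains. The organizational domain is approximated as "the last two labels", an assumption; a real verifier uses the public suffix list. pct= sampling is not applied.

```python
def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record (v=DMARC1 and p= are required)")
    tags.setdefault("adkim", "r")        # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])     # subdomain policy falls back to p=
    return tags


def org_domain(domain):
    """Approximate organizational domain: the last two labels (assumption; the
    public suffix list is needed for names such as example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier_domain, from_domain, mode):
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    a = identifier_domain.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(policy, policy_domain, header_from,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).
    spf_domain is the RFC5321.MailFrom domain, dkim_domain the d= of a
    verified signature, header_from the RFC5322.From domain. DMARC passes when
    SPF or DKIM passed AND that identifier aligns with header_from; otherwise
    the disposition is p= (or sp= when header_from is a subdomain of the
    domain the record was published for)."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = header_from.lower() != policy_domain.lower()
    requested = policy["sp"] if is_subdomain else policy["p"]
    return "fail", (requested if requested in ("quarantine", "reject") else "none")
```

With the slide's record (p=none) a failing message is still delivered; the only effect is the entry in the aggregate report, which is why p=none is the safe first step before quarantine or reject.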

DMARC REPORTS

Some platforms return DMARC reports to the mailbox mentioned in the DMARC DNS record
DMARC reports are XML files
Need a service like Dmarcian or Agari to analyze DMARC reports
Or use a script: http://bit.ly/DMARCScript
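Added example in Python, not part of the slides and not the script linked above: summarising one aggregate (rua) report per sending IP, which is the "analyze your reputation" step of the rollout. Reports arrive as zip or gzip attachments containing XML in the RFC 7489 feedback format; the XML below is a constructed sample with made-up counts and a made-up reporter, reusing the domain and sender IP from the earlier slides.

```python
import xml.etree.ElementTree as ET

# Constructed sample report (structure per RFC 7489 Appendix C, data invented).
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>exchangelabs.nl</domain><p>none</p></policy_published>
  <record>
    <row>
      <source_ip>176.62.196.244</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>exchangelabs.nl</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>exchangelabs.nl</header_from></identifiers>
  </record>
</feedback>"""


def summarize_report(xml_text):
    """Aggregate message counts per source IP from one rua report."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": {},
    }
    for record in root.findall("record"):
        ip = record.findtext("row/source_ip")
        count = int(record.findtext("row/count"))
        evaluated = record.find("row/policy_evaluated")
        # policy_evaluated holds the *aligned* DKIM and SPF results; DMARC
        # passed if either of them did.
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        src = summary["sources"].setdefault(ip, {"messages": 0, "passed": 0, "failed": 0})
        src["messages"] += count
        src["passed" if passed else "failed"] += count
    return summary


def unauthenticated_sources(summary):
    """IPs that put the domain in From: but never passed DMARC. Each one is
    either a mail source missing from the inventory (add it to SPF/DKIM) or
    someone else using the domain; finding both is what a p=none phase is for."""
    return sorted(ip for ip, s in summary["sources"].items() if s["passed"] == 0)
```

Running this over a few weeks of reports from the larger receivers gives the source inventory the next slide asks for, before any policy stricter than none is published.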

DMARCIAN-EU.COM

HOW TO GET STARTED?

Start analyzing your reputation
Implement DMARC with policy=none, reports to Dmarcian or your own reporting mailbox
Inventory your email sources (can be extremely complex): office mail, bulk mail, website forms, invoices etc.
If you have a solid view on your email, implement DKIM and SPF

3RD PARTY (CLOUD) SOLUTIONS

EOP supports SPF, DKIM and DMARC out of the box
Create DNS CNAME records
Turn on DKIM signing in the Exchange Admin Center
Check Gareth Gudger’s blog post: http://bit.ly/2e0XHZw
Same process for other vendors like Symantec Cloud (Brightmail SMTP gateway)
Cisco IronPort has DKIM and DMARC modules

DKIM IN OFFICE 365

OTHER 3RD PARTY VENDORS

Symantec MessageLabs
MimeCast
ProofPoint
IronPort
Barracuda
TrendMicro
More on http://dkim.org/deploy/

SUMMARY

SPF, DKIM and DMARC are used for authentication purposes, both inbound and outbound

DKIM and DMARC are not supported by Exchange on-premises
Use a 3rd party solution for DKIM and DMARC
Start with implementing DMARC for analyzing email reputation

Silver Sponsors

Gold Sponsors

Bronze Sponsors

S/MIME

S/MIME

S/MIME is all about client signing and encryption
Secure/Multipurpose Internet Mail Extensions
S/MIME is based on a Digital ID (certificate)
Signing based on private key
Verify based on public key
Encryption based on public key
Decryption based on private key

ADD AND VERIFY S/MIME SIGNATURE

Question: What happens if server adds a disclaimer?

S/MIME SIGNATURE

ENCRYPT AN OUTBOUND MESSAGE

Need the recipient’s public key for encryption purposes
But how do I get this public key?

S/MIME USER EXPERIENCES

Imagine your CEO needs to do all this
Or there is a legal requirement to encrypt or sign.... and users forget to do so....
Internal messaging is not really an issue
But external messaging is prone to (user) error

TLS

TRANSPORT LAYER SECURITY

TLS is server to server encryption and authentication
Exchange uses ‘opportunistic TLS’: used whenever possible
Exchange can use a self-signed certificate: only for encryption, not for authentication

TRANSPORT LAYER SECURITY

Forced TLS implemented as ‘Domain Security’
Servers authenticate and encrypt
No authentication? No mail flow
Need proper SSL certificates, dedicated Send Connectors and possibly Receive Connectors
Transport configuration needs to be configured for both domains

TRANSPORT LAYER SECURITY

Whenever possible Exchange uses server to server encryption: encryption, no authentication
For authentication use Domain Security
Configured on a per-domain basis
No need for user action
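Added example in Python, not part of the slides: the delivery decision an outbound server makes under opportunistic TLS versus Domain Security, together with the two ssl context configurations that correspond to "encrypt against anything, even self-signed" and "authenticate the peer or do not deliver". The EHLO replies and the certificate outcome are constructed inputs, so nothing touches the network; mail.example.org is a made-up host.

```python
import ssl

# Constructed EHLO replies: one receiving server advertises STARTTLS, one does not.
EHLO_WITH_STARTTLS = (
    "250-mail.example.org Hello\r\n"
    "250-SIZE 37748736\r\n"
    "250-STARTTLS\r\n"
    "250 OK\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.org Hello\r\n"
    "250-SIZE 37748736\r\n"
    "250 OK\r\n"
)


def ehlo_keywords(response):
    """Extract the EHLO keywords (SIZE, STARTTLS, ...) from a multi-line 250
    reply. The first line is the greeting and carries no keyword."""
    keywords = []
    for line in response.strip().split("\r\n")[1:]:
        if line.startswith("250") and len(line) > 4:
            keywords.append(line[4:].split()[0].upper())
    return keywords


def tls_context(require_authentication):
    """Opportunistic TLS: encrypt even against a self-signed certificate, so
    the peer is not verified at all. Domain Security: the certificate chain
    and the hostname must verify, which is what makes it authentication."""
    ctx = ssl.create_default_context()
    if not require_authentication:
        ctx.check_hostname = False         # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx):
    """True if a handshake with this context would reject an unverifiable peer."""
    return ctx.verify_mode != ssl.CERT_NONE and ctx.check_hostname


def decide_delivery(domain_secured, ehlo_response, certificate_verifies):
    """Returns 'deliver-tls', 'deliver-plain' or 'refuse'.
    Opportunistic: use TLS when offered, otherwise fall back to plaintext.
    Domain Security: TLS with a verified certificate, or no mail flow at all."""
    offers_tls = "STARTTLS" in ehlo_keywords(ehlo_response)
    if domain_secured:
        return "deliver-tls" if offers_tls and certificate_verifies else "refuse"
    return "deliver-tls" if offers_tls else "deliver-plain"
```

The "refuse" branch is the operational price of Domain Security: a certificate that expires on either side stops mail flow for that domain, so both partners need to monitor expiry, not just the one who asked for forced TLS.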


SUMMARY

SPF, DKIM and DMARC are used for authentication purposes, both inbound and outbound

Use a 3rd party solution for DKIM and DMARC
Start with implementing DMARC for analyzing email reputation
S/MIME is a client based solution for signing and encryption
It has some sharp edges that can hurt end users
TLS is used for server to server encryption
