
DANE Secured E-Mail Demonstration Wes Hardaker Parsons - PowerPoint PPT Presentation



  1. DANE Secured E-Mail Demonstration Wes Hardaker Parsons <wes.hardaker@parsons.com>

  2. Overview
     ● My Background
     ● In scope topics
     ● Securing E-Mail Requirements
     ● Implementing Each Requirement
     2 wes.hardaker@parsons.com

  3. My Background
     ● Part of the Network Security Research Group
       – A small division within PARSONS
       – Experts on and evangelists for security protocols
     ● My DNS history
       – Multiple DNS RFCs: 4509, 6168, 7477, 7671, 7672
       – DNSSEC-Tools development
       – DNS-Sentinel: DNS/DNSSEC monitoring service

  4. What I am covering
     ● How to set up secure E-Mail with DANE
     What I am not covering
     ● How DNSSEC and DANE work
       – See my slides from ICANN 53 / Buenos Aires
       – My YouTube “Tutorial on DANE and DNSSEC” video: https://www.youtube.com/watch?v=BhvU19RJrPY
     ● Securing E-Mail clients to their ISP
       – i.e.: We're not discussing POP, IMAP, etc.
       – Today: server to server (ISP to ISP)

  5. Server-to-Server Email
     ● Simple Mail Transport Protocol (SMTP)
     [Diagram: 1: Alice's Mail User Agent (MUA) sends the email to her ISP; 2: Alice's ISP's Mail Transfer Agent forwards the message to Bob's ISP over SMTP; 3: Bob's MUA downloads the message via IMAP or POP]
     ● We're talking about this today: the SMTP hop between the ISPs (step 2)
     ● The client legs (IMAP or POP) are largely secured today through manual configuration parameters

  6. Requirements for Receiving Secure E-Mail

  7. Receiving Secure E-Mail
     ● Be found by the distant server (DNSSEC)
     ● Accept an authenticated connection (DANE)
     ● Accept an encrypted connection (DANE)
     ● Your DNS zone must be DNSSEC signed
     ● Your DNS zone must include a DANE record

  8. Receiving Secure Mail with Postfix (regardless of DANE usage)
     ● Create a certificate to use:
         openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.pem -out server.pem
     ● Tell postfix to use it:
         smtpd_tls_key_file = /etc/postfix/server.pem
         smtpd_tls_cert_file = /etc/postfix/server.pem
         smtpd_tls_security_level = may

  9. DNS Records for our test zone
     ● In the DNSSEC-Tools.org zone, I created:
       – dane.dnssec-tools.org:
           dane IN 60 A 192.0.2.1
           dane IN 60 MX 10 dane.dnssec-tools.org.
           _25._tcp.dane IN 60 TLSA 3 1 1 e8d145d7df0b269d19a5107e489419e0445df7d3c256e0ec24a2a23ff25d249c
       – And DNSSEC signed it!
           dane.dnssec-tools.org. 60 IN RRSIG A 5 3 60 20151113185506 20151014175506 3147 dnssec-tools.org. UY3+UB7GyO/eaNsf5fFTbTBx9G6R......

  10. CRITICAL
     ● When you update your mail server certificate
       – You must update your TLSA record to match!
     ● You must continue to resign your zone
     ● You should monitor your services:
       – DNS/DNSSEC health checks
       – DANE records match the mail server certificate
       – Have it yell loudly when broken!!
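The "DANE records match the mail server certificate" check from slide 10, applied to the 3 1 1 record format of slide 9, as an added shell example that is not part of the slides. It assumes openssl (and dig, for the live lookup) are installed; the function names, file names and the host name dane.example are placeholders of my own.

```shell
#!/bin/sh
# Added example, not from the slides: derive the "3 1 1" TLSA value from a mail
# server certificate and compare it with what DNS publishes. Needs openssl (and
# dig for the live lookup); file names and the host dane.example are placeholders.
set -eu

# Usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching type 1
# (SHA-256): hash the DER-encoded public key, not the whole certificate.
tlsa_311_from_cert() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{ print $NF }'
}

# Normalize "usage selector mtype hex" from dig or a zone file: re-join hex
# that was wrapped across fields and lower-case it.
normalize_tlsa() {
  printf '%s\n' "$1" | awk '{ hex = ""; for (i = 4; i <= NF; i++) hex = hex $i;
    printf "%s %s %s %s\n", $1, $2, $3, tolower(hex) }'
}

# published_tlsa HOST: the SMTP (port 25) record. dig does not validate DNSSEC
# itself, so point it at a validating resolver (slide 24).
published_tlsa() { dig +short "_25._tcp.$1" TLSA; }

# check_tlsa CERT "3 1 1 <hex>": returns 0 = match, 1 = mismatch, 2 = unsupported.
check_tlsa() {
  rec=$(normalize_tlsa "$2")
  params=${rec% *}; hex=${rec##* }
  if [ "$params" != "3 1 1" ]; then
    echo "unsupported TLSA parameters '$params' (only 3 1 1 is handled)" >&2
    return 2
  fi
  want=$(tlsa_311_from_cert "$1")
  if [ "$hex" = "$want" ]; then
    echo "OK: TLSA record matches $1"
  else
    echo "MISMATCH: DNS has $hex, $1 gives $want; update the TLSA record" >&2
    return 1
  fi
}

# Demo (run with argument "demo"): a throwaway self-signed certificate, kept in
# separate key/cert files unlike slide 8, and the record to publish for it.
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
  openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj /CN=dane.example \
    -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
  echo "_25._tcp.dane.example. IN TLSA 3 1 1 $(tlsa_311_from_cert "$dir/server.crt")"
fi
```

For a live check, feed `check_tlsa /etc/postfix/server.pem "$(published_tlsa dane.example)"` to your monitoring and alert on any non-zero exit.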

  11. Test It!
     ● https://dane.sys4.de/
       – A fantastic SMTP/DANE/DNSSEC testing utility
       – Checks if:
         ● Your zone is properly signed
         ● Your zone contains TLSA records
         ● Your SMTP TLS certificate matches your DANE records
         ● For each server!

  12. Requirements for Sending Secure E-Mail

  13. Sending Secure E-Mail Requirements
     ● DNS Software that verifies DNSSEC records
       – EVERY lookup from start to finish must be verified
         ● MX records
         ● Address records
         ● DNSSEC signatures and chain records
     ● Mail server software that verifies DANE records
       – Collects DNSSEC validated TLSA records
       – Certificates must match these TLSA records

  14. Configuring Postfix
     ● Needed deployment architecture:
       – DNSSEC Validating Resolver
       – Postfix 2.11 or better
       – Running on the same host
     ● Needed configuration:
         smtp_tls_security_level = dane
         smtp_dns_support_level = dnssec

  15. Demonstration
     ● Sending via an insecure mail server
     ● Sending to a DANE secured address
     ● Sending to a DANE failing address
     ● Sending to a domain with two MX records (with the first being broken)

  16. Demonstration Test #1
     ● No security turned on
     ● Plain text transfer
     ● An undetectable man-in-the-middle possible
     [Diagram: My Laptop hands the message to the Mail Transfer Agent ("Deliver this for me!"); the MTA asks the dnssec-tools.org DNS Server "Where should I send mail?" and is told "To this guy!" (zone tree: org → dnssec-tools.org → dane, with NS, MX and A records); the MTA then delivers "Here's some mail" to the dane.dnssec-tools.org SMTP Server]

  17. Demonstration Test #2
     ● Using a validating resolver
     ● Authenticated and Encrypted E-Mail!
     ● No chance of a man-in-the-middle
     [Diagram: My Laptop hands the message to the Mail Transfer Agent ("Deliver this for me!"); the MTA asks the dnssec-tools.org DNS Server "Where should I send mail?" and is told "To this guy! With this X.509" (zone tree: org → dnssec-tools.org → dane, with NS, MX, A and TLSA records); the MTA then delivers "Here's some mail" to the dane.dnssec-tools.org SMTP Server]

  18. Demonstration Test #3
     ● A bad guy
     ● Simulated by a bad record!
     ● (could be a mistake! Be careful!)
     [Diagram: My Laptop hands the message to the Mail Transfer Agent ("Deliver this for me!"); the MTA asks the dnssec-tools.org DNS Server "Where should I send mail?" and is told "To this guy! With this X.509" (zone tree: org → dnssec-tools.org → dane-bad, with NS, MX, A and TLSA records); the MTA then tries to deliver "Here's some mail" to the dane.dnssec-tools.org SMTP Server]

  19. Demonstration Test #4
     ● Two MX records
     ● The first one should fail
     ● The second should succeed
     [Diagram: My Laptop hands the message to the Mail Transfer Agent ("Deliver this for me!"); the MTA asks the dnssec-tools.org DNS Server "Where should I send mail?" and is told "To this guy! With this X.509" or "Or this guy! With this X.509" (zone tree: org → dnssec-tools.org → dane-bad2, with NS records and MX entries srv1 and srv2); the MTA then delivers to the srv1.dnssec-tools.org SMTP Server or the srv2.dnssec-tools.org SMTP Server]

  20. Come On Out And Play
     ● 28,000 Domains with DANE/SMTP enabled!
     ● And the RFC has only been out for a week!

  21. Questions? ICANN 53 Buenos Aires

  22. Extra Slides

  23. Available Software
     ● DNSSEC Compliant Name Servers
       – Most recent releases of just about everything
       – (no excuses here)
     ● Mail Software
       – Postfix 2.11 or higher
       – EXIM 4.85 or higher

  24. Try looking up the data!
     ● Using a DNSSEC compliant resolver:
       – dig dane.dnssec-tools.org MX
       – dig dane.dnssec-tools.org A
       – dig _25._tcp.dane.dnssec-tools.org TLSA
       – dig +dnssec dane.dnssec-tools.org MX

  25. Resources
     ● RFC6698 DANE
     ● RFC7218 DANE Acronyms
     ● RFC7672 SMTP
     ● RFC7671 DANE Guidance
     ● http://www.dnssec-tools.org/
     ● http://postfix.org/
