DANE Secured E-Mail Demonstration - Wes Hardaker, Parsons - PowerPoint PPT Presentation



Slide 1

DANE Secured E-Mail Demonstration Wes Hardaker Parsons <wes.hardaker@parsons.com>

Slide 2

wes.hardaker@parsons.com

Overview

  • My Background
  • In scope topics
  • Securing E-Mail Requirements
  • Implementing Each Requirement

Slide 3

My Background

  • Part of the Network Security Research Group
    – A small division within PARSONS
    – Experts on and evangelists for security protocols
  • My DNS history
    – Multiple DNS RFCs: 4509, 6168, 7477, 7671, 7672
    – DNSSEC-Tools development
    – DNS-Sentinel: a DNS/DNSSEC monitoring service

Slide 4

What I am covering

  • How to set up secure E-Mail with DANE

What I am not covering

  • How DNSSEC and DANE work
    – See my slides from ICANN 53 / Buenos Aires
    – My YouTube “Tutorial on DANE and DNSSEC” video: https://www.youtube.com/watch?v=BhvU19RJrPY
  • Securing E-Mail clients to their ISP
    – I.e. we're not discussing POP, IMAP, etc.
    – Today: server to server (ISP to ISP)

Slide 5

Server-to-Server Email

[Diagram: Alice's Mail User Agent, Alice's ISP (Mail Transfer Agent), SMTP hop, Bob's ISP (Mail Transfer Agent), Bob's MUA]

  1: Alice's Mail User Agent (MUA) sends the email to her ISP
  2: Alice's ISP forwards the message to Bob's ISP: Mail Transfer Agent to Mail Transfer Agent over the Simple Mail Transport Protocol (SMTP). We're talking about this today.
  3: Bob's MUA downloads the message via IMAP or POP

Largely secured today through manual configuration parameters

Slide 6

Requirements for Receiving Secure E-Mail

Slide 7

Receiving Secure E-Mail

  • Be found by the distant server: DNSSEC
  • Accept an authenticated connection: DANE
  • Accept an encrypted connection: DANE

  • Your DNS zone must be DNSSEC signed
  • Your DNS zone must include a DANE record

Slide 8

Receiving Secure Mail with Postfix

(regardless of DANE usage)

  • Create a certificate to use:

    openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.pem -out server.pem

  • Tell postfix to use it (in main.cf):

    smtpd_tls_key_file = /etc/postfix/server.pem
    smtpd_tls_cert_file = /etc/postfix/server.pem
    smtpd_tls_security_level = may

Slide 9

DNS Records for our test zone

  • In the DNSSEC-Tools.org zone, I created:
    – dane.dnssec-tools.org:

      dane           IN 60 A    192.0.2.1
      dane           IN 60 MX   10 dane.dnssec-tools.org.
      _25._tcp.dane  IN 60 TLSA 3 1 1 e8d145d7df0b269d19a5107e489419e0445df7d3c256e0ec24a2a23ff25d249c

    – And DNSSEC signed it!

      dane.dnssec-tools.org. 60 IN RRSIG A 5 3 60 20151113185506 20151014175506 3147 dnssec-tools.org. UY3+UB7GyO/eaNsf5fFTbTBx9G6R......

Slide 10

CRITICAL

  • When you update your mail server certificate
    – You must update your TLSA record to match!
  • You must continue to re-sign your zone
  • You should monitor your services:
    – DNS/DNSSEC health checks
    – DANE records match the mail server certificate
    – Have it yell loudly when broken!!
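Slides 9 and 10 publish a "3 1 1" TLSA record for the mail server and warn that it must be regenerated whenever the server certificate changes. The following is an added example, not code from the presentation, DNSSEC-Tools or Postfix: it derives the record data from a DER certificate using only the Python standard library (a small DER walker extracts the SubjectPublicKeyInfo, and the data is its SHA-256), emits the zone-file line, and checks a published record against the certificate a server actually serves. The owner name `_25._tcp.dane` and the TTL of 60 come from slide 9; the certificate itself is constructed by hand (structurally valid, unsigned, with a nonsense key) so that the module runs offline. With a real `server.pem` you would pass that file's DER bytes instead.

```python
"""Build and check DANE TLSA records for an SMTP server certificate.

Added example (not from the presentation, DNSSEC-Tools or Postfix), standard
library only. RFC 6698 "3 1 1": usage 3 = DANE-EE, selector 1 = SPKI,
matching type 1 = SHA-256 over the DER SubjectPublicKeyInfo.
"""
import hashlib


def der_tlv(data, pos=0):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def spki_from_cert(cert_der):
    """Extract the DER SubjectPublicKeyInfo from a DER X.509 Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, start, _ = der_tlv(cert_der)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    tag, pos, _ = der_tlv(cert_der, start)          # tbsCertificate
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    if cert_der[pos] == 0xA0:                        # optional [0] version
        _, _, pos = der_tlv(cert_der, pos)
    for _ in range(5):       # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    tag, _, spki_end = der_tlv(cert_der, pos)
    assert tag == 0x30, "subjectPublicKeyInfo is not a SEQUENCE"
    return cert_der[pos:spki_end]


def tlsa_data(cert_der, selector=1, mtype=1):
    """Certificate association data (hex) for a selector / matching type."""
    payload = spki_from_cert(cert_der) if selector == 1 else cert_der
    if mtype == 0:                         # full data, no hash
        return payload.hex()
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    return digest(payload).hexdigest()


def tlsa_record(owner, cert_der, usage=3, selector=1, mtype=1, ttl=60):
    """Zone-file line for the record, e.g. for owner "_25._tcp.dane"."""
    data = tlsa_data(cert_der, selector, mtype)
    return f"{owner} {ttl} IN TLSA {usage} {selector} {mtype} {data}"


def tlsa_matches(cert_der, rdata):
    """Does a published TLSA rdata string ("3 1 1 <hex>") match this cert?

    RFC 6698 allows whitespace inside the hex field, so it is joined first.
    Usage 2 (DANE-TA) needs chain building and is not evaluated here.
    """
    usage, selector, mtype, *hexparts = rdata.split()
    if int(usage) != 3:
        return False
    published = "".join(hexparts).lower()
    return tlsa_data(cert_der, int(selector), int(mtype)) == published


# ---- constructed sample certificate (assumption: not a real key or cert) ----
def _der(tag, body):
    """Tiny DER encoder used only to build the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


RSA_OID = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")       # rsaEncryption
SHA256_RSA_OID = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSA


def make_sample_cert(key_bytes):
    """Structurally valid DER certificate whose SPKI wraps key_bytes."""
    spki = _der(0x30, _der(0x30, RSA_OID + _der(0x05, b""))
                + _der(0x03, b"\x00" + key_bytes))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))            # [0] version v3
               + _der(0x02, b"\x01")                      # serialNumber
               + _der(0x30, SHA256_RSA_OID)               # signature
               + _der(0x30, b"")                          # issuer (empty Name)
               + _der(0x30, _der(0x17, b"151014175506Z")
                      + _der(0x17, b"161014175506Z"))     # validity (made up)
               + _der(0x30, b"")                          # subject
               + spki)
    return _der(0x30, tbs + _der(0x30, SHA256_RSA_OID) + _der(0x03, b"\x00" * 9))


SAMPLE_CERT = make_sample_cert(b"\x11" * 16)
ROTATED_CERT = make_sample_cert(b"\x22" * 16)   # same cert shape, new key


if __name__ == "__main__":
    print(tlsa_record("_25._tcp.dane", SAMPLE_CERT))
    # After a key rotation the old record no longer matches (slide 10's point):
    old = tlsa_record("_25._tcp.dane", SAMPLE_CERT).split("TLSA ")[1]
    print(tlsa_matches(ROTATED_CERT, old))
```

For a real certificate the same "3 1 1" data is what the standard openssl pipeline prints: `openssl x509 -in server.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`. Running `tlsa_matches` against the certificate the live server presents, with the rdata fetched from DNS, is the "DANE records match the mail server certificate" check the slide asks you to monitor.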

Slide 11

Test It!

  • https://dane.sys4.de/
    – A fantastic SMTP/DANE/DNSSEC testing utility
    – Checks if:
      • Your zone is properly signed
      • Your zone contains TLSA records
      • Your SMTP TLS certificate matches your DANE records
      • For each server!

Slide 12

Requirements for Sending Secure E-Mail

Slide 13

Sending Secure E-Mail Requirements

  • DNS Software that verifies DNSSEC records
    – EVERY lookup from start to finish must be verified
    – MX records
    – Address records
    – DNSSEC signatures and chain records
  • Mail server software that verifies DANE records
    – Collects DNSSEC validated TLSA records
    – Certificates must match these TLSA records

Slide 14

Configuring Postfix

  • Needed deployment architecture:
    – DNSSEC Validating Resolver
    – Postfix 2.11 or better
    – Running on the same host
  • Needed configuration:

    smtp_tls_security_level = dane
    smtp_dns_support_level = dnssec

Slide 15

Demonstration

  • Sending via an insecure mail server
  • Sending to a DANE secured address
  • Sending to a DANE failing address
  • Sending to a domain with two MX records (with the first being broken)

Slide 16

Demonstration Test #1

[Diagram: the Mail Transfer Agent on My Laptop asks the dnssec-tools.org DNS Server "Where should I send mail?" (NS, MX, A lookups); the answer is "To this guy!", the dane.dnssec-tools.org SMTP Server, which is handed the mail with "Deliver this for me!"]

  • No security turned on
  • Plain text transfer
  • An undetectable man-in-the-middle possible

Slide 17

Demonstration Test #2

[Diagram: as in Test #1, but the lookups are NS, MX, A and TLSA, and the dnssec-tools.org DNS Server answers "To this guy! With this X.509"; the dane.dnssec-tools.org SMTP Server then receives "Here's some mail. Deliver this for me!"]

  • Using a validating resolver
  • Authenticated and Encrypted E-Mail!
  • No chance of a man-in-the-middle

Slide 18

Demonstration Test #3

[Diagram: as in Test #2 (NS, MX, A and TLSA lookups, "To this guy! With this X.509"), but the destination is dane-bad.dnssec-tools.org, an SMTP Server whose TLSA record does not match]

  • A bad guy
  • Simulated by a bad record!
  • (could be a mistake! Be careful!)

Slide 19

Demonstration Test #4

[Diagram: the dnssec-tools.org DNS Server answers with two MX hosts, srv1.dnssec-tools.org ("To this guy! With this X.509") and srv2.dnssec-tools.org ("Or this guy! With this X.509"); the Mail Transfer Agent on My Laptop delivers to the SMTP Server whose connection succeeds. Diagram labels: NS, srv1, srv2, dane-bad2]

  • Two MX records
  • The first one should fail
  • The second should succeed
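Tests #1 to #4 exercise the decisions a sending MTA makes under `smtp_tls_security_level = dane` (slide 14): no DANE without a validating resolver, authenticated delivery when the certificate matches a validated TLSA record, a failed handshake when it does not, and fall-through to the next MX host. The following is an added example, not code from the presentation or from Postfix: it simulates those decisions against constructed in-memory DNS answers following RFC 7672. The host names are the ones on the slides; the TLSA hex values and the "presented" certificate hashes are made up, "secure" stands for an answer the local validating resolver authenticated, and only DANE-EE (usage 3) matching is evaluated.

```python
"""Simulate the per-MX-host TLS policy an SMTP client derives under
Postfix's "smtp_tls_security_level = dane" (RFC 7672 semantics).

Added example, not code from the presentation or from Postfix. DNS answers
are constructed dictionaries; "secure" means the local validating resolver
authenticated the answer (AD bit). Only DANE-EE (usage 3) matching is
evaluated; DANE-TA (usage 2) needs chain building and is omitted here.
"""

USABLE_USAGES = {2, 3}       # RFC 7672: PKIX usages 0 and 1 are not used for SMTP
USABLE_SELECTORS = {0, 1}
USABLE_MTYPES = {0, 1, 2}


def is_usable(rdata):
    """RFC 7672 section 3: usage, selector and matching type are all supported."""
    usage, selector, mtype, _ = rdata.split(None, 3)
    return (int(usage) in USABLE_USAGES and int(selector) in USABLE_SELECTORS
            and int(mtype) in USABLE_MTYPES)


def dane_ee_matches(rdata, presented):
    """presented maps (selector, mtype) to the hex association data computed
    from the certificate the server actually sent (constructed values below)."""
    usage, selector, mtype, data = rdata.split(None, 3)
    if int(usage) != 3:
        return False                      # DANE-TA not simulated here
    return presented.get((int(selector), int(mtype))) == "".join(data.split()).lower()


def effective_level(host, mx_secure):
    """TLS policy for one MX host: 'may', 'encrypt' or 'dane'."""
    if not mx_secure or not host["tlsa_secure"]:
        return "may"                      # unvalidated MX or TLSA data: DANE cannot apply
    if not host["tlsa"]:
        return "may"                      # secure denial of existence: opportunistic TLS
    if not any(is_usable(r) for r in host["tlsa"]):
        return "encrypt"                  # RFC 7672 s2.2: TLS required, unauthenticated
    return "dane"                         # authenticate the peer against its TLSA RRset


def attempt(host, level):
    """Outcome of a simulated TLS handshake with one host, or None on failure."""
    if level == "may":
        return "delivered, unauthenticated (TLS only if offered)"
    if level == "encrypt":
        return "delivered, encrypted but unauthenticated"
    usable = [r for r in host["tlsa"] if is_usable(r)]
    if any(dane_ee_matches(r, host["presented"]) for r in usable):
        return "delivered, DANE authenticated and encrypted"
    return None                           # certificate matched no TLSA record


def deliver(mx_hosts, mx_secure, security_level="dane"):
    """Try MX hosts by preference; return (host_name, outcome) or (None, 'deferred')."""
    for h in sorted(mx_hosts, key=lambda m: m["pref"]):
        level = effective_level(h, mx_secure)
        if security_level == "dane-only" and level != "dane":
            continue                      # dane-only refuses unauthenticated delivery
        outcome = attempt(h, level)
        if outcome:
            return h["name"], outcome
    return None, "deferred"


# ---- constructed scenarios mirroring Tests #1 to #4 (hashes are made up) ----
GOOD_HASH = "ab" * 32        # stands in for SHA-256(SPKI) of the real certificate
GOOD = "3 1 1 " + GOOD_HASH
BAD = "3 1 1 " + "cd" * 32   # a mistyped or stale record


def make_host(name, pref, tlsa, served_hash=GOOD_HASH, tlsa_secure=True):
    return {"name": name, "pref": pref, "tlsa": tlsa, "tlsa_secure": tlsa_secure,
            "presented": {(1, 1): served_hash}}


SCENARIOS = {
    # Test #1: non-validating resolver, nothing can be trusted, plain delivery
    "test1": dict(mx_hosts=[make_host("dane.dnssec-tools.org", 10, [GOOD])], mx_secure=False),
    # Test #2: validated MX and TLSA, certificate matches
    "test2": dict(mx_hosts=[make_host("dane.dnssec-tools.org", 10, [GOOD])], mx_secure=True),
    # Test #3: a bad (or mistaken) TLSA record and no other MX host
    "test3": dict(mx_hosts=[make_host("dane-bad.dnssec-tools.org", 10, [BAD])], mx_secure=True),
    # Test #4: two MX hosts, the preferred one is broken
    "test4": dict(mx_hosts=[make_host("srv1.dnssec-tools.org", 10, [BAD]),
                            make_host("srv2.dnssec-tools.org", 20, [GOOD])], mx_secure=True),
}


def run(name, security_level="dane"):
    return deliver(security_level=security_level, **SCENARIOS[name])


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, run(name))
```

Test #3 is the case slide 18 warns about: a single mistyped or stale record makes every validating sender defer your mail rather than fall back to plain text, which is why the monitoring on slide 10 matters. Passing `security_level="dane-only"` shows the stricter Postfix policy, which also refuses the unauthenticated delivery of Test #1.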

Slide 20

Come On Out And Play

28,000 Domains with DANE/SMTP enabled! And the RFC has only been out for a week!

Slide 21

Questions?

ICANN 53 Buenos Aires

Slide 22

Extra Slides

Slide 23

Available Software

  • DNSSEC Compliant Name Servers
    – Most recent releases of just about everything
    – (no excuses here)
  • Mail Software
    – Postfix 2.11 or higher
    – EXIM 4.85 or higher

Slide 24

Try looking up the data!

  • Using a DNSSEC compliant resolver:
    – dig dane.dnssec-tools.org MX
    – dig dane.dnssec-tools.org A
    – dig _25._tcp.dane.dnssec-tools.org TLSA
    – dig +dnssec dane.dnssec-tools.org MX

Slide 25

Resources

  • RFC6698: DANE
  • RFC7218: DANE Acronyms
  • RFC7672: SMTP
  • RFC7671: DANE Guidance
  • http://www.dnssec-tools.org/
  • http://postfix.org/