24 Oct 2025
NetSec
Email Security
- Every email is sent over the internet using SMTP, passing through MSAs (submission agents), MTAs (transfer agents) and MDAs (delivery agents).
- The boundary MTA looks up the recipient domain's MX records in DNS to find the server to deliver to.
- IMAP and POP are protocols used to retrieve mail from the MDAs.
- Email is hella insecure: plain SMTP gives neither confidentiality nor authentication.
- Email can be made end-to-end secure using S/MIME or PGP.
- Other schemes (STARTTLS, DANE, SPF below) secure individual hops rather than the whole path.
X.509 Certificates
- Essentially, they're just the user's public key (plus identity) signed by the certificate-issuing authority, i.e. a hash of it encrypted with the CA's private key.
S/MIME
- Parties need to know each other's RSA public keys.
- These are obtained from each party's X.509 certificate, issued by a CA.
- Notation: PU_R is the recipient's RSA public key, PR_S the sender's RSA private key (so E_RSA[PR_S, ·] is the sender's signature), K_S a one-time symmetric session key, E_X[K, ·] encryption under algorithm X with key K, and || concatenation.
- Confidentiality: E_RSA[PU_R, K_S] || E_AES[K_S, M]
- Auth: M || E_RSA[PR_S, SHA256(M)]
- Both: E_RSA[PU_R, K_S] || E_AES[K_S, M || E_RSA[PRS, SHA256(M)]] with PRS read as PR_S, i.e. E_RSA[PU_R, K_S] || E_AES[K_S, M || E_RSA[PR_S, SHA256(M)]]
PGP
- Doesn't depend on a CA: public keys are posted on TLS-protected websites instead.
- Works on pretty much the same principles as S/MIME.
STARTTLS
- This is done at the MTA level, i.e. hop by hop between mail servers, not end to end.
- Send mail over SMTP, upgrading the connection to TLS with the STARTTLS command (the servers negotiate TLS first).
- MITM is possible: STARTTLS is opportunistic, so an attacker on the path can strip the upgrade and the server certificate is usually not verified.
DANE
- The domain owner creates and publishes a DNSSEC-signed TLSA RR that identifies the mail server's certificate (or its public key).
- This makes an authoritative binding between the domain name and the cert, so a MITM can neither strip TLS nor substitute its own certificate.
SPF
- Sender Policy Framework lets a domain owner list all the IPs that are allowed to send email using the domain's name.
- The list is published in DNS as an SPF record (a TXT record on the domain); receiving MTAs check the connecting IP against it.
