Email Security
- Every email travels over the internet using SMTP: the user's client
hands it to an MSA, one or more MTAs relay it between domains, and an
MDA places it in the recipient's mailbox.
- The sending side's boundary MTA looks up the MX records in DNS for the
recipient's domain to find the host it should deliver to.
- IMAP and POP are the protocols clients use to retrieve mail from the
MDA.
- Plain SMTP email has no confidentiality, integrity or sender
authentication: every MTA on the path can read and alter the message,
and the envelope sender can be forged.
- Email can be made end-to-end secure using S/MIME or PGP.
- Other schemes (STARTTLS, DANE, SPF) secure individual hops or verify
the sending infrastructure rather than the message itself.
X.509 Certificates
- Essentially, an X.509 certificate binds a subject's name to its public
key, and the certificate authority signs that binding with its own
private key. Anyone holding the CA's public key can verify the signature;
the user's key is signed, not encrypted.
S/MIME
- Parties need to know each other's public keys (RSA in the classic
deployment).
- These are obtained from the respective X.509 certificates issued by a
CA, so trust rests on the CA hierarchy.
PGP
- Doesn't depend on a CA: users publish their public keys themselves (on
key servers or TLS-protected web pages) and vouch for each other's keys
in a web of trust, checking key fingerprints out of band.
- Otherwise works on pretty much the same principles as S/MIME: sign with
the sender's private key, encrypt to the recipient's public key.
STARTTLS
- This is done at the MTA level, hop by hop between servers.
- Send mail over SMTP, but first negotiate TLS: after EHLO the server
advertises STARTTLS, the client issues STARTTLS, and the rest of the
SMTP session runs inside the TLS channel.
- MITM is possible: the negotiation is opportunistic and unauthenticated,
so an on-path attacker can strip the STARTTLS advertisement and the
client silently falls back to plaintext; MTAs also typically don't
verify the server certificate.
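The downgrade described above, as an added example that is not part of the original notes: the EHLO/STARTTLS dialogue is modelled as message strings (no sockets, no real TLS), the hostnames and the server's EHLO reply are constructed, and the `require_tls` flag stands in for a policy (such as one derived from a DANE record) that tells the sending MTA to refuse plaintext.

```python
"""Simulated SMTP STARTTLS negotiation with an on-path downgrade attacker.
Messages are modelled as strings; no sockets or real TLS are involved."""
import re

# Constructed EHLO reply from a hypothetical receiving MTA that offers STARTTLS.
SERVER_EHLO_REPLY = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)


def server_capabilities(ehlo_reply):
    """Return the extension keywords advertised in a multi-line 250 EHLO reply.
    The first line is the server greeting, not an extension, so it is skipped."""
    caps = set()
    for line in ehlo_reply.splitlines()[1:]:
        m = re.match(r"250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def mitm_strip_starttls(ehlo_reply):
    """An active attacker between the MTAs rewrites the reply so STARTTLS is
    never offered. Nothing in plain SMTP authenticates the reply, so the
    client cannot detect the edit (assumes STARTTLS is not the final line)."""
    kept = [l for l in ehlo_reply.splitlines() if not l.upper().endswith("STARTTLS")]
    return "".join(l + "\r\n" for l in kept)


def smtp_session(ehlo_reply, require_tls=False):
    """Run the sending MTA's side of the dialogue against the reply it receives.
    Returns (mode, transcript) with mode 'tls', 'plaintext' or 'abort'."""
    transcript = [("C", "EHLO client.example.org"),
                  ("S", ehlo_reply.rstrip("\r\n"))]
    if "STARTTLS" in server_capabilities(ehlo_reply):
        transcript += [("C", "STARTTLS"),
                       ("S", "220 2.0.0 Ready to start TLS"),
                       ("*", "TLS handshake; a fresh EHLO and the rest of the session run inside TLS")]
        return "tls", transcript
    if require_tls:
        # Policy says TLS is mandatory for this destination: refuse to continue.
        transcript.append(("C", "QUIT"))
        return "abort", transcript
    # Opportunistic default: nothing offered, so carry on in the clear.
    transcript += [("C", "MAIL FROM:<alice@example.org>"),
                   ("*", "message body crosses the network unencrypted")]
    return "plaintext", transcript


if __name__ == "__main__":
    for label, reply in (("honest path", SERVER_EHLO_REPLY),
                         ("downgraded path", mitm_strip_starttls(SERVER_EHLO_REPLY))):
        mode, transcript = smtp_session(reply)
        print(f"{label}: {mode}")
        for who, msg in transcript:
            print(f"  {who}: {msg}")
```

With the default opportunistic policy the stripped reply leads straight to a plaintext session; only a client that has an independent reason to require TLS (the `require_tls` case) notices anything is wrong, and that independent reason is exactly what DANE supplies.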
DANE
- Domain owner creates and publishes a TLSA RR (under _25._tcp.<mailhost>
for SMTP) that identifies the server certificate or its public key,
usually by hash.
- This makes an authoritative binding between the domain name and the
cert, so the sending MTA can verify the server and refuse plaintext if
STARTTLS is missing; the binding only holds if the record is protected
by DNSSEC.
SPF
- Sender Policy Framework is used by a domain to list all the IPs that
are allowed to use its name in the envelope sender of outgoing mail.
- The policy is published as a DNS TXT record starting with v=spf1; the
receiving MTA looks it up and checks the connecting IP against it.
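A minimal SPF evaluator, as an added example that is not part of the original notes. It runs against a constructed in-memory DNS table rather than live lookups, and it goes beyond the bullets by covering the common mechanisms (ip4, ip6, a, mx, include, all) and the redirect= modifier; macros, exists, ptr and prefix lengths on a/mx are deliberately left out. All domain names, addresses and records below are constructed.

```python
"""Minimal SPF evaluator run against a constructed DNS table."""
import ipaddress

# Constructed DNS data standing in for live lookups.
DNS = {
    "example.org": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:mailer.example.net -all"],
        "MX": ["mx1.example.org"],
    },
    "mx1.example.org": {"A": ["203.0.113.10"]},
    "mailer.example.net": {"TXT": ["v=spf1 ip4:198.51.100.5 ~all"]},
    "legacy.example.org": {"TXT": ["v=spf1 redirect=example.org"]},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(dns, name, rrtype):
    return dns.get(name.lower().rstrip("."), {}).get(rrtype, [])


def parse_spf(txt):
    """Split a v=spf1 record into mechanism terms (qualifier, name, arg) and modifiers."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for term in parts[1:]:
        key, eq, value = term.partition("=")
        if eq and key.isalpha():            # modifier such as redirect= or exp=
            modifiers[key.lower()] = value
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms, modifiers


def host_has_ip(dns, host, ip):
    rrtype = "A" if ip.version == 4 else "AAAA"
    return any(ipaddress.ip_address(a) == ip for a in lookup(dns, host, rrtype))


def check_spf(domain, sender_ip, dns, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip using domain."""
    if depth > 10:
        return "permerror"                  # bound include/redirect nesting
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(dns, domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"                  # exactly one SPF record is allowed
    mechanisms, modifiers = parse_spf(records[0])
    for qualifier, name, arg in mechanisms:
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "a":
            matched = host_has_ip(dns, arg or domain, ip)
        elif name == "mx":
            matched = any(host_has_ip(dns, mx, ip) for mx in lookup(dns, arg or domain, "MX"))
        elif name == "include":
            # include only matches when the referenced policy yields pass
            matched = check_spf(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"              # exists, ptr and macros not implemented
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    if "redirect" in modifiers:             # applies only when nothing matched
        return check_spf(modifiers["redirect"], sender_ip, dns, depth + 1)
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "203.0.113.10", "198.51.100.5", "198.51.100.6", "2001:db8::1"):
        print(f"{ip:>14} as example.org -> {check_spf('example.org', ip, DNS)}")
```

Two behaviours worth noting: an include: only contributes a match when the included domain's policy returns pass, so a softfail from mailer.example.net still ends at example.org's own -all; and the terminating -all is what makes the policy enforceable, since a record that ends in ?all or ~all gives the receiver little reason to reject.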