Skip to main content

Posted in Security.

Implementing MTA-STS for Mail authentication

TLS uses certificates for encryption, but they aren’t used for verifying the identity of the destination server. This exposes SMTP connections to DNS tampering that can redirect connections to an attacker’s server. Senders have no way to confirm that destination server is the intended email server. The SMTP MTA Strict Transport Security (MTA-STS) standard was developed to ensure that TLS is always used, and to provide a way to for sending servers to refuse to deliver messages to servers that don’t support TLS and have a trusted certificate.

I set this up for a domain that used Exchange Online for the mail.  To tell other MTA-STS mail servers to use this for our domain, I needed to create a file hosted at mta-sts.(domain), .well-known/mta-sts.txt, at mta-sts.(domain).

I created the subdomain https site, with only the .well-known/mta-sts.txt, running only on port 443 to protect this from tampering through other sites on the server.

After DNS for the subdomain (mta-sts.(domain) ) was set up (the A records) then I used Let's Encrypt to create the certificates.  And here's where I found that we really did need port 80 servers too, for the Let's Encrypt process.  I decided to leave these port 80 virtual hosts up as it doesn't really affect anything, and Let's Encrypt needs it every 90 days.

I set up the web servers with /.well-known/mta-sts.txt files, with this:

version: STSv1
mode: testing
mx: *.mail.protection.outlook.com
max_age: 604800

The version should increment with each change.  Because we use EXO, we use the *.mail.protection.outlook.com.

You should start with mode: testing, so you get the reports but nothing is blocked until you are confident that it is functioning correctly.

I created log files for the subdomain, just to keep a better eye on what is happening.  I added a favicon.ico file in the directory, just because it was being asked for by the web requests.

 

There was concern about server reboots, and what would happen when the mta-sts.txt file wasn't available.  Turns out the RFC accounts for this, if the DNS calls for MTA-STS but the mta-sts.txt file is not available (the policy can't be fetched) when trying to send a message, the sender should continue as though the domain has NOT implemented MTA-STS.

There is also a reporting feature, that tells senders using MTA-STS to send a daily report for their interactions with our server.  This is done through DNS.

TXT Record example:

         _smtp._tls.example.com. 3600 IN TXT v=TLSRPTv1;rua=mailto:This email address is being protected from spambots. You need JavaScript enabled to view it.

 Since we use EXO, they send our mail, and will send out the daily reports to the receiving domains.

More info will be added here as we move through the implementation. Right now it is just in testing.

Microsoft's document for this can be found here.

Posted in Security.

Resources for researching IP Addresses, and other things

In my job, we have lots of organizations that abuse the free services we provide.  I try to identify them and ask them politely to stop, before just blocking them.  In doing this, I've found several free resources that have been helpful in identifying network owners and contacts.

UIC - time, MAC, IP, speed test, whois, your info, character code tables/conversion, encode/decode, color codes.  Thanks to my friend Darren for letting me know about this one!

Internet Storm Center - They provide reports on IP addresses, including Country Code, ASN, AS Name, Whois info and abuse PoC.  With DShield, you can see reports on if the IP has been reported, how frequently, first report, last report, etc.  I start here.

BPGView - I found this useful for find a PoC for a network that ISC didn't have.

IPduh - very basic interface, but quite a bit of information and possible actions.

UPDATE:
I'm going to add the MAC Address research items here, not enough ATM to have a separate page.

Wireshark OUI Lookup Tool - The Wireshark OUI lookup tool provides an easy way to look up OUIs and other MAC address prefixes.

Didn't list your favorite?  Email me at This email address is being protected from spambots. You need JavaScript enabled to view it. and let me know yours!

network

Posted in Security.

Vendor Patch Days

As I perform the work necessary to maintain "The Radar Page" (view it here), I have found it handy to know what vendors publish bulletins on a schedule, and what that schedule is.

  • Monthly, first Monday
    • Qualcomm
    • MediaTek
  • Monthly, first Tuesday
    • Google publishes Android patches
    • Google publishes Pixel patches
    • Samsung
    • Fortinet
  • Monthly, second Tuesday
    • Microsoft
    • Adobe
    • SAP
    • Siemens
    • Schneider Electric
    • Intel
    • Lenovo
  • Monthly, second Wednesday
    • Palo Alto Networks
  • Quarterly, first Tuesday
    • Splunk
  • Quarterly, second Wednesday
    • Juniper
  • Quarterly, the Tuesday closest to the 17th
    • Oracle
  • Quarterly, no fixed schedule
    • F5
  • Semiannually, the fourth Wednesday of March and September
    • Cisco, bundles of Cisco IOS and IOS XE Software Security Advisories