###### tags: `finished`

:::success
# CIA Lab 5 - Mail Transfer Agents (MTA)
:::

## Task 1 - Install

:::info
1. Install from source code.
:::

**a)** First make sure that your system does not contain a pre-installed version of the MTA of your choice; if it does, remove it before you continue.

As you can see in the screenshot, I already have a pre-installed version of Exim, so I delete it with the command:

```
sudo apt purge exim4
```

<center>

![](https://i.imgur.com/51oI6BX.png)

Picture 1 - Exim

</center>

**b)** Make sure the source code is retrieved from a secure location. Use the official website for the MTA of your choice - https://www.exim.org/

**c)** Check the digital PGP signature. If your MTA is signed, make sure you have downloaded the correct sources by checking the validity of the key and the signature.

To do this, we need to download the Exim-Maintainers-Keyring.asc file from the official website and run the check:

```
wget https://downloads.exim.org/Exim-Maintainers-Keyring.asc
gpg --show-keys Exim-Maintainers-Keyring.asc   # inspect the fingerprints before importing anything
gpg --import Exim-Maintainers-Keyring.asc
```

<center>

![](https://i.imgur.com/1o4p82Q.png)

Picture 2 - Public key fingerprint verification and key import

</center>

We take the source package and its detached signature from the server and check that the signature matches the archive:

```
wget https://ftp.exim.org/pub/exim/exim4/exim-4.95.tar.bz2
wget https://ftp.exim.org/pub/exim/exim4/exim-4.95.tar.bz2.asc
gpg --verify exim-4.95.tar.bz2.asc exim-4.95.tar.bz2   # the check shown in Picture 3
```

<center>

![](https://i.imgur.com/mtDKspU.png)

Picture 3 - Checking whether the signature matches the source file

</center>

<center>

![](https://i.imgur.com/IlAwv5m.png)

Picture 4 - Unpacking

</center>

**d)** There are a number of options that you will have to set before compilation so that the required functionality is compiled into the program. Make sure the basic install holds all the necessary functionality. Show the options you configured.
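Before moving on to the build options, an added example for the signature check in step c) (my code, not part of the lab report): instead of trusting whichever key ends up in the imported keyring, it parses gpg's machine-readable `--status-fd` output and accepts the tarball only if the valid signature comes from a pinned maintainer fingerprint. The fingerprint constant is a placeholder and the sample status lines are constructed.

```python
"""Signature check for the Exim tarball with a pinned maintainer fingerprint.
Added example (not from the lab report): it drives `gpg --status-fd 1 --verify`
and accepts only a VALIDSIG made by the key whose fingerprint we pinned,
rather than any key that happens to be present in the imported keyring."""
import subprocess

# Placeholder, not a real Exim key: pin the fingerprint you checked out of band.
PINNED_FPR = "0000000000000000000000000000000000000000"
REJECT_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def evaluate_gpg_status(status_lines, pinned_fpr):
    """Return (ok, reason) for the lines gpg writes to --status-fd.

    VALIDSIG fields: signing-key fingerprint, dates/flags and, as the last
    field, the primary-key fingerprint; the pin may match either, so a
    release signed with a subkey of the pinned primary key is accepted.
    """
    seen_fprs = set()
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in REJECT_TAGS:
            return False, tag          # bad, unknown, expired or revoked key: never accept
        if tag == "VALIDSIG" and len(fields) >= 3:
            seen_fprs.update({fields[2].upper(), fields[-1].upper()})
    if not seen_fprs:
        return False, "NO_VALIDSIG"    # no good signature at all (or gpg printed nothing)
    if pinned_fpr.upper() not in seen_fprs:
        return False, "UNPINNED_KEY"   # valid signature, but from a key we did not pin
    return True, "VALIDSIG"


def verify_tarball(tarball, signature, pinned_fpr=PINNED_FPR):
    """Run gpg on a real download, e.g. verify_tarball("exim-4.95.tar.bz2", "exim-4.95.tar.bz2.asc")."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return evaluate_gpg_status(proc.stdout.splitlines(), pinned_fpr)


# Constructed sample status output (fingerprints are made up), in the format gpg emits.
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 1111222233334444 Exim Maintainer (placeholder) <maint@example.invalid>",
    "[GNUPG:] VALIDSIG AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111 2021-09-29 1632900000 0 4 0 1 10 00 "
    "BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222",
]
SAMPLE_BAD = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG 1111222233334444 Exim Maintainer (placeholder)"]
```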
```
# run from /tmp, where exim-4.95 was unpacked
export ALPINEMAKE=https://git.alpinelinux.org/cgit/aports/plain/community/exim/exim.Makefile
wget -O /tmp/exim-4.95/Local/Makefile $ALPINEMAKE   # use Alpine's Local/Makefile as the option template
mv exim-4.95 exim
sed -i -e 's/-lnsl//g' -e 's/^HAVE_ICONV.*$//' /tmp/exim/OS/Makefile-Linux   # drop -lnsl and the iconv setting
make makefile

# additional build dependencies:
sudo apt-get install -y tdb-tools tdb-dev
sudo apt-get install -y libtdb1
sudo apt install -y libmysqlclient-dev
sudo apt-get install -y libspf2-2 libspf2-dev
# note: several names on the next line are Alpine package names, not Debian/Ubuntu ones (e.g. libX11, openldap-dev)
sudo apt-get install -y libdb libdb-dev opendmarc libopendmarc libopendmarc-dev libX11 libX11-dev libXt libXt-dev libXaw libXaw-dev openldap openldap-dev
sudo apt-get install -y libpq-dev
sudo apt-get install -y libsqlite3-dev
sudo apt-get install libldap2-dev
sudo apt-get install libidn11-dev

make -j1
sudo make INSTALL_ARG="exim_dbmbuild exim_dumpdb exim_tidydb exim_fixdb exim_lock" install
sudo adduser exim
sudo make INSTALL_ARG="exim" install
```

<center>

![](https://i.imgur.com/SzO2mut.png)

Picture 5 - At this step, I decided it was time to use `apt-get install exim4`

</center>

:::info
2. Most of the options for an MTA can be found in a configuration file that will be loaded when the MTA starts. It is recommended to start with an example configuration that looks a lot like what you need for now. Show how you adapt it to your needs.
:::

```
sudo dpkg-reconfigure exim4-config
```

<center>

![](https://i.imgur.com/gTu4knx.png)

Picture 6 - Reconfig

</center>

:::info
3. Configure a local account on your experimental machine and make sure that the MTA can deliver mail to it. Show the required configuration.
:::

<center>

![](https://i.imgur.com/6m6v6lW.png)

Picture 7

</center>

At this point, I no longer understand what needs to be changed in the settings for the SMTP service to work.

## Task 2 - Sending mail - email validation - SPF & DKIM

:::info
Write a small paragraph that highlights the advantages and disadvantages of SPF and DomainKeys Identified Mail (DKIM). What would you choose at a first glance and why?
:::

**SPF:**

Pros:
+ it is useful both in spam-filtering systems and for protection against forged emails, because it ties an email to a specific domain and that domain's reputation;
+ SPF authorization confirms the link between the sender's address and the domain, so the domain's reputation, rather than the IP reputation, can be used to assess the message;
+ it is essential in IPv6 networks and cloud services, where reputation cannot be tied to individual IP addresses.

Cons:
- it does not directly protect against sender forgery or spam;
- emails that arrive via another server, for example forwarded ones, fail the check;
- it works only at the domain level, not for individual email addresses (for an email to pass SPF validation it must be sent only through an authorized server);
- what to do with emails that fail the check is outside the scope of the standard (it is determined by local policy);
- it does not apply to subdomains (each subdomain needs its own record).

**DKIM:**

Pros:
+ protects the recipient from emails sent with a spoofed sender address;
+ the message is checked on the recipient's side for integrity and for the authenticity of the sender;
+ allows senders to rotate the keys used to sign outgoing emails periodically (though this helps little while people keep archiving the DKIM public keys);

Cons:
- the DKIM signature can be stripped from the message so that it looks as if it had never been signed (since using DKIM is optional);
- it provides a lifetime guarantee of authenticity (steal emails once and they will still pass the authentication check years later);
- DKIM signatures live inside your archived mailbox;

[KeyForge: Non-Attributable Email from Forward-Forgeable Signatures (article, 2021)](https://eprint.iacr.org/2019/390.pdf)

Thus, nothing absolutely reliable exists: where the technical side does not fail, the human side will.
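Added example (my code, not part of the lab text) that evaluates SPF the way a receiving MTA does, over a constructed DNS table with placeholder domains and addresses. It reproduces two of the limitations listed above: mail relayed by a third-party forwarder fails against `-all`, and the check only ever looks at the envelope-sender domain, so a subdomain or a domain without a record gets no verdict at all.

```python
"""Minimal SPF evaluator (RFC 7208 subset: ip4, ip6, include, all) over a
constructed DNS table. Added example, not from the lab report: it shows why
forwarded mail fails SPF and why only the envelope-sender domain is checked."""
import ipaddress

# Constructed records (example.org / mailhost.example are placeholders, not real data).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.10 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, mail_from_domain, depth=0):
    """Return pass/fail/softfail/neutral/none for one connecting IP and the
    domain of the SMTP envelope sender (MAIL FROM), as a receiving MTA would."""
    record = SPF_RECORDS.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"                      # no record (or include loop): SPF says nothing
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:          # explicit qualifier, otherwise "+" is implied
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]        # a v4 address never matches an ip6 network, and vice versa
        if name == "include" and check_spf(sender_ip, arg, depth + 1) == "pass":
            return QUALIFIERS[qual]        # include matches only on the included domain's pass
    return "neutral"                       # no mechanism matched and no "all" term


def scenarios():
    """The cases discussed in the text: connecting IP plus MAIL FROM domain."""
    return {
        "direct from own server": check_spf("192.0.2.10", "example.org"),
        "via outsourced mailhost (IPv6)": check_spf("2001:db8:1::25", "example.org"),
        "forwarded by a third party": check_spf("203.0.113.7", "example.org"),    # the forwarding con
        "envelope domain with no record": check_spf("203.0.113.7", "nospf.example"),
        "subdomain inherits nothing": check_spf("192.0.2.10", "news.example.org"),  # needs its own record
    }
```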
SPF and DKIM should be used together: some kinds of responses (delivery reports, non-delivery notifications, auto-replies) are addressed only to the SMTP envelope sender, which therefore needs to be authorized, and that is what SPF provides. To survive forwarding we need DKIM, and to define the policy for messages that fail the SPF check and to protect against forgery of the visible sender address we need DMARC.

## Task 6 - Transport Encryption

:::info
Which one is better, SSL/TLS or STARTTLS, why?
:::

I think TLS is better at the moment (even considering the new MTA-STS and DANE), because this protocol is supported by all modern and secure systems that handle Internet traffic. It uses encryption methods that are newer than SSL's and is in fact its successor. As for STARTTLS, it is a command that is transmitted between the mail service and the server: when starting TLS, it announces that it wants to switch the connection between the mail client and the server to secure mode. STARTTLS also works with SSL. Thus, TLS is the first and most minimal requirement for the protection of email clients.

:::info
Which one is actually in use for SMTP?
:::

TLS is the most popular and is the minimum requirement for mail security. I think STARTTLS is used more and more now, because it is like an add-on to TLS that can at the same time work with SSL, and I often see the combination SMTP+STARTTLS. But at the same time, there is more and more news that STARTTLS has turned into an initial protection mechanism for MTA-STS lookups, so that email operators can know when certain providers insist on secure delivery.
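Added example (my code, not from the lab report) of the STARTTLS negotiation discussed above as a scripted client/server exchange; hostnames are placeholders and no network connection is made. It contrasts opportunistic STARTTLS, where a missing or refused STARTTLS silently yields a cleartext delivery, with the enforced policy that MTA-STS or DANE gives a sending MTA.

```python
"""Scripted SMTP dialogue showing opportunistic STARTTLS versus an enforced-TLS
policy (what MTA-STS or DANE gives a sending MTA). Added example, not from the
lab report; hostnames are placeholders and no real connection is made."""


class ScriptedServer:
    """Constructed receiving MTA: answers EHLO with the capabilities it was given."""

    def __init__(self, capabilities, starttls_reply="220 Ready to start TLS"):
        self.capabilities = capabilities
        self.starttls_reply = starttls_reply

    def reply(self, command):
        if command.startswith("EHLO"):
            lines = ["250-mx.example.org Hello"] + ["250-" + c for c in self.capabilities]
            lines[-1] = "250 " + lines[-1][4:]          # final line uses "250 " instead of "250-"
            return lines
        if command == "STARTTLS":
            return [self.starttls_reply]
        return ["500 unexpected command in this demo"]


def deliver(server, enforce_tls):
    """Return ("tls" | "cleartext" | "refused", transcript) for one sending attempt.
    enforce_tls=False: fall back to cleartext when TLS is unavailable (opportunistic).
    enforce_tls=True: refuse to send unless STARTTLS is offered and accepted."""
    transcript = ["C: EHLO smtp.example.net"]
    ehlo = server.reply("EHLO smtp.example.net")
    transcript += ["S: " + line for line in ehlo]
    offered = {line[4:].split()[0].upper() for line in ehlo[1:]}   # keywords after "250-"/"250 "
    if "STARTTLS" not in offered:
        # A server that never offers STARTTLS and a path where the keyword was removed from
        # the EHLO reply look identical to the client; only policy can tell it to stop here.
        if enforce_tls:
            transcript.append("C: QUIT   (policy requires TLS, STARTTLS not offered)")
            return "refused", transcript
        return "cleartext", transcript
    transcript.append("C: STARTTLS")
    answer = server.reply("STARTTLS")[0]
    transcript.append("S: " + answer)
    if not answer.startswith("220"):
        return ("refused" if enforce_tls else "cleartext"), transcript
    # Real clients now run the TLS handshake and must send EHLO again, discarding the
    # capabilities learned in cleartext (RFC 3207); this demo stops at the negotiation.
    transcript.append("-- TLS handshake, then EHLO repeated inside the encrypted channel --")
    return "tls", transcript


HONEST = ScriptedServer(["PIPELINING", "SIZE 52428800", "STARTTLS", "8BITMIME"])
NO_TLS = ScriptedServer(["PIPELINING", "SIZE 52428800", "8BITMIME"])   # STARTTLS keyword absent
```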