Creating the right Certificates for STARTTLS use in SMTP

Recently I have been playing around with STARTTLS, SMTP and the enforcement of STARTTLS policy. This has led me to make several suggestions for changes to the way the sendmail open source MTA should handle this enforcement; I will address those in a future post in a few weeks. For this article I want to address some other observations.

One of the observations I made during this work was how difficult it can be to set up an enforceable policy for STARTTLS SMTP connections. One reason is that the certificates in use need to be carefully designed so that the remote server's hostnames can be correctly identified.

Certificates used for TLS connections follow the X.509 standard and carry a Subject and an Issuer, both expressed as X.500 distinguished names. For example the certificate hosted on my personal mail server has the following data:

  • Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
  • Subject: description=286542-g0Fq7m73HbBwiIkc, C=GB, ST=Greater London, L=London, O=Christophe Wolfhugel, OU=StartCom Verified Certificate Member, CN=k.wolfhugel.eu/emailAddress=postmaster@wolfhugel.eu

The Issuer identifies the authority which issued my certificate; in the above example I got mine from an intermediate authority run by a company called StartCom. The Subject identifies my SMTP server, and you will notice that an Internet hostname is present in the CN field. This is the canonical hostname of my mail server.

Should my mail server only be used and known under this single name, k.wolfhugel.eu, everything would be easy, but this is not the case: the MX record published in the DNS for my domain points to relay.wolfhugel.eu. So unless my certificate also carries this name, validation and verification are more difficult (i.e. they need manual configuration on the client side).

Fortunately X.509 certificates can carry X509v3 extensions, and one of them is of particular interest to us: the Subject Alternative Name extension, which for my server's certificate is displayed as:

X509v3 Subject Alternative Name:
DNS:k.wolfhugel.eu, DNS:wolfhugel.eu, DNS:relay.wolfhugel.eu

RFC 6125, which is long and detailed, explains exactly how these identifiers should be used for matching; for mail administrators I would summarize it as:

  • When you create certificates to be used for email, ensure that every name under which the server is reached (the canonical hostname, the names appearing in MX records, the name announced in the SMTP banner and in HELO/EHLO) is included as a DNS entry in the X509v3 Subject Alternative Name extension
  • It is still advisable to put a valid, recognized hostname in the CN field of the certificate's Subject, but RFC 6125 states that when DNS entries are present in the Subject Alternative Name extension a client must match against those only and must not fall back to the CN; a name that appears only in the CN of such a certificate will therefore not be accepted
  • Consequently the hostname given as the CN should also be present as a DNS Subject Alternative Name

So, for example, if your domain name is domain.eu and your MX record mx.domain.eu points to a load balancer in front of two hosts called s1.domain.eu and s2.domain.eu, the content of your certificates would be adequate if it were (alternatively a single certificate carrying all three names can be installed on both hosts):

  • for s1: CN=s1.domain.eu, Subject Alternative Names: DNS:mx.domain.eu DNS:s1.domain.eu
  • for s2: CN=s2.domain.eu, Subject Alternative Names: DNS:mx.domain.eu DNS:s2.domain.eu

This simple recommendation will make life easier for anyone who wishes to enforce TLS security during SMTP transactions.
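To make the matching rules above concrete, here is an added example (not code from this post or from sendmail) that applies the RFC 6125 rules to the two certificates discussed: the k.wolfhugel.eu certificate and the hypothetical domain.eu deployment. The certificate fields are hard-coded from the values quoted above; in practice you would take them from the peer certificate after the STARTTLS handshake (for instance ssl.SSLSocket.getpeercert() in Python, or by reading the output of openssl s_client -starttls smtp piped into openssl x509 -noout -text). The BAD_CERT and CN_ONLY_CERT entries are constructed to show the failure mode: a name that lives only in the CN is ignored as soon as the certificate carries any DNS Subject Alternative Name.

```python
"""Match SMTP server names against a certificate the way RFC 6125 says to.

Added example, not code from the post or from sendmail. Certificate
values come from the post; BAD_CERT and CN_ONLY_CERT are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PresentedCert:
    """The two places a hostname can appear in a server certificate."""
    subject_cn: str | None
    san_dns: list[str] = field(default_factory=list)


def dns_id_matches(presented: str, reference: str) -> bool:
    """Compare one presented DNS-ID (or CN-ID) with one reference name.

    Comparison is case-insensitive on ASCII labels and ignores a trailing
    dot. Wildcards follow RFC 6125 section 6.4.3 conservatively: '*' must
    be the entire left-most label, matches exactly one label, and is not
    accepted for names with fewer than three labels ('*.eu' never matches).
    Internationalized names must be converted to A-labels by the caller.
    """
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if "*" in r:                      # reference identifiers never carry wildcards
        return False
    if "*" not in p:
        return p == r
    p_labels, r_labels = p.split("."), r.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                  # wildcard only as the whole left-most label
    if len(p_labels) < 3:
        return False                  # refuse '*.tld'
    return len(p_labels) == len(r_labels) and p_labels[1:] == r_labels[1:]


def presented_identifiers(cert: PresentedCert) -> tuple[list[str], str]:
    """Return the identifiers a client may match, and where they came from.

    RFC 6125 section 6.4.4: when the certificate carries DNS entries in
    the Subject Alternative Name extension, only those are consulted; the
    CN is a fallback solely for certificates with no DNS-ID at all.
    """
    if cert.san_dns:
        return list(cert.san_dns), "SAN"
    return ([cert.subject_cn] if cert.subject_cn else []), "CN"


def matches_reference(cert: PresentedCert, reference: str) -> bool:
    ids, _source = presented_identifiers(cert)
    return any(dns_id_matches(p, reference) for p in ids)


def check_mail_server(cert: PresentedCert, expected_names: list[str]) -> dict[str, bool]:
    """Check every name a STARTTLS policy may require (MX target, canonical
    hostname, banner/EHLO name). Returns name -> matched."""
    return {name: matches_reference(cert, name) for name in expected_names}


# --- sample certificates, from the values quoted in the post ---
WOLFHUGEL_CERT = PresentedCert(
    subject_cn="k.wolfhugel.eu",
    san_dns=["k.wolfhugel.eu", "wolfhugel.eu", "relay.wolfhugel.eu"],
)
# The post's hypothetical domain.eu deployment: host s1 behind mx.domain.eu.
S1_CERT = PresentedCert(subject_cn="s1.domain.eu",
                        san_dns=["mx.domain.eu", "s1.domain.eu"])
# Constructed, badly issued: the MX name is only in the CN. Because a SAN DNS
# entry is present, a conforming client never looks at the CN, so it fails.
BAD_CERT = PresentedCert(subject_cn="mx.domain.eu", san_dns=["s2.domain.eu"])
# Constructed, no SAN extension at all: the CN is the only identifier and is used.
CN_ONLY_CERT = PresentedCert(subject_cn="mx.domain.eu")


if __name__ == "__main__":
    for label, cert in [("k.wolfhugel.eu", WOLFHUGEL_CERT), ("s1", S1_CERT),
                        ("bad", BAD_CERT), ("cn-only", CN_ONLY_CERT)]:
        ids, source = presented_identifiers(cert)
        print(f"{label}: matching against {source} {ids}")
    print(check_mail_server(WOLFHUGEL_CERT, ["relay.wolfhugel.eu", "k.wolfhugel.eu"]))
    print(check_mail_server(S1_CERT, ["mx.domain.eu", "s2.domain.eu"]))
    print(check_mail_server(BAD_CERT, ["mx.domain.eu"]))
```

The BAD_CERT case is the one that bites in practice: the certificate looks right at a glance because mx.domain.eu is in the CN, yet every RFC 6125-conforming client rejects it for that name. The wildcard handling is deliberately stricter than some TLS libraries; loosen it only if your policy explicitly allows partial-label wildcards.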

In conclusion, don’t forget your Subject Alternative Names when creating certificates which are being used for STARTTLS SMTP traffic.

Posted in Christophe Wolfhugel, Email Security, Open source | 1 Comment

Latest Version of Sendmail Open Source MTA Available!

The popular sendmail open source Mail Transfer Agent (MTA) is celebrating its 30th anniversary this year and with that, we are happy to announce that the updated version 8.14.5 is now available for download.  This latest release addresses many of the requests from the large community of sendmail open source users and developers around the world.

Sendmail 8.14.5 addresses key issues related to:

  • SMTP connection caching
  • SMTP authentication
  • LDAP Routing
  • LDAP robustness
  • Signal handling
  • Support for Mac OS X 10.6
  • Improved portability on FreeBSD, OpenBSD and Solaris

Our open source MTA is a core component of Sendmail’s Sentrion Message Processing platform and is amongst the most widely used mail servers in the world. The update is available for immediate download here and be sure to check out the official press release for even more details.

We appreciate the continued contributions from the Sendmail community to the sendmail open source project!

Posted in Barry Shurtz, Open source | Leave a comment

Sendmail IP Info App Comes to the iPhone

We are excited to announce the availability of the Sendmail IP Info application, which you can now download for free from the iPhone App Store. We have seen a lot of demand from enterprise IT users for access to enterprise information on mobile devices, and we expect that demand to increase with the continued growth of the mobile workforce. It is not only important to have access to critical information; enterprises today need that information to be available at any time and place.

With Sendmail IP Info, IT users and administrators have an on-the-go tool for the information they need to keep their email infrastructure protected, secure and performing at optimal levels. IT teams are tasked with managing critical infrastructure such as email and need to reach that information quickly and easily, whether in a remote office or on the road.

Key interactive functionalities include:

  • DNSBL query: check whether a mail server is listed on any public DNS Real-time Blackhole List (DNSBL).
  • Sender Policy Framework (SPF) check: SPF is one of the most widely adopted sender authentication technologies, and with the Sendmail IP Info app system administrators can check whether their site's SPF records are properly configured.

Keep an eye out for future releases that will have greater functionality and support for other mobile devices.

Check out the Apple App store to download it for free here and you can read the full press release for more details.

Posted in Barry Shurtz | Leave a comment

SecurityWeek: Leveraging an Email Backbone for Mailbox Migration

My latest SecurityWeek column, “Leveraging an Email Backbone for Mailbox Migration,” focuses on the email backbone and why it’s an important architectural tool in maintaining email integrity during the email migration process.

Enterprises first need to have an understanding of the standard model for email architecture that is broken into three layers that are defined in the column and in the image below.

Once the basic email architecture is understood, enterprises can rely on a core email backbone to manage inter-system email routing.

The on-going efficiencies of an email backbone include:

  • Managing complexity
  • Providing a routing infrastructure for email-enabled applications
  • Off-loading policy processing from mailbox servers

When it comes to the cloud, because most email-enabled applications are not moving to the cloud, the email backbone is the glue that keeps disparate email systems communicating. As enterprises look to migrate email to the cloud, the email backbone functions as the routing infrastructure between those mailboxes in the cloud and the users and email-enabled applications that remain on premises.

The added benefit of an email backbone is that it can become a permanent routing infrastructure between those users in the cloud and those users who remain on premises, thus helping to alleviate security or compliance concerns.

I look forward to your thoughts on this latest column, and if you didn't catch it last year, check out a related post on our blog, “Is your email backbone ‘spineless’?”, which answers the question: “Do all companies have an email backbone, or do they all need an email backbone and don't always know it?”

Posted in Email Backbone, Greg Olsen, SecurityWeek | Leave a comment

Wall Street Journal asks: Is Cloud Computing Right for Your Company?

I came across a recent article in the Wall Street Journal by Robert Plant (no, not that Robert Plant!), an associate professor at the University of Miami, which focuses on how the cloud seems an attractive option for many companies while there are still a lot of questions companies need to consider and address beforehand.

The article, “To Cloud, or Not to Cloud”, highlights the following important questions to ask before moving to the cloud:

  • How much do we save, if anything?
  • How complicated is your software?
  • What are the legal issues?
  • Where’s the data?
  • How accessible is it?
  • How secure is it?

Before assuming what may be best for their organization, company IT leaders need to clearly address these questions. As the article highlights, they will then learn that moving to the cloud is not as clear-cut as some vendors make it seem.

While Sendmail agrees with many of the points Plant makes in his article, there is one point on which we disagree. Knowing email the way we do, we feel that labeling email a “nonessential system”, and suggesting that it be the first to go to the cloud, is a misnomer and a disservice to IT admins.

IT organizations continue to realize that migrating things such as email to the cloud is neither as easy nor as advantageous as it may initially seem. In fact, based on our own insights and feedback from our customers, we still believe that email is a business-critical application and the dominant messaging tool used by enterprises, and that large companies cannot simply move all email functions to the cloud. Some functions of an email infrastructure, such as spam and virus filtering, have become a commodity and can be moved to the cloud fairly easily. Mailboxes can also be moved, but that is a much bigger undertaking. The email backbone, the middleware that glues all of this together, manages on-premises email-generating applications, takes care of policy enforcement and much more, is the most difficult to move, though certainly not impossible. In a recent report from Gartner, “Email is a Commodity and Other Fairy Tales”, analyst Matthew Cain noted, “A deep understanding of the operational, architectural, policy and feature requirements of an email system will help organizations ascertain the suitability of the cloud provisioning model for email services.”

Despite our disagreement with the suggestion that email is nonessential and relatively easy to move to the cloud first, many of the questions addressed in this Wall Street Journal article map to what Sendmail has been sharing with its customers for quite some time.

As we predicted at the beginning of the year, we are seeing the cloud hype within the messaging infrastructure market tempered due to compliance, regulatory and security risks that companies are realizing come with the price of moving to the cloud.  For further information on evaluating a move to the cloud, you can revisit the blog post we wrote last year, “Considering a Move to the Cloud? The Benefits and Risks You Should Know”, to get a clear snapshot on what Sendmail recommends enterprises should consider before moving to the cloud. Also check out the resources on this page: enabling email for the cloud.

Posted in Barry Shurtz, Cloud, Email Backbone, Email Security | Leave a comment

SecurityWeek: Deploying DKIM for Increased Email Deliverability

One of the key challenges for email users today is whether or not they can trust that the email they receive is not a scam (i.e. phishing). It is also important to understand what a sender should be doing to help bring trust back to email through sender authentication. My previous column in SecurityWeek highlighted best practices for implementing DomainKeys Identified Mail (DKIM) as a receiver of email. Now, in this latest SecurityWeek column, I focus on sender authentication, a set of technologies that help bring trust back to email.

Here is a summary of the best practices for senders of email (DKIM signers) that I focus on in this column:

  • Sign all your mail
  • Delegate keys to third-parties
  • Use the test flag when first implementing DKIM
  • Do not expect user-level signing to work

Companies that implement these best practices, comply with CAN-SPAM and respect receivers' message and connection rate limits will see the deliverability of their email increase. My contributed column, “Deploying DKIM for Increased Email Deliverability”, in SecurityWeek can be viewed here.
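Two of the practices listed above, the test flag and key delegation to third parties, are expressed in the DKIM key record published in DNS. The following is an added example (not code from the column or from sendmail) that parses DKIM key records in the RFC 6376 tag=value syntax and reports those settings. The domain.eu records and selector names are constructed for illustration and the p= values are placeholders, not real keys.

```python
"""Audit DKIM key records (RFC 6376 tag=value syntax) for the settings the
sender best practices rely on: the testing flag and delegated selectors.

Added example, not code from the column or from sendmail. The records are
constructed for the fictional domain domain.eu; p= values are placeholders.
"""
from __future__ import annotations


def parse_dkim_record(txt: str) -> dict[str, str]:
    """Split a DKIM TXT record into its tags; whitespace around tag names
    and values is not significant (RFC 6376 section 3.2)."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")   # first '=' only: base64 may end in '='
        tags[name.strip()] = value.strip()
    return tags


def audit_dkim_record(selector: str, domain: str, txt: str) -> dict:
    """Summarize the operationally relevant settings of one key record."""
    tags = parse_dkim_record(txt)
    flags = {f.strip() for f in tags.get("t", "").split(":") if f.strip()}
    return {
        "dns_name": f"{selector}._domainkey.{domain}",
        "version_ok": tags.get("v", "DKIM1") == "DKIM1",  # v= is optional; DKIM1 if present
        "key_type": tags.get("k", "rsa"),
        # t=y: the domain is testing DKIM; verifiers must treat a failed
        # signature like an unsigned message rather than penalize it.
        "testing": "y" in flags,
        # t=s: the i= identity domain must equal d= exactly, no subdomains.
        "strict_domain": "s" in flags,
        "services": tags.get("s", "*"),
        "missing_key": "p" not in tags,        # p= is mandatory
        "revoked": tags.get("p") == "",        # an empty p= revokes the key
    }


# Constructed records for domain.eu (placeholder key data).
# First rollout: the domain's own selector, published with the testing flag.
OWN_SELECTOR = ("s2011", "domain.eu", "v=DKIM1; k=rsa; t=y; p=BASE64KEYDATA")
# Delegation: a third party sending on behalf of domain.eu signs with
# d=domain.eu and s=esp1; domain.eu publishes the third party's public key
# under that selector (or CNAMEs the name to a record the provider hosts),
# so the provider's key can be retired without touching the domain's own key.
DELEGATED_SELECTOR = ("esp1", "domain.eu", "v=DKIM1; t=s; s=email; p=THIRDPARTYKEYDATA")
# A retired key: an empty p= tells verifiers the key is revoked.
REVOKED_SELECTOR = ("s2009", "domain.eu", "v=DKIM1; p=")

if __name__ == "__main__":
    for rec in (OWN_SELECTOR, DELEGATED_SELECTOR, REVOKED_SELECTOR):
        print(audit_dkim_record(*rec))
```

Run this against the TXT records you actually publish (selector._domainkey.domain) before and after the rollout: the "testing" flag should be true only during the initial deployment, and once the test period is over it must be removed, or receivers will keep ignoring your signature failures.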

Hope you have the time to read the article and if you have any further questions on this topic, feel free to comment below.

Posted in Greg Olsen, SecurityWeek | Leave a comment

Sendmail Sentrion App of the Month: Image Analyzer

Email-borne pornography and sexually harassing images bring risk of lawsuits and embarrassing publicity. Plus, they steal away the productivity of your employees—and, in some cases, something even more important, their dignity. To call attention to this challenge, and a potential solution, this month Sendmail shines its “App of the Month” spotlight on the Image Analyzer application. Image Analyzer is a mail filter application for Sentrion that provides the most powerful detection technologies available to keep porn out of your email system, and out of your employees’ work lives.

Unfortunately pornographic images are notoriously difficult to filter compared to malware signatures, unwanted file formats, or suspicious text patterns. Image Analyzer gives enterprises the ability to automate this filtering effectively, keeping legitimate images in the email stream, filtering out the bad ones, and freeing up administrative time. Image Analyzer's multi-threaded analysis isolates areas of the image that fall within the range of human skin tones, and then applies artificial intelligence to evaluate body size, curvature, and edges. This compositional analysis produces a much more accurate score of the probability that an image is pornographic, and keeps such images out of the employee's inbox.

Click here (pdf), or visit the filtering section of the Sentrion App Store, to learn more about Image Analyzer and how adding the application to your complete email filtering strategy keeps your email system, and your corporate culture, free of corrosive content.

Posted in App of the Month, Barry Shurtz | Leave a comment

SecurityWeek: SaaS and the Email Delivery Conundrum

For my weekly article in SecurityWeek, this time around I opted to look at email and its relationship – good and bad – with SaaS, which has become the dominant solution for new CRM deployments.

The driving force behind an enterprise opting for a SaaS deployment model is typically related to cost.  The organization gets access to a feature-rich solution at a lower cost in fixed infrastructure and on-going software maintenance.  However, SaaS as a model for CRM can have a downside when it comes to email—the potential for deliverability problems.

Email is an integral function of CRM and can be effectively used as a customer notification tool, as well as a tool for new customer acquisition because of the nature of a CRM system. But the very nature of SaaS, being multi-tenant and a shared application infrastructure, means that conflicts can occur between companies using the SaaS provider, affecting email deliverability.

In the article, I elaborate on these potential issues to make security admins aware of the pitfalls and to offer solutions for them. We dissect the challenges around spam and look at some of the important differences between on-premises and SaaS IP reputation, and at how SMTP can be used to protect IP reputation and the integrity of both types of CRM system.

Potential solutions to challenges covered in the piece include detail around purchasing private IP space from the SaaS provider, using a third-party SaaS provider for email that integrates with the CRM provider’s system, and advice around routing email from the SaaS provider’s system through an on-premises email infrastructure.

Hopefully the insights shared in my SecurityWeek article will help avoid email deliverability problems due to shared email infrastructure when outsourcing CRM functions to a SaaS provider.

Posted in Barry Shurtz, Greg Olsen, SecurityWeek | Leave a comment

SecurityWeek: Optimizing Email Security With Directory Integration

Technology trends such as cloud computing and virtualization initiatives are being driven by the rule in IT projects for 2011 – efficiency and optimization.  This urge to do more with less is forcing enterprises to lower costs while maintaining a secure IT infrastructure.  In my latest column in SecurityWeek, I cover how utilizing the corporate directory is one of the best ways enterprises can optimize security for the messaging infrastructure.

For example, the article addresses how businesses can make the best use of corporate directory information realizing efficiency gains and measurable improvement in the following areas:

  • Directory-driven Email Security
  • Email Acceptance at the Internet Gateway
  • Email Routing in Large Organizations
  • Compliance Policy Controls
  • Authentication and Authorization
  • Secure Deployment of Directories
  • Quantifiable ROI

Email remains one of the most prevalent means of communication within businesses, and the corporate directory contains information vital to the operation of the email environment as well as information that can be used for higher-value security applications. When the directory infrastructure is leveraged by the email security infrastructure, the quantifiable ROI translates into reduced traffic, selective archiving and encryption of messages, and fewer mail servers deployed.

More details on this topic can be found in my latest contributed column, “Optimizing Email Security With Directory Integration”, in SecurityWeek which can be viewed here.

Hope you have the time to read the article and as always we look forward to your comments below.

Posted in Barry Shurtz, Greg Olsen | Tagged | Leave a comment

Sendmail Sentrion App of the Month: Federal Government Policies

As we continue our “App of the Month” program, which highlights a resourceful new application from our Sentrion App Store, we’ve selected an application that plays a crucial role in national security and are highlighting the Federal Government Policies application.

Global computing and communications technologies have virtually eliminated international borders, so information is more likely to fall into the wrong hands, and vital national security information is at risk of being inadvertently leaked simply by sending a message to the wrong person. In recent years the U.S. Government has stepped up International Traffic in Arms Regulations (ITAR) audits and enforcement, levying severe financial penalties against enterprises in several high-profile cases.

The Federal Government Policies App works directly within the mail stream, allowing you to rely on proactive policy enforcement without the need to adopt an add-on DLP solution. When a violation is detected in the email body or any attachment, the application takes action based on custom policies. For example, an organization can dictate the following actions based on pre-set policies:

  • Block the message and notify the sender of the violation
  • Quarantine the message and create an entry in the Incident Remediation and Reporting Application for further review
  • Encrypt and send the message using the Voltage or S/MIME Encryption

Check out more details about the app here to learn more about how government agencies such as the Department of Energy (DOE) and National Aeronautics and Space Administration (NASA), and more, benefit from the Sentrion Federal Government Policies.

Posted in App of the Month, Barry Shurtz | Leave a comment