This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.

Electronic mail - email

SMTP protocol and its features. Protection of electronic mail against SPAM and Phishing. Encryption of mail...

Cisco Email Security - AntiSpam solution configuration

For many years I used Symantec Messaging Gateway (formerly Brightmail). Unfortunately, there was a problem: SMG stopped filtering Czech spam (for example for a period of 3 months). Even a long solution with Symantec support did not lead to a better result. So I tested a competing spam filtering solution that Gartner ranks among the Leaders, Cisco Email Security (formerly Ironport). The result is very good. The article includes a brief description of setup and operation.
28.01.2020 | 16.10.2019 | Samuraj - Petr Bouška | Cisco admin | 10 850x | Comments [1]

Cisco Email Security - Operational Management and Activities

Using Cisco Email Security (formerly Ironport) to filter spam. The article describes some of the activities and settings from normal operational management, i.e. what we do on an ongoing basis after the initial implementation. Primarily, it's about how to identify blocked messages and how to set exceptions so that some messages are delivered even if they are identified as spam.
14.01.2020 | 17.10.2019 | Samuraj - Petr Bouška | Cisco admin | 8 850x | Comments [0]

SMTP over TLS encryption on MS Exchange and Cisco Email Security

The Simple Mail Transfer Protocol (SMTP) transfers mail messages in plain text by default. If an attacker intercepts the communication, they can easily read the content of the messages and view the attachments. One solution is to use client-side email encryption (end-to-end encryption using S/MIME, PGP, etc.), but then you need to address the management and transmission of encryption keys/certificates. The other option is to encrypt SMTP communication in transit (this does not protect the messages on the server, however), and that is what we describe here. We will look at the setup on Cisco Email Security (ESA) and Exchange Server 2016.

SMTP protocol and e-mail addresses

In the next article, we will look at methods for verifying the origin of mail messages (SPF, DKIM). To do this, it is important to understand how the SMTP protocol sends mail messages, in particular how sender addresses are stored and how easy it is to spoof them. The SMTP transaction, in which SMTP commands are used, is referred to as the SMTP envelope. The email itself consists of two main parts: the header and the body of the message.

Email verification using SPF - Sender Policy Framework

Methods for verifying the origin of mail messages are checked by the mail servers involved in sending (and possibly modifying) the email. The goal is to verify that the message was sent by an authorized sender (server). The sender's domain is checked, not the email address directly. One of the most widely used techniques is SPF (Sender Policy Framework). Its use is very simple. It verifies that the mail message came from an IP address that is listed in DNS as an allowed sender for that domain.
06.02.2020 | 09.01.2020 | Samuraj - Petr Bouška | administration | 17 411x | Comments [4]

Email verification using DKIM - DomainKeys Identified Mail

Email Authentication methods check the mail servers involved in sending (and possibly modifying) an email. The goal is to verify that the message was sent by an authorized sender (server). The sender's domain is checked, not the email address directly. After SPF, the second widespread technique is DKIM. This involves signing messages with the private key for the domain. The public key for authentication is published in DNS. The signature is inserted as a header entry, so it does not affect normal traffic.

Email verification using DMARC - Domain-based Message Authentication, Reporting and Confor

Email Authentication methods check the mail servers involved in sending (and possibly modifying) an email. The goal is to verify that the message was sent by an authorized sender (server). The sender's domain is checked, not the email address directly. SPF and DKIM perform domain-level authentication. DMARC adds behavioral policies for messages that fail the check and the ability to send feedback to the domain owner. It also compares the sender domain in the header.
07.02.2020 | 02.02.2020 | Samuraj - Petr Bouška | administration | 19 523x | Comments [3]

Securing SMTP communication using DANE

When sending messages using SMTP between mail servers, TLS encryption is already heavily used. By default, mail servers do not check the validity of the certificate used. The indication that they support encryption is sent in clear text in the protocol. DNS-based Authentication of Named Entities (DANE) can be used to secure this. We publish a special TLSA record in DNS that says that a particular service supports encryption and what certificate it uses.
16.05.2022 | 07.03.2022 | Samuraj - Petr Bouška | administration | 12 812x | Comments [1]