A System for Secure Email Relaying

1
A System for Secure Email Relaying

• Masters Project
• By Kelvin Edwards
• Advisor Dr. Wahab

2
A System for Secure Email Relaying

• Email Relaying
• Possible Solutions
• Chosen Solution
• Certificate configuration
• Email configuration
• Web server configuration
• Putting it all together
• Demonstration

3
Email Relaying

• What is email relaying?
• Sending email from one domain to another via a
  third
• Spammers do this all the time!
• Why is it useful?
• Stable email configuration for users
• Email settings identical for home institution and
  away
• No need to determine visiting labs smtp server

4
Email Relaying
Smtp server
Jefferson Lab External
IMap server
Jefferson Lab -- Internal
Off-Site Location
DMZ
5
Possible Solutions

• SSL-enabled email
• Pros
• Minimal changes to the client application
• Cons
• Must set up email server for encrypted
  connections
• Exposes usernames/passwords to the outside email
  server.

6
Possible Solutions

• SSH tunnels
• Pros
• Once setup, its transparent to the user
• Cons
• Difficult to setup
• Must maintain ssh connection at all times (or
  reestablish before sending email)

7
Possible Solutions

• Webmail
• Pros
• Its just a web page, minimal setup required
• Works anywhere, from anyplace
• Cons
• Doesnt handle attachments well
• No junk mail (or other) filters

8
My Solution

• Certificates
• Pros
• Transparent to the user once it is set up
• Can also be used to encrypt or sign the message
• Cons
• Difficult to setup for the user
• However, with a little setup by the site, you can
  make this easier for the user

9
Certificate Configuration

• Root Certificate Authority (CA)
• Signs all other certificates
• Server Certificate
• Signed by root CA
• Client Certificates
• Signed by root CA
• Loaded into email client

10
Certificate Configuration

• OpenSSL x.509 certificates
• Good for one year (could be longer)
• Default DN items
• Country US
• State Virginia
• Organization Jefferson Lab
• Location Newport News
• 1024 bit key

11
Web Server Configuration

• Local server certificate signed by root CA
• User authentication
• Htpasswd or NIS
• Document tree

12
Email Server Configuration

• Sendmail
• Version 8.12.11
• Compiled with TLS support
• Runs on Port 8025

13
Email Server Configuration

• Sendmail TLS (SSL)
• Uses openSSL 0.9.7 libraries
• /sednmail/devtools/Site/site.config.m4
• /sendmail/cf/cf/sendmail.mc
• Server certificate
• /etc/mail/certs
• Signed by root CA

14
Email Server Configuration

• /etc/mail/access and access.db
• Allows relay for known client certificates

localhost.localdomain RELAY localhost
RELAY 127.0.0.1 RELAY jlab.org
RELAY TLS_CLT
VERIFY CERTISSUER/CNKelvin20Edwards/STVirginia
/CUS/ emailAddresskelvin_at_jlab.org/OJefferson2
0Lab/ OUComputer20Center SUBJECT CERTSUBJECT
/CNGraham20Heyes/STVirginia/CUS/ emailAddres
sheyes_at_jlab.org/OJefferson20Lab/ OUComputer2
0Center RELAY CERTSUBJECT/CNKelvin20Edward
s/STVirginia/CUS/ emailAddresskelvin_at_jlab.org/
OJefferson20Lab/ OUCC RELAY
15
Email Server Configuration

• /etc/mail/access and access.db
• Update script
• Runs as root
• Makemap hash access.db lt access
• Currently set to run each minute

16
Email Server Configuration (cont)

• Certificate Revocation Lists
• In general, a difficult problem
• Remove entry in access (do a makemap)
• Remove certificate from certificate list
• Located in /var/www/CA/index.txt

17
Putting it all together

• http//rh-install.jlab.org
• Load root CA into browser
• Displays form for generating a certificate
  request
• Redirects to https connection
• User authenticates to web server

18
Putting it all together (cont)

• Generate certificate request
• Genreq.pl
• Requires
• Full name
• Email address
• Department
• Private key password

19
Putting it all together (cont)

• treatReq.pl
• Validates user responses
• Actually generates the CR
• Signs the CR using root CA
• Generates a PKCS 12 certificate from the signed
  certificate
• Displays web page with load instructions

20
Web Page

• Different for Mozilla and Internet Explorer
• Internet Explorer
• Loads certificate by clicking on link
• Mozilla
• Save certificate to disk
• Load certificate through Mozillas Security
  Manager
• Need to remember private key password

21
Demonstration

• http//rh-install.jlab.org

22

• Questions?

23
Details

• Ssl configuration stored in /var/www/CA
• Keeps the users private key password as an
  environment variable during creation
• The CAs password is stored in /var/www/CA and is
  read-only by http-user. This value is used to
  sign certificates.
• The certificates are generated and stored in
  /tmp/session-id, where session-id is based on
  the client systemmon/day/yr/hr/min/sec
• session-id is deleted once certificate generated
  as PKCS 12

24
Details

• /etc/mail/access has a list of each clients CERT
  Subject, which includes the DN, etc.
• Certificate presented MUST be signed by the root
  CA or it is rejected.
• User MUST load the root CA into the browser prior
  to generating the certificate
• PROBLEM Some sites are not allowing connections
  to port 25 from random systems on-site. This
  will invalidate this method and most other
  methods (tunnels will still work)

25
Details