Mail.ru Mail has started applying MTA-STS policies in test mode

In short, MTA-STS is a way to additionally protect email from interception (i.e. a man-in-the-middle, MitM, attack) while it is in transit between mail servers. It partially solves the legacy architectural problems of the email protocols and is described in the recently adopted RFC 8461. Mail.ru is the first major mail service on RuNet to implement this standard. The details are under the cut.

What problem does MTA-STS solve?

Historically, the email protocols (SMTP, POP3, IMAP) transmitted data in plain text, which made it possible to intercept it, for example, by gaining access to the communication channel.

This is what the path of a message from one user to another looks like:

[Figure: the path of a message from one user to another]

Historically, a MitM attack was possible at every point where mail traffic flows.

RFC 8314 requires the use of TLS between the mail user application (MUA) and the mail server. If your server and the mail applications you use comply with RFC 8314, you have (for the most part) eliminated the possibility of a man-in-the-middle attack between the user and the mail servers.

Following generally accepted practice (standardized by RFC 8314) eliminates the attack near the user:

[Figure: the same path with the user-to-server hops protected by TLS]

Mail.ru's mail servers complied with RFC 8314 even before the standard was adopted; in fact, it merely codifies practices that were already accepted, and we did not have to configure anything extra. But if your mail server still allows users to use insecure protocols, be sure to implement the recommendations of this standard, because most likely at least some of your users work with mail without encryption, even if you support it.

A mail client always works with the same mail server of the same organization. You can force all users to connect securely, and then make it technically impossible for insecure clients to connect (this is exactly what RFC 8314 requires). This is sometimes difficult, but feasible. Traffic between mail servers is harder. The servers belong to different organizations and are often run in a "set it and forget it" mode, which makes it impossible to switch to a secure protocol all at once without breaking connectivity. SMTP has long had the STARTTLS extension, which lets servers that support encryption switch to TLS. But an attacker who can influence the traffic can "cut out" the advertisement of this command and force the servers to talk over the plain-text protocol (a so-called downgrade attack). For the same reason, STARTTLS usually does not check the validity of the certificate (an untrusted certificate still protects against passive attacks, which is no worse than sending the message in plain text). So STARTTLS only protects against passive eavesdropping.

MTA-STS partially eliminates the problem of mail being intercepted between mail servers when the attacker can actively influence traffic. If the recipient's domain publishes an MTA-STS policy and the sender's server supports MTA-STS, it will send the email only over a TLS connection, only to the servers named in the policy, and only after verifying the server certificate.

Why partially? MTA-STS only works if both parties have taken the trouble to implement the standard, and MTA-STS does not protect against a scenario in which the attacker can obtain a valid certificate for the domain from one of the public CAs.

How MTA-STS works

Recipient

  1. Configures STARTTLS support with a valid certificate on the mail server.
  2. Publishes the MTA-STS policy over HTTPS; a dedicated mta-sts subdomain and a dedicated well-known path are used for publication, e.g. https://mta-sts.mail.ru/.well-known/mta-sts.txt. The policy contains the list of mail servers (mx) that are allowed to receive mail for this domain.
  3. Publishes a dedicated _mta-sts TXT record in DNS containing the policy version. When the policy changes, this record must be updated (this signals the sender to re-request the policy). For example: _mta-sts.mail.ru. TXT "v=STSv1; id=20200303T120000;"

Sender

The sender queries the _mta-sts DNS record and, if it exists, requests the policy over HTTPS (verifying the certificate). The resulting policy is cached (in case an attacker later blocks access to it or spoofs the DNS record).

When sending mail, it checks that:

  • the server the mail is being delivered to is listed in the policy;
  • the server accepts mail over TLS (STARTTLS) and has a valid certificate.
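The sender-side procedure above (query the _mta-sts record, fetch and cache the policy, then check the MX and the TLS session before delivering) written out as a small Python model. This is an added example, not Mail.ru's code: the DNS answer and the HTTPS policy body are constructed literals passed in as parameters instead of real network lookups, so it runs offline. It also handles two cases the text only implies, following RFC 8461: a `*.example.com` mx pattern matching exactly one extra label, and a fetch failure not evicting a still-valid cached policy.

```python
"""Sender-side MTA-STS evaluation (RFC 8461), offline model. Constructed example."""
import re

# Constructed stand-ins for the _mta-sts TXT answer and the body served at
# https://mta-sts.example.com/.well-known/mta-sts.txt (hypothetical domain).
DNS_TXT = "v=STSv1; id=20200303T120000;"
POLICY_TEXT = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mx1.example.com\r\n"
    "mx: *.backup.example.com\r\n"
    "max_age: 86400\r\n"
)


def parse_sts_txt(txt):
    """Return the id from a _mta-sts TXT record, or None if it is not a valid STSv1 record."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text):
    """Parse the policy file into a dict; raise ValueError on anything RFC 8461 forbids."""
    policy = {"mx": []}
    for raw in text.split("\n"):
        line = raw.strip()            # tolerate CRLF or LF line endings
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version")
    if policy.get("mode") not in ("testing", "enforce", "none"):
        raise ValueError("bad mode")
    age = policy.get("max_age", "")
    if not re.fullmatch(r"\d+", age) or int(age) > 31557600:   # RFC 8461 upper bound
        raise ValueError("bad max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("testing/enforce policy without mx entries")
    policy["max_age"] = int(age)
    return policy


def mx_matches(pattern, hostname):
    """RFC 8461 3.2: exact match, or '*.example.com' matching exactly one extra label."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return hostname == pattern


class PolicyCache:
    """Per-domain cache of (id, policy, expiry); refetch only when the id changes or the entry expires."""
    def __init__(self):
        self._entries = {}

    def get(self, domain, now):
        entry = self._entries.get(domain)
        return entry if entry and entry[2] > now else None

    def put(self, domain, policy_id, policy, now):
        self._entries[domain] = (policy_id, policy, now + policy["max_age"])


def resolve_policy(domain, dns_txt, fetch_policy, cache, now):
    """Decide which policy applies to `domain`; `fetch_policy(domain)` stands in for the HTTPS GET."""
    cached = cache.get(domain, now)
    new_id = parse_sts_txt(dns_txt) if dns_txt is not None else None
    if new_id is None or (cached and cached[0] == new_id):
        return cached[1] if cached else None   # DNS blocked/unchanged: keep using the cached policy
    try:
        policy = parse_policy(fetch_policy(domain))
    except (ValueError, OSError):
        return cached[1] if cached else None   # fetch failure must not evict a valid cached policy
    cache.put(domain, new_id, policy, now)
    return policy


def delivery_decision(policy, mx_host, starttls_ok, cert_valid):
    """Return (deliver, reason). In testing mode failures are only reported; enforce blocks delivery."""
    if policy is None or policy["mode"] == "none":
        return True, "no policy"
    failures = []
    if not any(mx_matches(p, mx_host) for p in policy["mx"]):
        failures.append("mx %s not in policy" % mx_host)
    if not starttls_ok:
        failures.append("STARTTLS unavailable")
    elif not cert_valid:
        failures.append("certificate validation failed")
    if not failures:
        return True, "ok"
    if policy["mode"] == "enforce":
        return False, "; ".join(failures)
    return True, "testing: " + "; ".join(failures)


if __name__ == "__main__":
    cache = PolicyCache()
    pol = resolve_policy("example.com", DNS_TXT, lambda d: POLICY_TEXT, cache, now=0)
    print(delivery_decision(pol, "mx1.example.com", True, True))
    print(delivery_decision(pol, "relay.attacker.example", True, True))
```

The `resolve_policy` call sites show why the cache matters: once a policy is stored, a later run with the DNS record blocked (`dns_txt=None`) or with the fetch failing still applies the cached policy until `max_age` runs out, which is exactly the window the text describes.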

Advantages of MTA-STS

MTA-STS relies on technologies already deployed in most organizations (SMTP+STARTTLS, HTTPS, DNS). Implementing it on the recipient side requires no special software support for the standard.

Disadvantages of MTA-STS

You have to monitor the validity of the web server's and mail servers' certificates, the consistency of the names, and timely renewal. Problems with a certificate will make mail delivery impossible.

On the sender side, an MTA with MTA-STS policy support is required; at the moment, MTA-STS is not supported out of the box in MTAs.

MTA-STS relies on the list of trusted root CAs.

MTA-STS does not protect against an attack in which the attacker uses a valid certificate. In most cases, a MitM position near the server implies the ability to have a certificate issued. Such an attack can be detected using Certificate Transparency. So, in general, MTA-STS reduces, but does not completely eliminate, the possibility of interception.

The last two points make MTA-STS less secure than the competing DANE standard for SMTP (RFC 7672), but more reliable technically, i.e. with MTA-STS there is a lower probability that a message goes undelivered because of technical problems caused by implementing the standard.

The competing standard: DANE

DANE uses DNSSEC to publish certificate information and does not require trusting external certificate authorities, which is more secure. But using DNSSEC leads to technical failures significantly more often, judging by statistics over several years of use (although there is a steady positive trend in the reliability of DNSSEC and its technical support). To implement DANE for SMTP on the recipient side, DNSSEC for the DNS zone is mandatory, and correct NSEC/NSEC3 support is essential for DANE, an area where DNSSEC has systemic problems.

If DNSSEC is misconfigured, it can cause mail delivery failures when the sending side supports DANE, even if the receiving side knows nothing about it. So although DANE is an older and more secure standard, and is already supported in some sender-side server software, in practice its adoption remains negligible: most organizations are not ready to implement it because of the need to deploy DNSSEC, and this has held back DANE adoption for all the years the standard has existed.

DANE and MTA-STS do not conflict with each other and can be used together.

What is the state of MTA-STS support in Mail.ru Mail?

Mail.ru has been publishing an MTA-STS policy for all of its main domains for some time. We are now implementing the client part of the standard. At the time of writing, policies are applied in non-blocking mode (if a policy blocks delivery, the message is delivered through a "fallback" server without applying the policy); next, blocking mode will be enforced for a small share of outgoing SMTP traffic, and gradually policy enforcement will be extended to 100% of traffic.

Who else supports the standard?

So far, only about 0.05% of active domains publish an MTA-STS policy, but these already protect a large share of email traffic, because the standard is supported by the major players: Google, Comcast and part of Verizon (AOL, Yahoo). Many other mail services have announced that support for the standard will be implemented in the near future.

How does this affect me?

It does not, unless your domain publishes an MTA-STS policy. If you publish a policy, the email of your users and mail servers will be better protected against interception.

How do I implement MTA-STS?

MTA-STS support on the recipient side

It is enough to publish the policy over HTTPS and a record in DNS, and to configure a valid certificate from one of the trusted CAs (Let's Encrypt works) for STARTTLS in the MTA (STARTTLS is supported by all modern MTAs); no special support from the MTA is required.

Step by step, it looks like this:

  1. Configure STARTTLS in the MTA you use (postfix, exim, sendmail, Microsoft Exchange, etc.).
  2. Make sure you use a valid certificate (issued by a trusted CA, not expired, and with a certificate subject that matches the MX record that delivers mail for your domain).
  3. Configure a TLS-RPT record saying where policy application reports should be delivered (by services that support sending TLS reports). Example record (for the domain example.com):
    smtp._tls.example.com. 300 IN TXT "v=TLSRPTv1;rua=mailto:[email protected]"

    This record tells mail senders to send statistical reports on TLS usage in SMTP to [email protected].

    Watch the reports for several days to make sure there are no errors.

  4. Publish the MTA-STS policy over HTTPS. The policy is published as a text file with CRLF line endings at the location
    https://mta-sts.example.com/.well-known/mta-sts.txt
    

    Example policy:

    version: STSv1
    mode: enforce
    mx: mxs.mail.ru
    mx: emx.mail.ru
    mx: mx2.corp.mail.ru
    max_age: 86400
    

    The version field holds the policy version (currently STSv1); mode sets how the policy is applied: testing is test mode (the policy is not enforced), enforce is "combat" mode. Publish the policy with mode: testing first; if there are no problems with the policy in test mode, after a while you can switch to mode: enforce.

    mx lists all the mail servers that may receive mail for your domain (each server must have a certificate matching the name given in mx). max_age sets the policy caching time (once a policy has been remembered it will be applied even if an attacker blocks its delivery or spoofs the DNS records during the caching period; you can signal that the policy needs to be re-requested by changing the mta-sts DNS record).

  5. Publish a TXT record in DNS:
    _mta-sts.example.com. TXT "v=STSv1; id=someid;"
    

    Any identifier (e.g. a timestamp) can be used in the id field; it should change whenever the policy changes, which lets senders know that they need to re-request the cached policy (if the identifier differs from the cached one).
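Step 3 above says to watch the TLS-RPT reports for a few days before moving from testing to enforce. Reports arrive at the rua address as JSON aggregate reports in the RFC 8460 format; the following added example (not Mail.ru's tooling) summarizes one such report per policy, counts failures by result type and receiving host, and answers the one question that matters before switching modes: did any sessions fail under the sts policy? The report itself is constructed inline for the hypothetical domain example.com, with the RFC 8460 field names.

```python
"""Summarize an RFC 8460 TLSRPT aggregate report. Added example with a constructed report."""
import json
from collections import Counter

# Constructed report, shaped like what a sender mails to the rua address of the TLSRPT record.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2020-03-03T00:00:00Z",
                   "end-datetime": "2020-03-03T23:59:59Z"},
    "contact-info": "tlsrpt@sender.example",
    "report-id": "2020-03-03T00:00:00Z_example.com",
    "policies": [
        {
            "policy": {
                "policy-type": "sts",
                "policy-domain": "example.com",
                "policy-string": ["version: STSv1", "mode: testing",
                                  "mx: mx1.example.com", "max_age: 86400"],
                "mx-host": ["mx1.example.com"],
            },
            "summary": {"total-successful-session-count": 5326,
                        "total-failure-session-count": 4},
            "failure-details": [
                {"result-type": "certificate-host-mismatch", "sending-mta-ip": "198.51.100.7",
                 "receiving-mx-hostname": "mx2.example.com", "receiving-ip": "203.0.113.25",
                 "failed-session-count": 3},
                {"result-type": "starttls-not-supported", "sending-mta-ip": "198.51.100.7",
                 "receiving-mx-hostname": "mx1.example.com", "receiving-ip": "203.0.113.10",
                 "failed-session-count": 1},
            ],
        },
        {   # sessions where the sender found no policy at all (e.g. before the DNS record propagated)
            "policy": {"policy-type": "no-policy-found", "policy-domain": "example.com"},
            "summary": {"total-successful-session-count": 12,
                        "total-failure-session-count": 0},
        },
    ],
})


def _policy_mode(policy_strings):
    """Pull the 'mode:' value out of the echoed policy text, if the reporter included it."""
    for line in policy_strings:
        key, sep, value = line.partition(":")
        if sep and key.strip() == "mode":
            return value.strip()
    return None


def summarize_report(report_json):
    """Return a dict with per-policy success/failure counts, failure reasons and the worst host."""
    report = json.loads(report_json)
    out = {"reporter": report.get("organization-name"),
           "report_id": report.get("report-id"), "policies": []}
    for entry in report.get("policies", []):
        policy = entry.get("policy", {})
        summary = entry.get("summary", {})
        reasons, per_host = Counter(), Counter()
        for fd in entry.get("failure-details", []):
            n = int(fd.get("failed-session-count", 0))
            reasons[fd.get("result-type", "unknown")] += n
            per_host[fd.get("receiving-mx-hostname") or fd.get("receiving-ip") or "?"] += n
        ok = int(summary.get("total-successful-session-count", 0))
        failed = int(summary.get("total-failure-session-count", 0))
        out["policies"].append({
            "type": policy.get("policy-type"),
            "domain": policy.get("policy-domain"),
            "mode": _policy_mode(policy.get("policy-string", [])),
            "ok": ok,
            "failed": failed,
            "failure_rate": failed / (ok + failed) if ok + failed else 0.0,
            "reasons": dict(reasons),
            "worst_host": per_host.most_common(1)[0][0] if per_host else None,
        })
    return out


def safe_to_enforce(summary):
    """True only if every sts policy entry in the report saw zero failed sessions."""
    sts_entries = [p for p in summary["policies"] if p["type"] == "sts"]
    return bool(sts_entries) and all(p["failed"] == 0 for p in sts_entries)


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    for p in s["policies"]:
        print(p["type"], p["domain"], "mode=%s" % p["mode"], "ok=%d failed=%d" % (p["ok"], p["failed"]),
              p["reasons"], "worst=%s" % p["worst_host"])
    print("safe to switch to enforce:", safe_to_enforce(s))
```

In the constructed report the host mismatch on mx2.example.com is the kind of finding the text warns about: a server that accepts mail for the domain but is not in the policy (or carries the wrong certificate) would have its deliveries refused once mode is switched to enforce, so `safe_to_enforce` stays False until the reports come back clean.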

MTA-STS support on the sender side

So far things are poor here, since ... the standard is new.

A background note on "mandatory TLS"

Recently, regulators have been paying attention to email security (and that is a good thing). For example, DMARC is mandatory for all government agencies in the USA and is increasingly required in the financial sector, with adoption of the standard reaching 90% in regulated areas. Some regulators now require "mandatory TLS" with individual domains, but the procedure for ensuring "mandatory TLS" is not defined, and in practice this setting is implemented in a way that does not even protect against the attacks that mechanisms such as DANE or MTA-STS already guard against.

If a regulator requires you to implement "mandatory TLS" with individual domains, we recommend considering MTA-STS, or a partial analogue of it, as the most suitable mechanism, since it removes the need to make separate security settings for each domain. If you have trouble implementing the client part of MTA-STS (until the protocol gains wide support, you probably will), we can suggest this approach:

  1. Publish an MTA-STS policy and/or DANE records (DANE only makes sense if DNSSEC is already enabled for your domain; MTA-STS in any case). This protects traffic in your direction and removes the need to ask other mail services to configure mandatory TLS for your domain, provided the mail service already supports MTA-STS and/or DANE.
  2. For the large email services, implement an "analogue" of MTA-STS through separate transport settings for each domain, which pin the MX used for sending mail and require TLS certificate verification for it. If those domains already publish an MTA-STS policy, this can be done painlessly. By itself, enabling mandatory TLS for a domain without pinning the relay and verifying the certificate is useless from a security standpoint and adds nothing to the existing STARTTLS mechanisms.

source: www.habr.com
