Mail.ru Mail starts applying MTA-STS policies in test mode


In short, MTA-STS is a technology that makes email harder to intercept (i.e. a man-in-the-middle attack, aka MitM) while it is relayed between mail servers. It partially fixes architectural problems of the email protocols and is described in the fairly recent RFC 8461. Mail.ru is the first major mail service on the RuNet to implement this standard. Details under the cut.

What problem does MTA-STS solve?

Historically, the email protocols (SMTP, POP3, IMAP) transmitted information in plain text, which made it possible, for example, to intercept it on the communication channel.

This is what the path of a message from one user to another looks like:

[Figure: path of a message between two users via their mail servers; image not included]

Historically, a MitM attack was possible at every point along the path the mail travels.

RFC 8314 requires the use of TLS between the mail user agent (MUA) and the mail server. If your server and the mail applications you use comply with RFC 8314, then you have (largely) eliminated the possibility of a man-in-the-middle attack between the user and the mail servers.

Following generally accepted practice (codified by RFC 8314) eliminates the attack on the user's side:

[Figure: the same path with TLS between the user and the mail server; image not included]

Mail.ru's mail servers complied with RFC 8314 even before the standard was adopted; in fact, it merely codified already-established practice, and we did not have to configure anything extra. But if your mail server still lets users connect over insecure protocols, make sure you implement the recommendations of this standard, because it is likely that some of your users are working with mail without encryption even though you support it.

A mail client always talks to the same mail server of the same organization. So you can first make all users connect securely and then make it impossible for insecure clients to connect at all (this is exactly what RFC 8314 requires). This is sometimes difficult, but doable. Traffic between mail servers is harder. The servers belong to different organizations and are often run in "set and forget" mode, which makes it impossible to switch to a secure protocol in one go without breaking connectivity. SMTP has long had the STARTTLS extension, which lets servers that support encryption switch to TLS. But an attacker who can tamper with the traffic can "cut out" the advertisement of this command and force the servers to talk in plain text (a so-called downgrade attack). For the same reason, STARTTLS usually does not check whether the certificate is valid (an untrusted certificate still protects against passive attacks, and that is no worse than sending the message in plain text). As a result, STARTTLS protects only against passive eavesdropping.

MTA-STS partially solves the problem of mail interception between mail servers when the attacker can actively tamper with traffic. If the recipient's domain publishes an MTA-STS policy and the sender's server supports MTA-STS, the sender delivers the message only over a TLS connection, only to the servers listed in the policy, and only after verifying the server certificate.

Why only partially? MTA-STS works only if both parties have taken care to implement the standard, and MTA-STS does not protect against scenarios in which the attacker can obtain a valid certificate from one of the public CAs.

How MTA-STS works

Recipient

  1. Configures STARTTLS with a valid certificate on the mail server.
  2. Publishes the MTA-STS policy over HTTPS; a dedicated mta-sts subdomain and the well-known path are used for publication, e.g. https://mta-sts.mail.ru/.well-known/mta-sts.txt. The policy contains the list of mail servers (mx) that are authorized to receive mail for the domain.
  3. Publishes a special _mta-sts TXT record in DNS with the policy version. When the policy changes, this record must be updated (this signals senders to re-request the policy). For example: _mta-sts.mail.ru. TXT "v=STSv1; id=20200303T120000;"

Sender

The sender looks up the _mta-sts DNS record and, if it exists, requests the policy over HTTPS (verifying the certificate). The result is cached (in case an attacker later blocks access to it or spoofs the DNS record).

When sending mail, it verifies that:

  • the server the mail is being sent to is listed in the policy;
  • the server accepts mail over TLS (STARTTLS) and has a valid certificate.

Advantages of MTA-STS

MTA-STS uses technologies that are already deployed in most organizations (SMTP+STARTTLS, HTTPS, DNS). No special software support is needed to implement the receiving side.

Disadvantages of MTA-STS

You have to monitor the validity of the certificates on the web server and on the mail servers, the matching of names, and timely renewal. Certificate problems will cause mail not to be delivered.

On the sending side, an MTA that supports MTA-STS policies is required; at the moment, MTA-STS is not supported out of the box by MTAs.

MTA-STS relies on the list of trusted root CAs.

MTA-STS does not protect against attacks in which the attacker uses a valid certificate. In most cases, a MitM position near the server implies the ability to obtain a certificate. Such an attack can be detected with Certificate Transparency. So, in general, MTA-STS reduces, but does not completely eliminate, the possibility of traffic interception.

The last two points make MTA-STS less secure than the competing DANE standard for SMTP (RFC 7672), but technically more reliable: with MTA-STS there is a lower chance that a message goes undelivered because of technical problems caused by deploying the standard.

The competing standard - DANE

DANE uses DNSSEC to publish certificate information and does not require trust in external certificate authorities, which is much more secure. But the use of DNSSEC quite often leads to technical failures, judging by statistics from several years of use (although overall there is a positive trend in the reliability of DNSSEC and its support). To implement DANE for SMTP on the receiving side, DNSSEC for the DNS zone is mandatory, and DANE requires correct NSEC/NSEC3 support, which is a systemic weak spot in DNSSEC.

If DNSSEC is misconfigured, it can cause mail delivery failures whenever the sending side supports DANE, while the receiving side suspects nothing. So although DANE is older and more secure and is already supported in some server software on the sending side, its real-world penetration remains negligible: many organizations are not ready to deploy it because of the need to roll out DNSSEC, and this has significantly slowed the adoption of DANE in all the years the standard has existed.

DANE and MTA-STS do not conflict with each other and can be used together.

What MTA-STS support is there in Mail.ru Mail?

Mail.ru has been publishing MTA-STS policies on all its main domains for some time. We have now implemented the client part of the standard. At the time of writing, policies are applied in non-blocking mode (if delivery is blocked by a policy, the message is delivered through a "spare" server without applying the policy); after that, blocking mode will be enforced for a small share of outgoing SMTP traffic, and policy enforcement will gradually be extended to 100% of the traffic.

Who else supports the standard?

Currently, MTA-STS policies are published by roughly 0.05% of active domains, but they nevertheless already protect a large volume of mail, because the standard is supported by the major players: Google, Comcast and, in part, Verizon (AOL, Yahoo). Many other mail services have announced that support for the standard will be implemented in the near future.

How will this affect me?

Not at all, unless your domain publishes an MTA-STS policy. If you do publish a policy, the mail of your mail server's users will be better protected against interception.

How do I implement MTA-STS?

MTA-STS support on the receiving side

It is enough to publish the policy over HTTPS and the records in DNS, and to maintain a valid certificate from one of the trusted CAs (Let's Encrypt will do) for STARTTLS in the MTA (STARTTLS is supported by all modern MTAs); no special support from the MTA is required.

Step by step, it looks like this:

  1. Configure STARTTLS in the MTA you use (postfix, exim, sendmail, Microsoft Exchange, etc.).
  2. Make sure you use a valid certificate (issued by a trusted CA, not expired, and with a subject that matches the MX record that delivers mail to your domain).
  3. Configure a TLS-RPT record through which senders that apply the policy will deliver reports (for those services that support sending TLS reports). Example record (for the example.com domain):
    smtp._tls.example.com. 300 IN TXT "v=TLSRPTv1;rua=mailto:[email protected]"

    This record instructs mail senders to send statistical reports on the use of TLS in SMTP to [email protected].

    Monitor the reports for a few days to make sure there are no errors.

  4. Publish the MTA-STS policy over HTTPS. The policy is published as a text file with CRLF line terminators at the location
    https://mta-sts.example.com/.well-known/mta-sts.txt
    

    Example policy:

    version: STSv1
    mode: enforce
    mx: mxs.mail.ru
    mx: emx.mail.ru
    mx: mx2.corp.mail.ru
    max_age: 86400
    

    The version field contains the policy version (currently STSv1); mode sets how the policy is applied: testing - test mode (the policy is not enforced), enforce - "enforcing" mode. First publish the policy with mode: testing; if there are no problems with the policy in test mode, after a while you can switch to mode: enforce.

    mx lists all servers that may receive mail for your domain (each server must have a certificate configured that matches the name given in mx). max_age sets the policy caching time (the cached policy is applied even if an attacker blocks its delivery or spoofs the DNS record during the caching period; you can signal that the policy must be re-requested by changing the _mta-sts DNS record).

  5. Publish the TXT record in DNS:
    _mta-sts.example.com. TXT "v=STSv1; id=someid;"
    

    A stable identifier (e.g. a timestamp) can be used in the id field; it must change whenever the policy changes, which lets senders understand that they need to re-request the cached policy (when the identifier differs from the cached one).
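The sender-side logic from the "How MTA-STS works" section and the policy fields just described, as an added Python example (not code from the article or from Mail.ru): it parses a constructed _mta-sts TXT record and a constructed CRLF-terminated policy file, matches an MX hostname against the mx patterns (including the single-label "*." wildcard of RFC 8461), decides whether delivery is permitted in enforce vs testing mode, and detects when a changed id means the cached policy must be refetched. All sample values are constructed for an imaginary example.com domain; the function names are this example's own, and the "at least one mx unless mode is none" check is the example's own choice.

```python
"""Sender-side MTA-STS checks (RFC 8461), as an added worked example.

Not code from the article or from Mail.ru. All sample values below are
constructed for an imaginary domain example.com; function names are this
example's own.
"""

# Constructed _mta-sts TXT record and policy file (CRLF line endings, as
# the standard requires).
SAMPLE_TXT_RECORD = "v=STSv1; id=20200303T120000;"
SAMPLE_POLICY_FILE = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mx1.example.com\r\n"
    "mx: mx2.example.com\r\n"
    "mx: *.backup.example.com\r\n"
    "max_age: 86400\r\n"
)


def parse_sts_txt(record):
    """Parse the _mta-sts TXT record ("v=STSv1; id=...;") into a dict."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not an MTA-STS TXT record: %r" % record)
    return fields


def parse_policy(text):
    """Parse the policy file into {"version", "mode", "mx": [...], "max_age"}."""
    policy = {"mx": []}
    for line in text.split("\r\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode: %r" % policy.get("mode"))
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx hosts")  # this example's own check
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy


def mx_matches(hostname, pattern):
    """MX identity matching: exact name, or '*.' standing for exactly one label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".backup.example.com"
        if not hostname.endswith(suffix):
            return False
        return "." not in hostname[:-len(suffix)]  # one extra label only
    return hostname == pattern


def delivery_allowed(policy, mx_host, tls_ok, cert_valid):
    """Decide whether the message may be handed to mx_host.

    In enforce mode all three conditions must hold: the host is in the
    policy, STARTTLS succeeded and the certificate verified. In testing
    mode a violation is only reported (TLSRPT) and delivery proceeds.
    """
    if policy["mode"] == "none":
        return True
    compliant = (any(mx_matches(mx_host, p) for p in policy["mx"])
                 and tls_ok and cert_valid)
    if policy["mode"] == "testing":
        return True
    return compliant


def needs_refresh(cached_id, txt_record):
    """A changed id in the DNS record means the cached policy is stale."""
    return parse_sts_txt(txt_record)["id"] != cached_id


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY_FILE)
    print(policy)
    print(delivery_allowed(policy, "mx9.backup.example.com", True, True))
```

Note that the wildcard matches one label only: "mx9.backup.example.com" is accepted under "*.backup.example.com", while "backup.example.com" and "a.b.backup.example.com" are not, which is why a policy should list every MX name pattern explicitly.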

MTA-STS support on the sending side

So far it is in poor shape, because... the standard is new.

A final word on "mandatory TLS"

Recently, regulators have been paying close attention to email security (and that is a good thing). For example, DMARC is mandatory for all government agencies in the United States and is increasingly required in the financial sector, with penetration of the standard reaching 90% in regulated areas. Now some regulators are demanding "mandatory TLS" with specific domains, but the mechanism for ensuring "mandatory TLS" is not defined, and in practice it is often implemented in a way that does not protect even minimally against the real attacks that are already covered by mechanisms such as DANE or MTA-STS.

If regulators require "mandatory TLS" with specific domains, we recommend considering MTA-STS, or a partial analogue of it, as the most suitable mechanism; it removes the need to set up secure settings for each domain separately. If you have difficulties implementing the client part of MTA-STS (which will most likely be the case until the protocol receives widespread support), we can suggest the following approach:

  1. Publish an MTA-STS policy and/or DANE records (DANE makes sense if DNSSEC is already enabled for your domain, MTA-STS in any case). This protects a significant share of the traffic towards you and removes the need to ask other mail services to configure mandatory TLS for your domain if those services already support MTA-STS and/or DANE.
  2. For the largest email services, implement an "analogue" of MTA-STS through separate transport settings for each domain, which pin the MX used for sending mail and require mandatory verification of the TLS certificate. If those domains already publish MTA-STS policies, this can be done painlessly. By itself, enabling mandatory TLS for a domain without pinning the relays and verifying their certificates does nothing for security and adds nothing to the existing STARTTLS mechanism.
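Step 2 above, as an added Python example (not code from the article or from Mail.ru): it derives a per-domain entry for Postfix's smtp_tls_policy_maps table from the mx patterns of a partner's published MTA-STS policy. The example assumes the Postfix table format "<domain> <level> [match=<name>:<name>...]", Postfix's "secure" TLS level (certificate verified against the match= names, a leading dot matching subdomains) as the pinned form, and its "encrypt" level as the weak "TLS without verification" setting the article warns about. The domain and MX names are constructed.

```python
"""Derive a per-domain Postfix TLS policy entry from MTA-STS mx patterns.

Added example, not the article's code. Assumes the Postfix smtp_tls_policy_maps
format "<domain> <level> [match=<name>:<name>...]", where level 'secure'
verifies the server certificate against the match= names and 'encrypt' only
requires a TLS session without certificate verification.
"""


def mx_patterns_to_match(mx_patterns):
    """Turn MTA-STS mx patterns into a Postfix match= list.

    An MTA-STS wildcard '*.sub.example.com' matches exactly one extra label;
    Postfix's leading-dot form '.sub.example.com' matches any subdomain depth,
    so the resulting pin is slightly looser than the MTA-STS policy itself.
    """
    names = []
    for pattern in mx_patterns:
        pattern = pattern.strip().lower().rstrip(".")
        if not pattern:
            continue
        if pattern.startswith("*."):
            names.append(pattern[1:])
        elif "*" in pattern:
            raise ValueError("unsupported wildcard position: %r" % pattern)
        else:
            names.append(pattern)
    if not names:
        raise ValueError("no MX names to pin; refusing to emit a 'secure' entry")
    return ":".join(names)


def tls_policy_entry(domain, mx_patterns, verify=True):
    """Return one smtp_tls_policy_maps line for `domain`.

    verify=True  -> 'secure match=...': TLS plus certificate check against the
                    pinned MX names (the MTA-STS analogue recommended above).
    verify=False -> 'encrypt': TLS required but any certificate accepted, the
                    "mandatory TLS" variant that adds nothing over STARTTLS.
    """
    domain = domain.strip().lower().rstrip(".")
    if not verify:
        return "%s\tencrypt" % domain
    return "%s\tsecure match=%s" % (domain, mx_patterns_to_match(mx_patterns))


# Constructed sample: a partner domain and the mx patterns from its policy.
SAMPLE_DOMAIN = "partner.example.com"
SAMPLE_MX = ["mx1.partner.example.com", "*.backup.partner.example.com"]

if __name__ == "__main__":
    print(tls_policy_entry(SAMPLE_DOMAIN, SAMPLE_MX))                # pinned
    print(tls_policy_entry(SAMPLE_DOMAIN, SAMPLE_MX, verify=False))  # weak
```

The generated lines go into the lookup table referenced by smtp_tls_policy_maps; the "secure" entry is the one that actually gives you MTA-STS-like protection, while the "encrypt" entry only satisfies the letter of a "mandatory TLS" requirement.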

Source: www.habr.com
