Mail.ru Mail begins applying MTA-STS policies in test mode

In short, MTA-STS is a way to further protect email from interception (that is, man-in-the-middle attacks, aka MitM) while it is in transit between mail servers. It partially fixes the architectural problems of the email protocols and is described in the recently published standard RFC 8461. Mail.ru is the first mail service on the RuNet to apply this standard. The details are below the cut.

What problem does MTA-STS solve?

Historically, the email protocols (SMTP, POP3, IMAP) transmitted information in clear text, which made it possible to intercept it, for example, by gaining access to the communication channel.

This is what the path of a message from one user to another looks like:

[Figure: the path of a message between two users, passing through the mail servers of both sides]

Historically, a MitM attack was possible at every point along the route the message travels.

RFC 8314 requires the use of TLS between the user's mail application (MUA) and the mail server. If your server and the mail applications you use comply with RFC 8314, then you have (largely) eliminated the possibility of a Man-in-the-Middle attack between the user and the mail servers.

Following the recommended practices (set out in RFC 8314) eliminates attacks on the user's side:

[Figure: the same message path after RFC 8314 is applied, with the client-to-server links protected by TLS]

Mail.ru's mail servers complied with RFC 8314 even before the standard was adopted; in fact, it merely codifies practices that had already been adopted, and we did not have to configure anything extra. But if your mail server still allows users to connect over insecure protocols, make sure you implement the recommendations of this standard, because most likely some of your users work with mail without encryption, even if you support it.

A mail client always works with the mail server of its own organization. So you can force all users to connect securely, and then make it impossible for insecure clients to connect at all (this is exactly what RFC 8314 requires). This is sometimes difficult, but doable. Traffic between mail servers is still a problem. The servers belong to different organizations and are often run in "set and forget" mode, which makes it impossible to switch to a secure protocol all at once without breaking connectivity. SMTP has long provided the STARTTLS extension, which lets servers that support encryption switch to TLS. But an attacker who can influence the traffic can "cut out" the advertisement of this command and force the servers to talk over the plain text protocol (a so-called downgrade attack). For the same reason, STARTTLS usually does not verify the validity of the certificate (an untrusted certificate still protects against passive attacks, and that is no worse than sending the message in clear text). Therefore, STARTTLS protects only against passive eavesdropping.

MTA-STS partially eliminates the problem of message interception between mail servers when an attacker is able to influence the traffic. If the recipient's domain publishes an MTA-STS policy and the sender's server supports MTA-STS, it sends the email only over a TLS connection, only to the servers listed in the policy, and only after verifying the server certificate.

Why partially? MTA-STS works only if both parties have taken care to implement this standard, and MTA-STS does not protect against scenarios in which the attacker is able to obtain a valid certificate for the domain from one of the public CAs.

How MTA-STS works

Recipient

  1. Configures STARTTLS support with a valid certificate on the mail server.
  2. Publishes the MTA-STS policy over HTTPS; a dedicated mta-sts subdomain and a dedicated well-known path are used for publishing, for example https://mta-sts.mail.ru/.well-known/mta-sts.txt. The policy is a text file containing the list of mail servers (mx) that are entitled to receive mail for this domain.
  3. Publishes a dedicated _mta-sts TXT record in DNS carrying the policy version. When the policy changes, this record must be updated (this signals to the sender that the policy must be re-requested). For example: _mta-sts.mail.ru. TXT "v=STSv1; id=20200303T120000;"

Sender

The sender looks up the _mta-sts DNS record and, if it exists, requests the policy over HTTPS (verifying the certificate). The resulting policy is cached (in case an attacker later blocks access to it or spoofs the DNS record).

When sending mail, the sender checks that:

  • the server the mail is being sent to is listed in the policy;
  • the server accepts mail over TLS (STARTTLS) and presents a valid certificate.
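The sender-side procedure above, written out as an added Python example (this is not Mail.ru's code nor any MTA's implementation): parsing the `_mta-sts` TXT record, parsing the fetched policy file, matching the candidate MX against the policy's `mx` patterns (including the single-label `*.` wildcard that RFC 8461 allows), and deciding whether delivery proceeds under `testing` and `enforce` modes. The DNS answer and the HTTPS policy body are constructed strings, so nothing touches the network; the `should_refetch` cache rule (re-request on `max_age` expiry or a changed `id`) and all function names are this example's own.

```python
"""Sender-side MTA-STS evaluation on constructed inputs (added example)."""

# Constructed sample: what a sender would receive for the _mta-sts.<domain> TXT lookup.
SAMPLE_TXT_RECORD = "v=STSv1; id=20200303T120000;"

# Constructed sample: body of https://mta-sts.<domain>/.well-known/mta-sts.txt
# (CRLF-terminated, as the standard requires). The wildcard line is an assumption
# added to show pattern matching; it is not the policy the article shows.
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mxs.mail.ru\r\n"
    "mx: emx.mail.ru\r\n"
    "mx: *.corp.mail.ru\r\n"
    "max_age: 86400\r\n"
)


def parse_txt_record(txt):
    """Parse the _mta-sts TXT record; return None unless it is a usable STSv1 record."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None                      # not key=value syntax: treat as absent
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields


def parse_policy(body):
    """Parse the policy file into {'version', 'mode', 'mx': [...], 'max_age'}."""
    policy = {"mx": []}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("testing", "enforce", "none"):
        raise ValueError("invalid mode")
    if "max_age" not in policy:
        raise ValueError("missing max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx hosts")
    return policy


def mx_matches_policy(mx_host, policy):
    """True if mx_host matches an mx pattern exactly or via a *.suffix wildcard.

    RFC 8461 wildcards cover exactly one label: *.corp.mail.ru matches
    mx2.corp.mail.ru but neither corp.mail.ru nor a.b.corp.mail.ru.
    """
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                       # ".corp.mail.ru"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(mx_host, policy, tls_ok, cert_valid):
    """Return 'deliver' or 'refuse' for one MX candidate.

    In testing mode a mismatch is only something to report (the policy is not
    applied); in enforce mode it blocks delivery to that MX.
    """
    compliant = mx_matches_policy(mx_host, policy) and tls_ok and cert_valid
    if policy["mode"] == "enforce" and not compliant:
        return "refuse"
    return "deliver"


def should_refetch(cached, dns_record, now):
    """Re-request the policy when the cache has expired or the DNS id changed.

    A missing DNS record alone does not invalidate a live cache: that is the
    case where an attacker blocks or spoofs DNS and the cached policy still applies.
    """
    if cached is None:
        return True
    expired = now >= cached["fetched_at"] + cached["policy"]["max_age"]
    return expired or (dns_record is not None and dns_record["id"] != cached["id"])
```

A real sender would plug the DNS lookup and the HTTPS fetch (with certificate verification) in front of `parse_txt_record` and `parse_policy`; the decision logic after that point is what the functions above exercise.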

Advantages of MTA-STS

MTA-STS relies on technologies that are already deployed in most organizations (SMTP+STARTTLS, HTTPS, DNS). To implement it on the receiving side, no special software support for the standard is required.

Disadvantages of MTA-STS

You have to monitor the validity of the web and mail server certificates, name matching, and timely renewal. Problems with the certificate will cause mail to become undeliverable.

On the sending side, an MTA with support for MTA-STS policies is required; at present, MTA-STS is not supported out of the box in MTAs.

MTA-STS relies on the list of trusted root CAs.

MTA-STS does not protect against attacks in which the attacker uses a valid certificate. Usually, a MitM position near the server implies the ability to obtain a certificate. Such attacks can be detected using Certificate Transparency. So, in general, MTA-STS reduces, but does not completely eliminate, the possibility of traffic interception.

The last two points make MTA-STS less secure than the competing DANE standard for SMTP (RFC 7672), but more reliable: with MTA-STS there is a lower chance that a message goes undelivered because of technical problems caused by implementing the standard.

The competing standard: DANE

DANE uses DNSSEC to publish certificate information and does not require trust in external certificate authorities, which is much more secure. But deploying DNSSEC leads to technical failures considerably more often, judging by several years of usage statistics (although overall there is a positive trend in DNSSEC reliability and in the quality of its technical support). To implement DANE for SMTP on the receiving side, DNSSEC for the DNS zone is mandatory, and correct NSEC/NSEC3 support is essential for DANE, which is where DNSSEC has systemic problems.

If DNSSEC is configured incorrectly, this can cause mail delivery failures whenever the sending side supports DANE, even if the receiving side knows nothing about it. So although DANE is the older and more secure standard and is already supported in some server software on the sending side, in practice its adoption remains insignificant: many organizations are not ready to implement it because of the requirement to deploy DNSSEC, and this has significantly held back DANE adoption for all the years the standard has existed.

DANE and MTA-STS do not conflict and can be used together.

What about MTA-STS support in Mail.ru Mail?

Mail.ru has been publishing an MTA-STS policy for all its main domains for quite some time. We are now implementing the client part of the standard. At the time of writing, policies are applied in non-blocking mode (if delivery is blocked by a policy, the message is delivered through a "fallback" server without applying the policy); next, blocking mode will be enforced for a small share of outgoing SMTP traffic, gradually reaching policy enforcement for 100% of traffic.

Who else supports the standard?

At the moment, roughly 0.05% of active domains publish MTA-STS policies, but nevertheless they already protect a large share of mail traffic, because the standard is supported by the major players: Google, Comcast and, in part, Verizon (AOL, Yahoo). Many other mail services have announced that support for the standard will be implemented in the near future.

How will this affect me?

It will not, unless your domain has published an MTA-STS policy. If you do publish a policy, the email of your mail server's users will be better protected from interception.

How do I implement MTA-STS?

MTA-STS support on the receiving side

It is enough to publish the policy over HTTPS and the records in DNS, and to configure a valid certificate from one of the trusted CAs (Let's Encrypt is an option) for STARTTLS in the MTA (STARTTLS is supported in all modern MTAs); no special support from the MTA is required.

Step by step, it looks like this:

  1. Configure STARTTLS in the MTA you use (postfix, exim, sendmail, Microsoft Exchange, etc.).
  2. Make sure you are using a valid certificate (issued by a trusted CA, not expired, with a certificate subject that matches the MX record delivering mail for your domain).
  3. Configure a TLS-RPT record through which policy-application reports will be delivered (using a service that supports receiving TLS reports). Example record (for the example.com domain):
    smtp._tls.example.com. 300 IN TXT "v=TLSRPTv1;rua=mailto:[email protected]"

    This record instructs mail senders to deliver statistical reports on TLS usage in SMTP to [email protected].

    Monitor the reports for several days to make sure there are no errors.

  4. Publish the MTA-STS policy over HTTPS. The policy is published as a text file with CRLF line terminators at the following location:
    https://mta-sts.example.com/.well-known/mta-sts.txt

    Example policy:

    version: STSv1
    mode: enforce
    mx: mxs.mail.ru
    mx: emx.mail.ru
    mx: mx2.corp.mail.ru
    max_age: 86400
    

    The version field holds the policy version (currently STSv1). mode sets how the policy is applied: testing is test mode (the policy is not enforced), enforce is "live" mode. Start publishing the policy with mode: testing; if there are no problems with the policy in test mode, after a while you can switch to mode: enforce.

    mx lists all mail servers that may receive mail for your domain (each server must have a certificate configured that matches the name given in mx). max_age sets the caching period of the policy (the remembered policy keeps being applied even if an attacker blocks its delivery or spoofs the DNS records during the caching period; you can signal that the policy must be re-requested by changing the mta-sts DNS record).

  5. Publish the TXT record in DNS:
    _mta-sts.example.com. TXT "v=STSv1; id=someid;"

    An arbitrary identifier (for example, a timestamp) can be used in the id field; whenever the policy changes, it must be changed too, which lets senders understand that they need to re-request the cached policy (when the identifier differs from the cached one).
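Step 3 says to watch the TLS-RPT reports for a few days before enforcing. The following added Python example (not from the article or Mail.ru) parses one aggregate report in the JSON shape defined by RFC 8460, groups failures by result type and receiving MX host, and applies a conservative gate of this example's own design before the policy is switched to `mode: enforce`. The report content, the 0.1% failure threshold, the `RECEIVER_SIDE_FAILURES` grouping and the function names are all constructed for illustration; real reports arrive by mail as gzipped JSON attachments, so the decoded JSON text is the input here.

```python
"""Summarising a TLS-RPT (RFC 8460) aggregate report (added example)."""
import json
from collections import Counter

# Constructed sample report in the RFC 8460 JSON layout; the sender name,
# addresses and counts are made up for this example.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2020-03-03T00:00:00Z",
                   "end-datetime": "2020-03-03T23:59:59Z"},
    "contact-info": "tlsrpt-noreply@sender.example",
    "report-id": "constructed-report-0001",
    "policies": [
        {
            "policy": {
                "policy-type": "sts",
                "policy-string": ["version: STSv1", "mode: testing",
                                  "mx: mx1.example.com", "max_age: 86400"],
                "policy-domain": "example.com",
            },
            "summary": {"total-successful-session-count": 980,
                        "total-failure-session-count": 20},
            "failure-details": [
                {"result-type": "certificate-host-mismatch",
                 "sending-mta-ip": "192.0.2.10",
                 "receiving-mx-hostname": "mx2.example.com",
                 "failed-session-count": 15},
                {"result-type": "starttls-not-supported",
                 "sending-mta-ip": "192.0.2.11",
                 "receiving-mx-hostname": "mx2.example.com",
                 "failed-session-count": 5},
            ],
        }
    ],
})

# RFC 8460 result types that point at the receiving domain's own configuration
# (missing STARTTLS, bad or mismatched certificate, broken policy publication).
RECEIVER_SIDE_FAILURES = {
    "starttls-not-supported", "certificate-host-mismatch", "certificate-expired",
    "certificate-not-trusted", "sts-policy-fetch-error", "sts-policy-invalid",
    "sts-webpki-invalid",
}


def _policy_mode(policy_lines):
    """Extract 'mode' from the policy-string lines the sender echoes back."""
    for line in policy_lines:
        key, _, value = line.partition(":")
        if key.strip() == "mode":
            return value.strip()
    return None


def summarize_report(report_json):
    """Return totals per policy plus failure counts keyed by (result type, MX host)."""
    report = json.loads(report_json)
    out = {"report_id": report["report-id"], "policies": []}
    for entry in report["policies"]:
        policy = entry["policy"]
        summary = entry["summary"]
        failures = Counter()
        for f in entry.get("failure-details", []):
            key = (f["result-type"], f.get("receiving-mx-hostname", "?"))
            failures[key] += f.get("failed-session-count", 1)
        out["policies"].append({
            "domain": policy["policy-domain"],
            "type": policy["policy-type"],
            "mode": _policy_mode(policy.get("policy-string", [])),
            "ok": summary["total-successful-session-count"],
            "failed": summary["total-failure-session-count"],
            "failures": failures,
        })
    return out


def safe_to_enforce(summary, max_failure_ratio=0.001):
    """Gate for moving from testing to enforce (this example's own heuristic).

    Refuse while any receiver-side failure type is present or the failure
    ratio exceeds the threshold; either means enforce mode would bounce mail.
    """
    for p in summary["policies"]:
        total = p["ok"] + p["failed"]
        if total and p["failed"] / total > max_failure_ratio:
            return False
        if any(rt in RECEIVER_SIDE_FAILURES for (rt, _) in p["failures"]):
            return False
    return True


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    for p in s["policies"]:
        print(p["domain"], p["mode"], "ok:", p["ok"], "failed:", p["failed"])
        for (rtype, mx), n in p["failures"].items():
            print("  ", rtype, mx, n)
    print("safe to enforce:", safe_to_enforce(s))
```

In the constructed report, mx2.example.com shows both a certificate host mismatch and missing STARTTLS, which is exactly the situation step 2 and step 4 warn about: switching to enforce now would make senders refuse that MX, so the gate returns False until the reports are clean.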

MTA-STS support on the sending side

Things are poor here so far, because the standard is new.

A follow-up on "mandatory TLS"

Recently, regulators have been paying attention to email security (which is a good thing). For example, DMARC is mandatory for all government agencies in the United States and is increasingly required in the financial sector, with adoption of the standard reaching 90% in regulated areas. Now some regulators require "mandatory TLS" to be implemented with individual domains, but the way "mandatory TLS" is to be ensured is not defined, and in practice this setting is often implemented in a way that does not protect even nominally against the real attacks that mechanisms such as DANE or MTA-STS already address.

If a regulator requires "mandatory TLS" to be implemented with individual domains, we recommend considering MTA-STS, or a partial analogue of it, as the most suitable mechanism: it removes the need to make a separate secure configuration for each domain. If implementing the client part of MTA-STS is difficult for you (which is likely until the protocol gains widespread support), we can recommend this approach:

  1. Publish an MTA-STS policy and/or DANE records (DANE only makes sense if DNSSEC is already enabled for your domain; MTA-STS makes sense in any case). This protects traffic in your direction and removes the need to ask other mail services to configure mandatory TLS for your domain, provided that mail service already supports MTA-STS and/or DANE.
  2. For large mail services, implement an "analogue" of MTA-STS through separate transport settings for each domain, which pins the MX used for sending mail and requires mandatory verification of its TLS certificate. If those domains already publish an MTA-STS policy, this can be done painlessly. By itself, enabling mandatory TLS for a domain without pinning the relay and verifying its certificate makes no sense from a security point of view and adds nothing to the existing STARTTLS mechanism.

Source: www.habr.com