Mail.ru Mail begins applying MTA-STS policies in test mode


In short, MTA-STS is a way to further protect email from interception (that is, from man-in-the-middle attacks, aka MitM) while it is in transit between mail servers. It partially solves the legacy problems of the email protocols and is described in the recent standard RFC 8461. Mail.ru is the first major mail service on the RuNet to implement this standard. The details are below.

What problem does MTA-STS solve?

Historically, the email protocols (SMTP, POP3, IMAP) transmitted information in clear text, which made it easy to intercept, for example by gaining access to the communication channel.

This is what the path of a message from one user to another looks like:

[Figure: the path of a message from one user to another, via the mail servers]

Historically, a MitM attack was possible at every point where mail passes.

RFC 8314 requires the use of TLS between the mail user agent (MUA) and the mail server. If your server and the mail clients you use comply with RFC 8314, you have (largely) eliminated the possibility of a Man-in-the-Middle attack between the user and the mail servers.

Following the generally accepted practices (codified in RFC 8314) eliminates the attack close to the user:

[Figure: the same path, with the attack close to the user eliminated]

Mail.ru's mail servers complied with RFC 8314 even before the standard was adopted; in fact, it simply codifies practices that were already established, and we did not have to configure anything extra. But if your mail server still lets users use insecure protocols, be sure to implement the recommendations of this standard, because most likely at least some of your users work with mail without encryption, even though you support it.

A mail client always works with the same mail server of the same organization. You can force all users to connect securely and then make it technically impossible for insecure clients to connect (this is exactly what RFC 8314 requires). This is sometimes difficult, but doable.

Traffic between mail servers is harder. The servers belong to different organizations and are often run in "set and forget" mode, which makes it impossible to switch to a secure protocol all at once without breaking connectivity. SMTP has long offered the STARTTLS extension, which lets servers that support encryption switch to TLS. But an attacker who can influence the traffic can "cut out" the announcement that this command is supported and force the servers to talk over the plain-text protocol (a so-called downgrade attack). For the same reason, STARTTLS usually does not check the validity of the certificate (an untrusted certificate still protects against a passive attack, and that is no worse than sending the message in clear text). As a result, STARTTLS protects only against eavesdropping.

MTA-STS partially eliminates the problem of messages being intercepted between mail servers when the attacker is able to actively influence the traffic. If the recipient's domain publishes an MTA-STS policy and the sender's server supports MTA-STS, the sender will deliver mail only over a TLS connection, only to the servers listed in the policy, and only after verifying the server's certificate.

Why partially? MTA-STS works only if both parties have taken care to implement the standard, and MTA-STS does not protect against a situation in which the attacker is able to obtain a valid certificate for the domain from one of the public CAs.

How MTA-STS works

Recipient

  1. Configures STARTTLS support with a valid certificate on the mail server. 
  2. Publishes the MTA-STS policy over HTTPS; a dedicated mta-sts subdomain and a dedicated well-known path are used for publication, for example https://mta-sts.mail.ru/.well-known/mta-sts.txt. The policy contains the list of mail servers (mx) that are entitled to receive mail for this domain.
  3. Publishes a dedicated _mta-sts TXT record in DNS carrying the policy version. When the policy changes, this record must be updated (this signals the sender to re-query the policy). For example: _mta-sts.mail.ru. TXT "v=STSv1; id=20200303T120000;"

Sender

The sender queries the _mta-sts DNS record and, if it exists, requests the policy over HTTPS (verifying the certificate). The resulting policy is cached (in case an attacker blocks access to it or spoofs the DNS record).

When sending mail, it checks that:

  • the server to which the mail is being delivered is listed in the policy;
  • the server accepts mail over TLS (STARTTLS) and has a valid certificate.
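The sender-side logic above, written out as an added example (this is not code from the article or from Mail.ru): it parses the _mta-sts TXT record and the policy file, applies the RFC 8461 MX-name matching rule (a leading "*." covers exactly one label), and returns the delivery decision for testing and enforce modes. TLS and certificate verification are assumed to happen elsewhere and are represented by the tls_ok flag; the TXT record and policy text are constructed samples for the example.com domain.

```python
# Added example, not the article's or Mail.ru's code: the sender-side checks of
# RFC 8461 on constructed inputs. tls_ok stands in for the TLS verification result.

# Constructed sample _mta-sts TXT record and policy file (example.com domain).
TXT_RECORD = "v=STSv1; id=20200303T120000;"
POLICY_TEXT = ("version: STSv1\r\nmode: enforce\r\nmx: mx1.example.com\r\n"
               "mx: *.backup.example.com\r\nmax_age: 86400\r\n")

def parse_txt(record):
    """Return the policy id from a _mta-sts TXT record, or None if it is not STSv1."""
    fields = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return fields.get("id") if fields.get("v") == "STSv1" else None

def parse_policy(text):
    """Parse the 'key: value' policy file; 'mx' may repeat and is collected in a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key:
            policy[key] = value
    valid = policy.get("version") == "STSv1" and "max_age" in policy
    if not valid or policy.get("mode") not in ("testing", "enforce", "none"):
        raise ValueError("invalid MTA-STS policy")
    policy["max_age"] = int(policy["max_age"])
    return policy

def mx_matches(pattern, host):
    """RFC 8461 name matching: a leading '*.' covers exactly one DNS label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return host == pattern

def delivery_decision(policy, mx_host, tls_ok):
    """(deliver, reason): enforce blocks on a failed check, testing only reports it."""
    if not any(mx_matches(p, mx_host) for p in policy["mx"]):
        reason = "mx-not-in-policy"
    elif not tls_ok:
        reason = "tls-failed"
    else:
        return True, "ok"
    return policy["mode"] != "enforce", reason

def policy_needs_refresh(cached_id, txt_record):
    """A changed id in the TXT record is the signal to re-fetch the policy over HTTPS."""
    return parse_txt(txt_record) != cached_id
```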

Advantages of MTA-STS

MTA-STS uses technologies that are already deployed in most organizations (SMTP + STARTTLS, HTTPS, DNS). Implementing it on the recipient side requires no special software support.

Disadvantages of MTA-STS

You have to monitor the validity of the web and mail server certificates, the correspondence of the names, and timely renewal. A problem with a certificate will make mail undeliverable.

On the sender side, an MTA that supports MTA-STS policies is required; at the moment, no MTA supports MTA-STS out of the box.

MTA-STS relies on the list of trusted root CAs.

MTA-STS does not protect against an attack in which the attacker uses a valid certificate. In most cases, a MitM position close to the server implies the ability to obtain a certificate. Such an attack can be detected with Certificate Transparency. So, in general, MTA-STS reduces, but does not completely eliminate, the possibility of traffic interception.

The last two points make MTA-STS less secure than the competing DANE for SMTP standard (RFC 7672), but more reliable technically, i.e. with MTA-STS there is a lower chance that a message will go undelivered because of technical problems caused by the implementation of the standard.

The competing standard: DANE

DANE uses DNSSEC to publish certificate information and does not require trust in external certificate authorities, which is more secure. But the use of DNSSEC noticeably more often leads to technical failures, judging by statistics from many years of use (although there is a positive trend in DNSSEC reliability and in the quality of its technical support). To implement DANE for SMTP on the recipient side, DNSSEC for the DNS zone is mandatory, and correct NSEC/NSEC3 support is essential for DANE, which is exactly where DNSSEC has systemic problems.

If DNSSEC is configured incorrectly, it can cause mail delivery failures whenever the sending side supports DANE, even if the receiving side knows nothing about it. So although DANE is an older and more secure standard and is already supported by some server software on the sender side, its actual penetration remains negligible; many organizations are not ready to implement it because of the need to deploy DNSSEC, and this has greatly slowed DANE adoption over all the years the standard has existed.

DANE and MTA-STS do not conflict and can be used together.

What about MTA-STS support in Mail.ru Mail?

Mail.ru has been publishing an MTA-STS policy for all of its major domains for some time. We are now implementing the client part of the standard. At the time of writing, the policies are applied in non-blocking mode (if delivery is blocked by a policy, the message is delivered through a "spare" server without applying the policy); next, blocking mode will be enforced for a small part of the outgoing SMTP traffic, gradually reaching 100% of the traffic with policy enforcement.

Who else supports the standard?

So far, about 0.05% of active domains publish MTA-STS policies, but they nevertheless already protect a large volume of email traffic, because the standard is supported by the major players: Google, Comcast and part of Verizon (AOL, Yahoo). Many other mail services have announced that support for the standard will be implemented soon.

How will this affect me?

Not at all, unless your domain publishes an MTA-STS policy. If you publish a policy, the mail of your mail server's users will be better protected from interception.

How do I implement MTA-STS?

MTA-STS support on the recipient side

It is enough to publish the policy over HTTPS and the records in DNS, and to configure a valid certificate from one of the trusted CAs (Let's Encrypt is fine) for STARTTLS on the MTA (STARTTLS is supported by all modern MTAs); no special support from the MTA is required.

Step by step, it looks like this:

  1. Configure STARTTLS on the MTA you use (postfix, exim, sendmail, Microsoft Exchange, etc.).
  2. Make sure you use a valid certificate (issued by a trusted CA, not expired, with the certificate subject matching the MX record that receives mail for your domain).
  3. Configure a TLS-RPT record through which reports on policy application will be delivered (by services that support sending TLS reports). Example record (for the domain example.com):
    smtp._tls.example.com. 300 IN TXT "v=TLSRPTv1;rua=mailto:[email protected]"

    This record instructs mail senders to send statistical reports on the use of TLS in SMTP to [email protected].

    Monitor the reports for several days to make sure there are no errors.

  4. Publish the MTA-STS policy over HTTPS. The policy is published as a text file with CRLF line separators at the location:
    https://mta-sts.example.com/.well-known/mta-sts.txt
    

    Policy example:

    version: STSv1
    mode: enforce
    mx: mxs.mail.ru
    mx: emx.mail.ru
    mx: mx2.corp.mail.ru
    max_age: 86400
    

    The version field contains the policy version (currently STSv1); mode sets the policy application mode: testing is test mode (the policy is not enforced), enforce is "combat mode". Start by publishing the policy with mode: testing; if there are no problems with the policy in test mode, after a while you can switch to mode: enforce.

    mx lists all the mail servers that may accept mail for your domain (each server must have a configured certificate matching the name given in mx). max_age sets the policy caching time (once cached, the policy is applied even if an attacker blocks its delivery or spoofs the DNS records during the caching period; you can signal that the policy must be requested again by changing the _mta-sts DNS record).

  5. Publish the TXT record in DNS: 
    _mta-sts.example.com. TXT "v=STSv1; id=someid;"
    

    You can use an arbitrary identifier (for example, a timestamp) in the id field; it is stored in one place.
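Step 3 asks you to watch the TLS-RPT reports for several days before moving to mode: enforce. As an added example (not from the article), here is a summariser for one such aggregate report in the JSON format of RFC 8460: it gives the failure rate per policy, counts failures by MX host and result type, flags failing hosts that the policy does not list, and separates sts-* errors (a broken policy publication) from MX problems. The report is a constructed sample; the field names follow the RFC, the values are invented.

```python
# Added example (not from the article): summarise a TLS-RPT aggregate report
# (JSON per RFC 8460) as delivered to the rua= address from step 3.
import json
from collections import Counter

# Constructed sample report: field names follow RFC 8460, all values are invented.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Sender Mail Inc.",
    "date-range": {"start-datetime": "2020-03-03T00:00:00Z",
                   "end-datetime": "2020-03-03T23:59:59Z"},
    "contact-info": "tls-rpt@sender.example",
    "report-id": "2020-03-03T00:00:00Z_example.com",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com",
                   "policy-string": ["version: STSv1", "mode: testing",
                                     "mx: mx1.example.com", "max_age: 86400"],
                   "mx-host": ["mx1.example.com"]},
        "summary": {"total-successful-session-count": 5000,
                    "total-failure-session-count": 12},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mx1.example.com", "receiving-ip": "198.51.100.5",
             "failed-session-count": 10},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "192.0.2.11",
             "receiving-mx-hostname": "mx3.example.com", "receiving-ip": "198.51.100.6",
             "failed-session-count": 2}]}]})

def summarize_tlsrpt(report_json):
    """Per policy: failure rate, failures keyed by (MX host, result type), failing
    hosts the policy does not list, and the number of sts-* policy errors."""
    report = json.loads(report_json)
    out = {"reporter": report["organization-name"], "policies": []}
    for entry in report["policies"]:
        failures = Counter()
        for f in entry.get("failure-details", []):
            host = f.get("receiving-mx-hostname", "?")
            failures[(host, f["result-type"])] += f.get("failed-session-count", 1)
        s = entry["summary"]
        total = s["total-successful-session-count"] + s["total-failure-session-count"]
        out["policies"].append({
            "domain": entry["policy"]["policy-domain"],
            "type": entry["policy"]["policy-type"],
            "failure_rate": s["total-failure-session-count"] / total if total else 0.0,
            "failures": dict(failures),
            # a failing host the policy does not list means a stale policy or a missing mx line
            "unexpected_mx": sorted({h for h, _ in failures} - set(entry["policy"].get("mx-host", []))),
            # sts-policy-fetch-error / sts-policy-invalid / sts-webpki-invalid: the policy itself is broken
            "policy_errors": sum(n for (_, t), n in failures.items() if t.startswith("sts-")),
        })
    return out
```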

MTA-STS support on the sender side

So far, things are bad here, because the standard is new.

An aside about "mandatory TLS"

Recently, regulators have been paying attention to email security (and that is a good thing). For example, DMARC is mandatory for all government agencies in the United States and is increasingly required in the financial sector, with adoption of the standard reaching 90% in regulated areas. Now some regulators require the implementation of "mandatory TLS" with individual domains, but how "mandatory TLS" is to be ensured is not defined, and in practice this setting is often implemented in a way that does not protect even slightly against the real attacks that mechanisms such as DANE or MTA-STS already provide for.

If a regulator requires the implementation of "mandatory TLS" with certain domains, we recommend considering MTA-STS or an analogue of it as the most suitable mechanism; it removes the need to make secure settings for each domain separately. If you have difficulties implementing the client part of MTA-STS (until the protocol gets wide support, you probably will), we can recommend the following approach:

  1. Publish an MTA-STS policy and/or DANE records (DANE makes sense only if DNSSEC is already enabled for your domain, MTA-STS in any case); this will protect traffic in your direction and remove the need to ask other mail services to configure mandatory TLS for your domain, provided the mail service already supports MTA-STS and/or DANE.
  2. For the large mail services, use an "analogue" of MTA-STS through separate transport settings for each domain, which will pin the MX used for mail delivery and require mandatory verification of its TLS certificate. If the domains already publish an MTA-STS policy, this can most likely be done painlessly. By itself, enabling mandatory TLS for a domain without pinning the relay and verifying its certificate is ineffective from a security point of view and adds nothing to the existing STARTTLS mechanisms.

Source: www.habr.com
