Mail.ru Mail starts applying MTA-STS policies in test mode


In short, MTA-STS is a technology that gives emails additional protection against interception (that is, man-in-the-middle attacks, aka MitM) while they are transferred between mail servers. It partially solves the legacy problems of the email protocols and is described in the relatively recent RFC 8461. Mail.ru is the first large mail service on RuNet to implement this standard. Details under the cut.

What problem does MTA-STS solve?

Historically, the email protocols (SMTP, POP3, IMAP) transmitted information in clear text, which made it possible to intercept it, for example by gaining access to the communication channel.

This is what the path of a message from one user to another looks like:

[Figure: the path of a message from one user to another via the mail servers]

Historically, a MitM attack was possible at every point where mail is transmitted.

RFC 8314 requires the use of TLS between the mail user agent (MUA) and the mail server. If your server and the mail applications you use comply with RFC 8314, then you have (largely) eliminated the possibility of a Man-in-the-Middle attack between the user and the mail servers.

Following generally accepted practice (codified in RFC 8314) eliminates the attack on the user's side:

[Figure: the same path with the attack on the user's side eliminated]

Mail.ru's mail servers complied with RFC 8314 even before the standard was adopted; in fact, it simply captured practice that was already established, and we did not have to configure anything extra. But if your mail server still allows users to use insecure protocols, be sure to implement the recommendations of this standard, because most likely at least some of your users work with mail without encryption even though you support it.

A mail client always works with the same mail server of the same organization. You can force all users to connect securely and then make it technically impossible for insecure clients to connect (this is exactly what RFC 8314 requires). This is sometimes difficult, but doable. Traffic between mail servers is still harder. The servers belong to different organizations and are often run in "set and forget" mode, which makes it difficult to switch to a secure protocol all at once without breaking connectivity. SMTP has long provided the STARTTLS extension, which allows servers that support encryption to switch to TLS. But an attacker who is able to influence traffic can "cut out" the information about support for this command and force the servers to communicate over the plaintext protocol (the so-called downgrade attack). For the same reason, STARTTLS usually does not check certificate validity (an untrusted certificate still protects against passive attacks, and this is no worse than sending the message in clear text). So STARTTLS protects only against passive eavesdropping.

MTA-STS partially eliminates the problem of message interception between mail servers in cases where the attacker is able to influence traffic. If the recipient domain publishes an MTA-STS policy and the sender's server supports MTA-STS, it will send mail only over a TLS connection, only to the servers specified in the policy, and only with verification of the server certificate.

Why partially? MTA-STS works only if both sides have taken care to implement the standard, and MTA-STS does not protect against scenarios in which the attacker is able to obtain a valid certificate for the domain from one of the public CAs.

How MTA-STS works

Recipient

  1. Configures STARTTLS support with a valid certificate on the mail server.
  2. Publishes an MTA-STS policy over HTTPS; a dedicated mta-sts subdomain and a fixed well-known path are used for publication, e.g. https://mta-sts.mail.ru/.well-known/mta-sts.txt. The policy contains the list of mail servers (mx) that are entitled to receive mail for this domain.
  3. Publishes a special _mta-sts TXT record in DNS containing the policy version. When the policy changes, this record must be updated (this signals the sender to request the policy again). For example: _mta-sts.mail.ru. TXT "v=STSv1; id=20200303T120000;"

Sender

The sender requests the _mta-sts DNS record and, if it is present, requests the policy over HTTPS (verifying the certificate). The resulting policy is cached (in case an attacker blocks access to it or spoofs the DNS record).

When sending mail, the following is checked:

  • the server that mail is delivered to is listed in the policy;
  • the server accepts mail over TLS (STARTTLS) and has a valid certificate.
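The sender-side checks listed above, written out in Python as an added example that is not code from the original article or from Mail.ru's implementation: parse the _mta-sts TXT record, parse the fetched policy, apply the RFC 8461 mx matching rule, and decide delivery according to the policy mode. The TXT record and policy body are constructed sample values (example.net names are placeholders), and the DNS lookup and HTTPS fetch are replaced by those constants so the logic runs offline. It goes slightly beyond the text by also handling wildcard mx entries (`*.corp.example.net`) and the `none` mode.

```python
"""Sender-side MTA-STS evaluation (RFC 8461), as an added example.

The DNS TXT lookup and the HTTPS policy fetch are replaced by constructed
strings so the logic runs offline; a real MTA would obtain them from a
resolver and from https://mta-sts.<domain>/.well-known/mta-sts.txt over a
certificate-verified connection.
"""

# Constructed stand-in for the _mta-sts.<domain> TXT record.
SAMPLE_TXT_RECORD = "v=STSv1; id=20200303T120000;"

# Constructed stand-in for the policy file body (CRLF line endings as published).
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mxs.example.net\r\n"
    "mx: *.corp.example.net\r\n"
    "max_age: 86400\r\n"
)


def parse_sts_txt(record):
    """Return the policy id from a _mta-sts TXT record, or None if it is not an STSv1 record."""
    fields = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text):
    """Parse the 'key: value' policy body into a dict; every 'mx' line is collected into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    # Minimal validation of the fields a sender relies on.
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("testing", "enforce", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy.get("max_age", "0"))
    if not policy["mx"] and policy["mode"] != "none":
        raise ValueError("policy lists no mx hosts")
    return policy


def mx_matches(hostname, pattern):
    """RFC 8461 mx matching: exact name, or '*.suffix' matching exactly one leftmost label."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".corp.example.net"
        if not hostname.endswith(suffix):
            return False
        prefix = hostname[: -len(suffix)]
        return prefix != "" and "." not in prefix
    return hostname == pattern


def evaluate_delivery(policy, mx_host, starttls_ok, cert_valid_for_mx):
    """Decide whether delivery to mx_host may proceed under the policy.

    Returns (allowed, reason). In 'enforce' mode any failed check refuses
    delivery; in 'testing' mode the failure is only reported (it would go
    into a TLS-RPT report) and delivery proceeds.
    """
    failures = []
    if not any(mx_matches(mx_host, p) for p in policy["mx"]):
        failures.append("mx host not listed in policy")
    if not starttls_ok:
        failures.append("STARTTLS not negotiated")
    elif not cert_valid_for_mx:
        failures.append("certificate does not validate for mx host")
    if not failures:
        return True, "ok"
    reason = "; ".join(failures)
    if policy["mode"] == "enforce":
        return False, reason
    return True, "testing mode, would have failed: " + reason


if __name__ == "__main__":
    policy_id = parse_sts_txt(SAMPLE_TXT_RECORD)
    policy = parse_policy(SAMPLE_POLICY)
    print("policy id:", policy_id, "mode:", policy["mode"])
    for host in ("mxs.example.net", "mx2.corp.example.net", "unlisted.example.org"):
        print(host, evaluate_delivery(policy, host, True, True))
```

The `starttls_ok` and `cert_valid_for_mx` flags stand for the outcome of the actual SMTP session and the certificate chain check against the mx host name; the point of the example is that an unlisted host, a failed STARTTLS or an invalid certificate each refuse delivery only once the policy is in `enforce` mode.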

Advantages of MTA-STS

MTA-STS uses technologies that are already deployed in most organizations (SMTP+STARTTLS, HTTPS, DNS). No special software support is required to implement it on the recipient side.

Disadvantages of MTA-STS

You have to monitor the validity of the web server and mail server certificates, the consistency of names, and timely renewal. Problems with the certificate will cause mail to become undeliverable.

On the sender side, an MTA that supports MTA-STS policies is required; at the moment, MTA-STS is not supported by MTAs out of the box.

MTA-STS relies on the list of trusted root CAs.

MTA-STS does not protect against attacks in which the attacker uses a valid certificate. In most cases, a MitM position near the server implies the ability to have a certificate issued. Such an attack can be detected using Certificate Transparency. So, in general, MTA-STS reduces but does not completely eliminate the possibility of traffic interception.

The last two points make MTA-STS less secure than the competing DANE standard for SMTP (RFC 7672), but more reliable technically, i.e. with MTA-STS there is a lower probability that a message will not be delivered because of technical problems caused by implementing the standard.

The competing standard: DANE

DANE uses DNSSEC to publish certificate information and does not require trusting external certificate authorities, which is much more secure. But the use of DNSSEC leads to technical failures quite often, going by the statistics of several years of use (although overall there is a positive trend in DNSSEC reliability and in the quality of its technical support). To implement DANE for SMTP on the recipient side, DNSSEC for the DNS zone is mandatory, and correct NSEC/NSEC3 support, which has systemic problems in DNSSEC, is essential for DANE.

If DNSSEC is configured incorrectly, it can lead to mail delivery failures when the sending side supports DANE, even if the receiving side knows nothing about it. So, even though DANE is an older and more secure standard and is already supported by some server software on the sender side, in practice its penetration remains insignificant; many organizations are not ready to implement it because of the need to deploy DNSSEC, and this has significantly slowed DANE adoption in all the years the standard has existed.

DANE and MTA-STS do not conflict and can be used together.

What about MTA-STS support in Mail.ru Mail?

Mail.ru has been publishing an MTA-STS policy for all of its main domains for a long time. We are now implementing the client part of the standard. At the time of writing, policies are applied in non-blocking mode (if delivery is blocked by a policy, the message is delivered through a "backup" server without applying the policies); after that, blocking mode will be enabled on a small share of outgoing SMTP traffic, gradually rising to 100% of traffic with policy enforcement.

Who else supports the standard?

So far, MTA-STS policies are published by about 0.05% of active domains, but they nevertheless already protect a large volume of mail traffic, because the standard is supported by major players: Google, Comcast and partly Verizon (AOL, Yahoo). Many other mail services have announced that support for the standard will be implemented soon.

How will this affect me?

Not at all, unless your domain publishes an MTA-STS policy. If you publish a policy, the emails of your mail server's users will be better protected against interception.

How do I implement MTA-STS?

MTA-STS support on the recipient side

It is enough to publish the policy over HTTPS and the records in DNS, and to configure a valid certificate from one of the trusted CAs (Let's Encrypt will do) for STARTTLS in the MTA (STARTTLS is supported by all modern MTAs); no special support from the MTA is needed.

Step by step, it looks like this:

  1. Configure STARTTLS in the MTA you use (postfix, exim, sendmail, Microsoft Exchange, etc.).
  2. Make sure you use a valid certificate (issued by a trusted CA, not expired, with a certificate subject that matches the MX record delivering mail to your domain).
  3. Configure a TLS-RPT record to which policy application reports will be delivered (by services that support sending TLS reports). Example record (for the domain example.com):
    smtp._tls.example.com. 300 IN TXT "v=TLSRPTv1;rua=mailto:[email protected]"

    This record instructs mail senders to send statistical reports on TLS usage in SMTP to [email protected].

    Watch the reports for a few days to make sure there are no errors.

  4. Publish the MTA-STS policy over HTTPS. The policy is published as a text file with CRLF line breaks at the location:
    https://mta-sts.example.com/.well-known/mta-sts.txt

    Example policy:

    version: STSv1
    mode: enforce
    mx: mxs.mail.ru
    mx: emx.mail.ru
    mx: mx2.corp.mail.ru
    max_age: 86400

    The version field holds the policy version (currently STSv1). mode sets the policy application mode: testing (test mode, the policy is not enforced) or enforce ("combat" mode). Start by publishing the policy with mode: testing; if there are no problems with the policy in test mode, after a while you can switch to mode: enforce.

    mx lists all the mail servers that may receive mail for your domain (each server must have a certificate configured that matches the name given in mx). max_age specifies the policy caching time (the cached policy will be applied even if an attacker blocks its delivery or corrupts DNS records during the caching period; you can signal the need to request the policy again by changing the _mta-sts DNS record).

  5. Publish the TXT record in DNS:
    _mta-sts.example.com. TXT "v=STSv1; id=someid;"

    An arbitrary identifier (for example, a timestamp) can be used in the id field; it must change when the policy changes, which lets senders know that they need to request the cached policy again (if the identifier differs from the cached one).
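The caching behaviour that steps 4 (max_age) and 5 (the id field) rely on, and that the sender section earlier in the article describes, modelled in Python as an added example that is not part of the original article. Policies are handled as already-parsed dicts ('mode', 'mx', 'max_age'); the resolver and the HTTPS fetch are injected as callables, so the constructed scenario runs offline and shows when a sender refetches, when it keeps using the cached policy, and when the cache is dropped. PolicyCache, CachedPolicy and run_scenario are hypothetical names.

```python
"""Cache and refresh rules for a fetched MTA-STS policy (RFC 8461), as an added example.

Policies are plain dicts ('mode', 'mx', 'max_age'); lookup_txt_id and
fetch_policy stand in for the DNS resolver and the certificate-verified
HTTPS fetch so the constructed scenario below runs offline.
"""
from dataclasses import dataclass


@dataclass
class CachedPolicy:
    policy_id: str      # id from the _mta-sts TXT record at fetch time
    policy: dict        # parsed policy body
    fetched_at: int     # seconds on a monotonic clock

    def expired(self, now):
        """A policy may be used for max_age seconds after it was fetched."""
        return now >= self.fetched_at + self.policy["max_age"]


class PolicyCache:
    """Per-domain policy cache following the sender rules described in the article.

    lookup_txt_id(domain) -> id string, or None when the record is absent or the lookup is blocked
    fetch_policy(domain)  -> parsed policy dict, or None when the HTTPS fetch fails or is blocked
    """

    def __init__(self, lookup_txt_id, fetch_policy):
        self._lookup = lookup_txt_id
        self._fetch = fetch_policy
        self._cache = {}

    def get(self, domain, now):
        """Return the policy in effect for domain, or None if there is none."""
        cached = self._cache.get(domain)
        if cached is not None and cached.expired(now):
            del self._cache[domain]        # past max_age: no longer trusted
            cached = None
        dns_id = self._lookup(domain)
        if dns_id is None:
            # Record missing or DNS blocked: keep an unexpired cached policy, else nothing.
            return cached.policy if cached else None
        if cached is not None and dns_id == cached.policy_id:
            return cached.policy           # id unchanged: no HTTPS fetch needed
        fresh = self._fetch(domain)
        if fresh is None:
            # Fetch failed or blocked: the cached policy stays in force until it expires.
            return cached.policy if cached else None
        self._cache[domain] = CachedPolicy(dns_id, fresh, now)
        return fresh


def run_scenario():
    """Constructed scenario: an id change forces a refetch, blocked DNS/HTTPS keep the cache, expiry drops it."""
    policy_v1 = {"mode": "testing", "mx": ["mxs.example.net"], "max_age": 3600}
    policy_v2 = {"mode": "enforce", "mx": ["mxs.example.net"], "max_age": 3600}
    state = {"dns_id": "20200303T120000", "dns_up": True, "https_up": True,
             "policy": policy_v1, "fetches": 0}

    def lookup(domain):
        return state["dns_id"] if state["dns_up"] else None

    def fetch(domain):
        if not state["https_up"]:
            return None
        state["fetches"] += 1
        return state["policy"]

    cache = PolicyCache(lookup, fetch)
    events = []

    def record(label, now):
        p = cache.get("example.net", now)
        events.append((label, p["mode"] if p else None, state["fetches"]))

    record("initial fetch", 0)                      # testing, 1 fetch
    record("id unchanged", 600)                     # testing, still 1 fetch
    state.update(dns_id="20200310T090000", policy=policy_v2, https_up=False)
    record("id changed, https blocked", 700)        # old policy kept, still 1 fetch
    state["https_up"] = True
    record("id changed, refetched", 800)            # enforce, 2 fetches
    state["dns_up"] = False
    record("dns blocked", 900)                      # enforce from cache, 2 fetches
    record("expired, dns blocked", 800 + 3600)      # None, 2 fetches
    return events


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
```

The scenario is why the article recommends a reasonably long max_age together with an id that changes on every policy edit: while the cached policy is unexpired, neither a blocked HTTPS fetch nor a missing DNS record makes the sender fall back to unprotected delivery, and a changed id is what triggers the refetch of the new policy.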

MTA-STS support on the sender side

So far things are poor here, because the standard is new.

A final word about "mandatory TLS"

Recently, regulators have been paying attention to email security (and that is a good thing). For example, DMARC is mandatory for all government institutions in the United States and is increasingly required in the financial sector, with the standard's adoption reaching 90% in regulated areas. Now some regulators require "mandatory TLS" to be implemented with individual domains, but the mechanism for ensuring "mandatory TLS" is not defined, and in practice this setting is often implemented in a way that does not protect at all against the real attacks that are already covered by standards such as DANE or MTA-STS.

If a regulator requires "mandatory TLS" with individual domains, we recommend considering MTA-STS, or a partial analogue of it, as the most suitable mechanism, since it removes the need to make secure settings for each domain separately. If you have difficulties implementing the client part of MTA-STS (until the protocol gains wide support, you most likely will), we can recommend this approach:

  1. Publish an MTA-STS policy and/or DANE records (DANE makes sense only if DNSSEC is already enabled for your domain, MTA-STS in any case); this protects traffic directed to you and removes the need to ask other mail services to configure mandatory TLS for your domain, provided that the mail service already supports MTA-STS and/or DANE.
  2. For large mail services, use an "analogue" of MTA-STS with separate transport settings for each domain, which pin the MX used for relaying mail and require mandatory verification of its TLS certificate. If the domains already publish an MTA-STS policy, this can probably be done painlessly. By itself, enabling mandatory TLS for a domain without pinning the relay and verifying its certificate does nothing from a security point of view and adds nothing to the existing STARTTLS mechanisms.

Source: www.habr.com
