more security details
This commit is contained in:
parent
4fa58169f1
commit
bb75bd7167
1 changed files with 52 additions and 17 deletions
69
security.md
|
@ -25,37 +25,72 @@ User Credentials
|
||||||
|
|
||||||
The box's administrator and its (non-administrative) mail users must sometimes communicate their credentials to the box.
|
The box's administrator and its (non-administrative) mail users must sometimes communicate their credentials to the box.
|
||||||
|
|
||||||
### Console access via SSH
|
### Services behind TLS
|
||||||
|
|
||||||
Console access (e.g. via SSH) is configured by the system image used to create the box, typically from by a cloud virtual machine provider (e.g. Digital Ocean). Mail-in-a-Box does not set any console access settings, although it will warn the administrator in the System Status Checks if password-based login is turned on.
|
These services are protected by [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security):
|
||||||
|
|
||||||
The [setup guide video](https://mailinabox.email/) explains how to verify the host key fingerprint on first login. If DNSSEC is enabled at the box's domain name's registrar, the SSHFP record that the box automatically puts into DNS can also be used to verify the host key fingerprint by setting `VerifyHostKeyDNS yes` in your `ssh/.config` file or by logging in with `ssh -o VerifyHostKeyDNS=yes`.
|
|
||||||
|
|
||||||
### Other services behind TLS
|
|
||||||
|
|
||||||
Other services are protected by TLS:
|
|
||||||
|
|
||||||
* SMTP Submission (port 587). Mail users submit outbound mail through SMTP with STARTTLS on port 587.
|
* SMTP Submission (port 587). Mail users submit outbound mail through SMTP with STARTTLS on port 587.
|
||||||
* IMAP/POP (ports 993, 995). Mail users check for incoming mail through IMAP or POP over TLS.
|
* IMAP/POP (ports 993, 995). Mail users check for incoming mail through IMAP or POP over TLS.
|
||||||
* HTTPS (port 443). Webmail, the Echange/ActiveSync protocol, the administrative control panel, and any static hosted websites are accessed over HTTPS.
|
* HTTPS (port 443). Webmail, the Echange/ActiveSync protocol, the administrative control panel, and any static hosted websites are accessed over HTTPS.
|
||||||
|
|
||||||
These services all follow these rules:
|
The services all follow these rules:
|
||||||
|
|
||||||
* All of the services only offer TLSv1, TLSv1.1 and TLSv1.2 (the older SSL protocols are not offered).
|
* SSL certificates are generated with 2048-bit RSA keys and SHA-256 fingerprints.
|
||||||
* No services offer export-grade ciphers, the anonymous DH/ECDH algorithms (aNULL), or clear-text ciphers (eNULL).
|
* Only TLSv1, TLSv1.1 and TLSv1.2 are offered (the older SSL protocols are not offered).
|
||||||
* The minimum cipher key length offered is 112 bits. Diffie-Hellman ciphers use a 2048-bit key.
|
* Export-grade ciphers, the anonymous DH/ECDH algorithms (aNULL), and clear-text ciphers (eNULL) are not offered.
|
||||||
* The box provides a self-signed certificate by default. The [setup guide](https://mailinabox.email/guide.html) explains how to verify the certificate fingerprint on first login. Users are encouraged to replace the certificate with a proper CA-signed one, and when using the CSR provided by the box the certificates will use a SHA-2 hash.
|
* The minimum cipher key length offered is 112 bits. The maximum is 256 bits. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy.
|
||||||
|
* The box provides a self-signed certificate by default. The [setup guide](https://mailinabox.email/guide.html) explains how to verify the certificate fingerprint on first login. Users are encouraged to replace the certificate with a proper CA-signed one.
|
||||||
|
|
||||||
Additionally:
|
Additionally:
|
||||||
|
|
||||||
* SMTP Submission (port 587) will not accept user credentials without STARTTLS. The minimum cipher key length is 128 bits.
|
* SMTP Submission (port 587) will not accept user credentials without STARTTLS (true also of SMTP on port 25 in case of client misconfiguration), and the submission port won't accept mail without encryption. The minimum cipher key length is 128 bits. (The box is of course configured not to be an open relay. User credentials are required to send outbound mail.)
|
||||||
* HTTPS (port 443): The HTTPS Strict Transport Security header is set. A redirect from HTTP to HTTPS is offered. The [Qualys SSL Labs test](https://www.ssllabs.com/ssltest) should report an A+ grade.
|
* HTTPS (port 443): The HTTPS Strict Transport Security header is set. A redirect from HTTP to HTTPS is offered. The [Qualys SSL Labs test](https://www.ssllabs.com/ssltest) should report an A+ grade.
|
||||||
|
|
||||||
For more details, see the [output of SSLyze stored in github](tests/tls_results.txt).
|
For more details, see the [output of SSLyze for these ports](tests/tls_results.txt).
|
||||||
|
|
||||||
Supported clients:
|
|
||||||
|
|
||||||
The cipher and protocol selection are chosen to support the following clients:
|
The cipher and protocol selection are chosen to support the following clients:
|
||||||
|
|
||||||
* For HTTPS: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7.
|
* For HTTPS: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7.
|
||||||
* For other protocols: TBD.
|
* For other protocols: TBD.
|
||||||
|
|
||||||
|
### Password Storage
|
||||||
|
|
||||||
|
The passwords for mail users are stored on disk using the [SHA512-CRYPT](http://man7.org/linux/man-pages/man3/crypt.3.html) hashing scheme.
|
||||||
|
|
||||||
|
### Console access
|
||||||
|
|
||||||
|
Console access (e.g. via SSH) is configured by the system image used to create the box, typically from by a cloud virtual machine provider (e.g. Digital Ocean). Mail-in-a-Box does not set any console access settings, although it will warn the administrator in the System Status Checks if password-based login is turned on.
|
||||||
|
|
||||||
|
The [setup guide video](https://mailinabox.email/) explains how to verify the host key fingerprint on first login.
|
||||||
|
|
||||||
|
If DNSSEC is enabled at the box's domain name's registrar, the SSHFP record that the box automatically puts into DNS can also be used to verify the host key fingerprint by setting `VerifyHostKeyDNS yes` in your `ssh/.config` file or by logging in with `ssh -o VerifyHostKeyDNS=yes`.
|
||||||
|
|
||||||
|
Outbound Mail
|
||||||
|
-------------
|
||||||
|
|
||||||
|
### Domain Policy Records
|
||||||
|
|
||||||
|
Domain policy records allow recipient MTAs to detect when the _domain_ part of incoming mail has been spoofed. All outbound mail is signed with [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) and "quarantine" [DMARC](https://en.wikipedia.org/wiki/DMARC) records are automatically set in DNS. Receiving MTAs that implement DMARC will automatically quarantine mail that is "From:" a domain hosted by the box but which was not sent by the box. (Strong [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) records are also automatically set in DNS.)
|
||||||
|
|
||||||
|
### Encryption
|
||||||
|
|
||||||
|
The basic protocols of email delivery did not plan for the need for encryption. For a number of reasons it is not possible in most cases to guarantee that a connection to a recipient server is secure. However, the box --- along with the vast majority of mail servers --- uses [opportunistic encryption](https://en.wikipedia.org/wiki/Opportunistic_encryption), meaning the mail is encrypted in transit and protected from passive eavesdropping, but it is not protected from an active man-in-the-middle attack. Modern encryption settings will be used to the extent the recipient server supports them.
|
||||||
|
|
||||||
|
### DANE
|
||||||
|
|
||||||
|
The box is [DNSSEC](https://en.wikipedia.org/wiki/DNSSEC)-aware (via a locally running DNSSEC-aware nameserver). When sending outbound mail, if the recipient's domain name supports DNSSEC and has published a [DANE TLSA](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) record, which contains a certificate fingerprint, the receiving MTA (server) must support TLS and its certificate must match the fingerprint. In other words, when a DANE TLSA record is published by the recipient, then on-the-wire encryption is forced between the box and the recipient MTA.
|
||||||
|
|
||||||
|
Incoming Mail
|
||||||
|
-------------
|
||||||
|
|
||||||
|
### Encryption
|
||||||
|
|
||||||
|
As discussed above, there is no way to require on-the-wire encrpytion of mail. When the box receives an incoming email (SMTP on port 25), it offers encrpytion (STARTTLS) but cannot require that senders use it because some senders may not support STARTTLS at all and other senders may support STARTTLS but not with the latest protocols/ciphers. To give senders the best chance at making use of encryption, the box offers protocols back to SSLv3 and ciphers with key lengths as low as 112 bits. Modern clients (senders) will make use of the 256-bit ciphers and Diffie-Hellman ciphers with a 2048-bit key for forward secrecy, however.
|
||||||
|
|
||||||
|
### DANE
|
||||||
|
|
||||||
|
When DNSSEC is enabled at the box's domain name's registrar, [DANE TLSA](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records are automatically published in DNS. Senders supporting DANE will enforce encryption on-the-wire between them and the box --- see the section on DANE for outgoing mail above.
|
||||||
|
|
||||||
|
### Filters
|
||||||
|
|
||||||
|
Incoming mail is run through several filters. Email is bounced if the sender's IP address is listed in the [Spamhaus Zen blacklist](http://www.spamhaus.org/zen/) or if the sender's domain is listed in the [Spamhaus Domain Block List](http://www.spamhaus.org/dbl/). Greylisting (with [postgrey](http://postgrey.schweikert.ch/)) is also used to cut down on spam.
|
||||||
|
|
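Review bot: the SSH host-key paragraph (present in both the old and new text of this hunk) points users at the wrong file: `ssh/.config` is not where the OpenSSH client reads per-user settings; the per-user client configuration file is `~/.ssh/config`, so the sentence should read "by setting `VerifyHostKeyDNS yes` in your `~/.ssh/config` file". Three wording fixes in the same hunk: "typically from by a cloud virtual machine provider" should drop "from", "Echange/ActiveSync" should be "Exchange/ActiveSync", and "HTTPS Strict Transport Security header" should be "HTTP Strict Transport Security header" (the header is HSTS regardless of the port it is served on). One clarity point: the new "Services behind TLS" rules say only TLSv1, TLSv1.1 and TLSv1.2 are offered with a 112-bit minimum, while the "Additionally" bullet raises port 587 to 128 bits and the Incoming Mail section says port 25 offers protocols back to SSLv3; this is not a contradiction, because port 25 is not in the list of TLS services, but a sentence stating explicitly that the SSLv3 fallback applies to inbound port 25 only, and why that weaker setting is tolerated there, would stop readers from assuming SSLv3 is reachable on 587, 993, 995 or 443.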