Make Mail.app work for you

Mark Nottingham (@mnot) posted a good idea to twitter:
 

Highlight e-mails that your MTA receives with TLS. Make sure to include your mail server’s name in the value (here to the left of what’s shown)
mailapprules

 
 
Mail.app has client support for mail routing rules. Out of the box all they’re configured to do is highlight mail from Apple, but Mark is adding a rule to passively keep an eye on how mail is being sent to you.
Mark is using it to see who is sending mail over opportunistic TLS – he’s looking for the “with ESMTPS” string that an MTA will add to a Received line when it receives mail sent over TLS. To check that your mailserver records it in the same way, find a recent email sent to you from gmail (who are encrypting everything) and look at the raw source of the mail with View [icon name=”long-arrow-right” class=””] Message [icon name=”long-arrow-right” class=””] Raw Source (or Alt-Command-U) and look for the Received line where your mailserver accepted the mail. The Received line you’re looking for will have “by your.mailserver.name” in it.
 
Mine looks like this:

  Received: from malur.postgresql.org (malur.postgresq
      by mx.wordtothewise.com (Postfix) with ESMTPS id
      for <steve@blighty.com>; Wed, 10 Sep 2014 21:56:

 
So I need to set up a rule that looks for a Received header that contains the string “by mx.wordtothewise.com (Postfix) with ESMTPS” and does something with it. You’ll need to do something slightly different, depending on how your mailserver generates Received headers.
If you go to Mail [icon name=”long-arrow-right” class=””] Preferences… [icon name=”long-arrow-right” class=””] Rules [icon name=”long-arrow-right” class=””] Add Rule you’ll get to this dialog for adding a new rule:
 
rules.png
 
 
This has two main sections – the upper lets you set a a list of conditions to check incoming mail against, the lower lets you tell Mail.app what actions to take for mails that match.
This is a fairly simple rule with one condition (there’s a received header that contains this string) and one action (highlight this mail in the inbox).
Set the condition as it’s shown above “Received” “contains” “by your.mailserver.name (Postfix) with ESMTPS“. (If there isn’t an option for “Received” in the first combobox you need to select “Edit Header List…” in that combobox to add it first). Then set the action as it’s shown above, to highlight mails that match the condition.
Click OK, and you should be highlighting new mails that match the rule as they arrive. You’ll be able to see who is sending mail via TLS, and who isn’t.
 
There are lots of other things you could use the same approach to check for. Check the Authentication-Results header for “dkim=pass” (and maybe highlight different key lengths in different colours). Check X-Spam-Status to look for particular SpamAssassin rules firing. Use the contents of the List-ID header to route mail sent to mailing lists to it’s own mailbox reliably. Have Mail.app beep and bounce it’s icon when you receive mail from your boss or your customer, so you can respond promptly even when you’re slacking off on a Friday afternoon …
 
 
 
 
 

Related Posts

Compromising a Mail Client

Your entire work life is in your work mail client.
All the people you communicate with – co-workers, friends, family, vendors, customers, colleagues.
Every email you send. Every email you receive. Any files you attach or receive.
If someone can compromise your mail client, they can see all that.
They can save copies of all your emails, data-mine them and use them for whatever purpose they like. They can build a view of your social network, based on who you exchange emails with, and a model of who you are, based on what you talk about.
That companies like Google do this for “free”, advertising supported webmail shouldn’t be much of a surprise by now – but your corporate email system and your work email is secure, right?
What if an attacker were to set up a man-in-the-middle attack on your employees? Install malware on their iPhone, such that all traffic were transparently routed through a proxy server controlled by the attacker?
Or they could use a more email-centric approach, configuring the compromised mail client to fetch mail from an IMAP server controlled by the attacker that took the employees credentials and passed them through to their real corporate IMAP server – that would let the attacker completely control what the compromised user saw in their inbox. As well as being able to read all mail sent to that user, they could silently filter mail, they could deliver new mail to the users inbox directly, bypassing any mail filters or security. They could even modify the contents of email on-the-fly – adding tracking links, redirection URLs or injecting entirely new content into the message.
Similarly, the attacker could route all outbound mail through a man-in-the-middle smarthost that copied the users credentials and used them to send mail on to their real corporate smarthost. As well as being able to read and modify all mail sent the attacker could also use that access to send mail that masqueraded as coming from the user.
Sounds like the sort of thing you’d expect from criminal malware? Not quite. What I’ve just described is Intro, a new product from LinkedIn.
LinkedIn will be asking your users to click on a link to install a “security profile” to their iPhones. If they do, then LinkedIn will have total control over the phone, and will use that to inject their SMTP and IMAP proxies into your users mailstreams. The potential for abuse by LinkedIn themselves is bad enough – I’ve no doubt that they’ll be injecting adverts for themselves into the mailstream, and their whole business is based on monetizing information they acquire about employees and their employers. But LinkedIn have also been compromised in the past, with attackers stealing millions of LinkedIn user credentials – if they can’t protect their own users credentials, I wouldn’t trust them with your employees credentials.
You might want to monitor where your employees are logging in to your servers from – and suspend any accounts that log in from LinkedIn network space.
Edit: Bishop Fox has looked at Intro too, and come to similar conclusions. TechCrunch too.

Read More

The rules of delivery success

Senders with delivery problems ask about “the rules.” “Just tell us what the rules are!” “If the ISPs would just tell us what to do we’d do it!” There is only one rule anyone needs to pay attention to for good mail delivery: Respect the recipient.
Not good enough for you? Want more specific rules? OK.
The two rules everyone must follow for good mail delivery.

Read More

Protect your email with TLS

You probably use TLS hundreds of times a day. If you don’t recognize the term, you might know it better by it’s older name, SSL.
TLS is what protects your data in transit whenever you go to Google, or Yahoo or even this blog. The little padlock in your browser address bar tells you that your browser has used the TLS protocol to do two things. First, it’s decided that the server you’re connecting to really is operated by Google, or Yahoo or us – you’re (probably) not having your session intercepted by someone in the middle between you and the webserver, either to read your traffic or modify it en-route. Second, it is encrypting all the traffic between you and the webserver, so that it can’t be passively monitored while in transit. Because of concerns about ubiquitous surveillance many websites – including ours – are moving to use TLS for everything, not just for protecting a login page or a credit card number.
That’s great for the web, but how does it apply to email? One place it’s used is for connections between your mail client and your local mailserver – sending mail to the smarthost via [rfc 4409]SUBMIT[/rfc] and fetching mail using [rfc 2595]IMAP or POP3[/rfc] almost always use TLS. That protects the privacy of your messages between you and your ISP and also protects the username and password you use to authenticate with.
Mail traveling between ISPs didn’t used to be encrypted “on the wire” , but about 15 years ago [rfc 3207]an extension to SMTP was proposed[/rfc] that would allow ISPs to negotiate during each session whether they should encrypt it or not. This extension, often referred to as STARTTLS after the command it uses, allows gradual rollout of encryption of mail traffic between ISPs without requiring any sort of flag day. A mailserver that supports STARTTLS will tell everyone who connects to it “Hey! I support STARTTLS!”. When a smarthost that also supports it connects to that mailserver it will go “Great! I support STARTTLS too! Lets do this!” and convert the plain text SMTP session into an encrypted session protected by TLS.
Fifteen years seems like a long period in Internet time, but non-intrusive protocol changes can take a long time to deploy. Facebook Engineering have done the work to see how that deployment is going with their survey of the current state of SMTP STARTTLS deployment. The results are really quite positive – over three quarters of the mailservers they sent mail to supported STARTTLS, covering nearly 60% of their users. That’s definitely enough to make supporting STARTTLS worthwhile.
More about TLS and encryption tomorrow.

Read More