Tagging emails sent in plain text with Thunderbird

No matter how much you want to secure your mail server, to actually communicate with your customers and partners you will have to face the ugly truth that enforcing STARTTLS might not be the best idea from a business perspective. Using opportunistic encryption, meaning to encrypt mail traffic whenever it suits both parties, unfortunately has the downside of leaving the server vulnerable to downgrade attacks. So wouldn't it be nice if we at least knew whenever someone sent us a mail over the wire in plain text instead of using the STARTTLS encryption that we already offer?

Turns out, in Thunderbird this is actually possible without much of a hassle and I assume that a similar solution is available to Outlook users as well. Since I'm not an Outlook user however, I will focus on how to implement a notice for plain text transmitted mails in Thunderbird.

First of all, let's take a look at the mail headers that provide us with the necessary information. Here we have two examples of incoming mails. The first one established a connection with our mail server over ESMTPS. The important part is the S at the end, which indicates a secure (TLS-protected) connection.

The second incoming mail is missing the trailing S, as it sent the mail via ESMTP, an unencrypted connection.

Using the Received header, we can use Thunderbird's mail filter tool to tag any mails that haven't been sent over ESMTPS. To do so, we need to create a custom tag that we can apply to plain text mails. Open the settings, browse to the Display section and select the Tags tab, or click on Tags -> Manage Tags if you have the mail toolbar enabled. Create a new tag and choose a name and color to your liking, for example PLAINTEXT TRANSFER and some red tone.

Next, open the Message Filters window via the menu button, or via Tools -> Message Filters if you have the menu bar enabled, and create a new filter. As shown in the screenshot, our filter should look for the header Received, check whether it contains SMTPS, and tag the mail if it does not.

Afterwards, hit the Run Now button to check all your old mails for unencrypted transfer.

This should mark all your mails that haven't been sent over SMTPS or better (e.g. ESMTPSA).


Turns out, while we do get mails via SMTP instead of SMTPS, the majority of mails are coming in over an encrypted line (No, they are not. See update below). And that's it, now you can see which mails are sent unencrypted and can notify the sender that they should do better.

Make no mistake, this does not prevent downgrade attacks, but at least now you have a chance of noticing one, for example when someone's mails suddenly get flagged even though they usually aren't.

Update: 15.12.2015

I initially made the wrong assumption that the "doesn't contain" filter would look for any occurrence in every header that bears the name Received. It does not. Turns out it just checks the last one, which left me with a gigantic number of false negatives and had me thinking that "the majority of mails are coming over an encrypted line".

Well, turns out that the following filter does exactly what I initially intended to do, only the other way around.

Checking if any Received header contains a certain keyword, in this case either SMTP or SMTPA (note the trailing whitespace), seems to work fine. At least that's what my random checks tell me. But then again, I haven't checked EVERY mail that's been flagged, only every other.
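To make the false negative concrete, here is an added Python example (not part of the original post) that parses every Received header of a constructed sample message and classifies each hop by its "with" clause; the host names, addresses and ids in the sample are made up. It contrasts a check that looks only at the header our own server added with the corrected check over all hops.

```python
import email
import re

# Constructed sample mail (not from the original post): the hop recorded by our own
# server (top Received header) used ESMTPS, but the earlier hop from the sender's
# relay was plain ESMTP. A filter that inspects only one header misses it.
SAMPLE_MAIL = b"""\
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mx.example.com (Postfix) with ESMTPS id ABC123
\tfor <alice@example.com>; Tue, 15 Dec 2015 10:00:00 +0100 (CET)
Received: from sender.example.net (sender.example.net [198.51.100.7])
\tby relay.example.org (Postfix) with ESMTP id DEF456
\tfor <alice@example.com>; Tue, 15 Dec 2015 09:59:58 +0100 (CET)
From: bob@example.net
To: alice@example.com
Subject: constructed sample

body
"""

# The "with" clause of a Received header names the transport: SMTP, ESMTP, SMTPA,
# ESMTPA (plain) or ESMTPS, ESMTPSA (TLS). Folded continuation lines are joined first.
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)

def hop_protocol(received_value: str) -> str:
    """Return the upper-cased 'with' token of one Received header, or 'UNKNOWN'."""
    match = WITH_RE.search(" ".join(received_value.split()))
    return match.group(1).upper() if match else "UNKNOWN"

def is_plaintext_hop(protocol: str) -> bool:
    """A hop counts as plaintext unless its token carries the S of SMTPS (UNKNOWN too)."""
    return "SMTPS" not in protocol

def hop_protocols(raw_mail: bytes) -> list[str]:
    """Protocols of all Received hops, outermost (our own server) first."""
    msg = email.message_from_bytes(raw_mail)
    return [hop_protocol(h) for h in msg.get_all("Received", [])]

def own_hop_plaintext(raw_mail: bytes) -> bool:
    """Mimics a filter that inspects only the header our own server added."""
    hops = hop_protocols(raw_mail)
    return bool(hops) and is_plaintext_hop(hops[0])

def any_hop_plaintext(raw_mail: bytes) -> bool:
    """The corrected check: tag the mail if ANY hop lacked TLS."""
    return any(is_plaintext_hop(p) for p in hop_protocols(raw_mail))
```

For the sample, `own_hop_plaintext` returns False while `any_hop_plaintext` returns True, which is exactly the false negative the single-header filter produced.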

I had to adjust the flag color though, as my inbox was primarily red after my adjustments to the mail filters. Now all flagged messages are marked with a tag in a slightly lighter grey than the default text color. Just enough to notice, but without getting in the way of work.