No matter how much you want to secure your mail server, to be able to actually communicate with your customers and partners you will have to face the ugly truth that enforcing STARTTLS might not be the best idea from a business perspective. Using opportunistic encryption, meaning to encrypt mail traffic whenever it suits both parties, unfortunately has the downside of leaving the server vulnerable to downgrade attacks. So wouldn't it be nice if we would at least know whenever someone sent us a mail over the wire in plain text, instead of using the STARTTLS encryption that we already offer?
Turns out, in Thunderbird this is actually possible without much of a hassle, and I assume that a similar solution is available to Outlook users as well. Since I'm not an Outlook user, however, I will focus on how to implement a notice for mails transmitted in plain text in Thunderbird.
First of all, let's take a look at the mail headers that provide us with the necessary information. Here we have two examples of incoming mails. The first one established a connection with our mail server over ESMTPS. The important part is the S at the end, which indicates a secure connection. The second incoming mail is missing the trailing S, as it sent the mail via ESMTP, an unencrypted connection.
Using the Received header, we can use Thunderbird's mail filter tool to tag any mails that haven't been sent over ESMTPS. To do so, we need to create a custom tag that we can apply to plain text mails. Open the settings, browse to the Display section and select the Tags tab, or click on Tags -> Manage Tags if you have the mail toolbar enabled. Create a new tag and choose a name and color to your liking, for example PLAINTEXT TRANSFER and some red tone.
Next, open the Message Filters window via the menu button, or via Tools -> Message Filters if you have the menu bar enabled, and create a new filter.
As shown in the screenshot below, our filter should look for the header Received, check if it contains SMTPS and tag the mail if not. Afterwards, hit the Run now button to check all your old mails for unencrypted transfer. This should mark all your mails that haven't been sent over SMTPS or better (e.g. ESMTPSA).
Turns out, while we do get mails via SMTP instead of SMTPS, the majority of mails are coming in over an encrypted line (No, they are not. See update below). And that's it: now you can see which mails are sent unencrypted and can notify the sender that they should do better.
Make no mistake, this does not prevent downgrade attacks, but at least now you have a chance of noticing one, for example when someone's mails are suddenly getting flagged even though they usually are not.
Update: 15.12.2015
I initially made the wrong assumption that the "doesn't contain" filter would look for any occurrence in any header that bears the name Received. It does not. Turns out it just checks the last one, which leaves me with a gigantic amount of false negatives and had me thinking that "the majority of mails are coming over an encrypted line".
Well, turns out that the following filter does exactly what I initially intended to do, only the other way around.
Checking if any Received header "contains" a certain keyword, in this case either "SMTP " or "SMTPA " (note the trailing whitespace), seems to work fine. At least that's what my random checks tell me. But then again, I haven't checked EVERY mail that's been flagged, only every other.
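To make the corrected filter logic concrete, here is an added example (not code from the original post, and nothing to do with Thunderbird's own implementation) that does the same check outside the mail client: it walks over every Received header of a message, extracts the transport token after "with", and treats a token without the trailing S (SMTP, ESMTP, SMTPA, ESMTPA) as a plain text hop, exactly like the "contains SMTP " / "contains SMTPA " filter. It goes slightly beyond the post by reporting the transport of each hop separately and by classifying non-SMTP hops (webmail "with HTTP", "with local") as unknown rather than plain text. The two messages are constructed samples with documentation addresses; the header ids are made up.

```python
import email
import re

# The token after "with" in a Received header names the transport of that hop.
# A trailing S means TLS (ESMTPS, ESMTPSA, SMTPS, SMTPSA); a token without it
# (SMTP, ESMTP, SMTPA, ESMTPA) means that hop was transmitted in plain text.
PROTO_RE = re.compile(r"\bwith\s+(E?SMTPS?A?)(?=[\s;,(]|$)", re.IGNORECASE)
PLAINTEXT = {"SMTP", "ESMTP", "SMTPA", "ESMTPA"}


def hop_protocols(raw: bytes) -> list:
    """Return the transport token of every Received header, topmost first.

    Hops that do not use (E)SMTP at all (e.g. "with HTTP" from a webmail
    front end or "with local") are reported as UNKNOWN so they are not
    mistaken for a plain text SMTP transfer.
    """
    msg = email.message_from_bytes(raw)
    tokens = []
    for value in msg.get_all("Received", []):
        match = PROTO_RE.search(value)
        tokens.append(match.group(1).upper() if match else "UNKNOWN")
    return tokens


def plaintext_hops(raw: bytes) -> list:
    """Only the hops that went over the wire unencrypted."""
    return [token for token in hop_protocols(raw) if token in PLAINTEXT]


def should_tag(raw: bytes) -> bool:
    """Equivalent of the corrected Thunderbird filter: tag the mail if ANY
    Received header shows a plain text hop, not just the last one."""
    return bool(plaintext_hops(raw))


# Constructed sample: the topmost (most recent) hop used TLS, but the hop
# before it, from the sending client to its relay, was plain ESMTP. A filter
# that looks at a single Received header can miss this.
SAMPLE_MIXED = b"""Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.net (Postfix) with ESMTPS id 3F2A1
\tfor <alice@example.net>; Tue, 15 Dec 2015 10:00:01 +0100
Received: from client.example.org (client.example.org [198.51.100.5])
\tby mx.example.org (Postfix) with ESMTP id 9B7C0
\tfor <alice@example.net>; Tue, 15 Dec 2015 10:00:00 +0100
From: bob@example.org
To: alice@example.net
Subject: plain text on the first hop

hello
"""

# Constructed sample: every hop encrypted, the first one also authenticated.
SAMPLE_ENCRYPTED = b"""Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.net (Postfix) with ESMTPS id 7D4E2
\tfor <alice@example.net>; Tue, 15 Dec 2015 11:00:01 +0100
Received: from [10.0.0.7] (unknown [203.0.113.9])
\tby mx.example.org (Postfix) with ESMTPSA id 1A9F3
\tfor <alice@example.net>; Tue, 15 Dec 2015 11:00:00 +0100
From: bob@example.org
To: alice@example.net
Subject: encrypted all the way

hello
"""

if __name__ == "__main__":
    for name, raw in (("mixed", SAMPLE_MIXED), ("encrypted", SAMPLE_ENCRYPTED)):
        verdict = "PLAINTEXT TRANSFER" if should_tag(raw) else "ok"
        print(f"{name}: hops={hop_protocols(raw)} -> {verdict}")
```

Two caveats worth keeping in mind when relying on this heuristic: the Received headers below the one your own server added were written by other parties and can say anything, so only the topmost hop is something you can actually vouch for; and not every MTA uses the Postfix/Sendmail keywords, Microsoft Exchange for instance writes "with Microsoft SMTP Server (TLS)", which neither this regex nor the Thunderbird filter recognises, so such hops end up as unknown rather than as a verdict either way.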
I had to adjust the flag color though, as my inbox was primarily red after my adjustments to the mail filters. Now all flagged messages are marked with a tag in a slightly lighter grey than the default text color. Just enough to notice, but without getting in the way of work.