{"id":12287,"date":"2022-07-27T11:00:30","date_gmt":"2022-07-27T09:00:30","guid":{"rendered":"https:\/\/blog.rwth-aachen.de\/itc\/?p=12287"},"modified":"2024-10-25T15:50:33","modified_gmt":"2024-10-25T13:50:33","slug":"e-mail-2","status":"publish","type":"post","link":"https:\/\/blog.rwth-aachen.de\/itc\/en\/2022\/07\/27\/e-mail-2\/","title":{"rendered":"Email Security \u2013 The SMTP Protocol and Its Problems (Sending and Receiving)"},"content":{"rendered":"<p><div id=\"attachment_12288\" style=\"width: 310px\" class=\"wp-caption alignright\"><a href=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Mailversand-scaled.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-12288\" class=\"wp-image-12288 size-medium\" src=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Mailversand-300x169.jpg\" alt=\" Technical graphic for receiving and sending e-mails\" width=\"300\" height=\"169\" srcset=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Mailversand-300x169.jpg 300w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Mailversand-1024x576.jpg 1024w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Mailversand-768x432.jpg 768w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Mailversand-1536x864.jpg 1536w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Mailversand-2048x1152.jpg 2048w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-12288\" class=\"wp-caption-text\">Source: <a href=\"https:\/\/www.freepik.com\/free-photo\/email-messages-network-circuit-board-link-connection-technology_1198384.htm#query=email&amp;position=4&amp;from_view=search\">Freepik<\/a><\/p><\/div><\/p>\n<p>In our <a href=\"https:\/\/blog.rwth-aachen.de\/itc\/en\/2022\/06\/15\/e-mail-1\/\" target=\"_blank\" rel=\"noopener\">first article<\/a> on the topic of e-mail security, we gave an insight into the 
historical development of email. We briefly explained how email exchange works and referred to the statistics of the email service at RWTH Aachen University.<\/p>\n<p>Today we&#8217;ll tell you about the transmission protocol &#8220;Simple Mail Transfer Protocol&#8221; (SMTP) and its pitfalls.<\/p>\n<p>&nbsp;<\/p>\n<h3><span style=\"color: #00549f;\">The SMTP Protocol<\/span><\/h3>\n<p>SMTP is a very old protocol. It identifies the sender and the recipient of an e-mail message via corresponding meta information. The meta information includes the addresses of the sender and recipient as well as the date and subject of the message.<\/p>\n<p>This meta information belongs to a mail and is contained in the so-called mail header. When sending an e-mail, the sending client also separately informs the outgoing mail server of the sender and the recipient. This information forms the mail envelope. The mail envelope is then used by all mail servers involved in the delivery of the e-mail. When the e-mail is delivered to the destination mailbox, this mail envelope is removed again. However, this is exactly where one of the problems lies.<\/p>\n<p>&nbsp;<\/p>\n<h3><span style=\"color: #00549f;\">Analysis and Main Problems of This Protocol From a Security Point of View<\/span><\/h3>\n<p>The SMTP protocol in its simplest version does not include any authentication or authorisation layer. This means that the sender specified by the client in the mail envelope is not checked by the server. Thus, it is theoretically possible for anyone to send e-mails with any other sender address. As one quickly realises, this mechanism opens the door to phishing and spam.<\/p>\n<p>A second problem is that there are three sender addresses in each email. One is the envelope sender address. As described above, this information is deleted when an email is received. 
However, it is mainly responsible for the actual delivery of an e-mail.<\/p>\n<p>Two other pieces of meta information that contain the sender are the &#8220;From-Path&#8221; and the &#8220;Return-Path&#8221; attributes. Normally, all three attributes have the same value. The &#8220;From-Path&#8221; attribute is displayed to the recipient of an e-mail by the e-mail programme as the sender address. The return-path attribute is used to send a bounce message to the sender in case the e-mail cannot be delivered. This information could look like the following in a mail header:<\/p>\n<div id=\"attachment_12290\" style=\"width: 660px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild1_blau.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-12290\" class=\"wp-image-12290 size-full\" src=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild1_blau.jpg\" alt=\"Mail header evaluation view\" width=\"650\" height=\"300\" srcset=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild1_blau.jpg 650w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild1_blau-300x138.jpg 300w\" sizes=\"auto, (max-width: 650px) 100vw, 650px\" \/><\/a><p id=\"caption-attachment-12290\" class=\"wp-caption-text\">Source: Own Illustration<\/p><\/div>\n<p>First of all, at the beginning of the mail header is the receive line of the mail server that processed this specific mail. As an example, we list a mail header that contains an e-mail from gmx.de to RWTH Aachen University. 
In this case, the mail header contains the following information:<\/p>\n<div id=\"attachment_12295\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild2_blau.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-12295\" class=\"wp-image-12295 size-large\" src=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild2_blau-1024x300.jpg\" alt=\"Mail Header of an E-Mail from gmx.de to RWTH Aachen University\" width=\"1024\" height=\"300\" srcset=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild2_blau-1024x300.jpg 1024w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild2_blau-300x88.jpg 300w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild2_blau-768x225.jpg 768w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild2_blau.jpg 1400w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><p id=\"caption-attachment-12295\" class=\"wp-caption-text\">Source: Own Illustration<\/p><\/div>\n<p>In addition to the sending and receiving mail system, a timestamp is also included so that, ideally, the runtime of an e-mail can be determined. This information is written to the mail header during the sending process.<\/p>\n<p>The information in the mail header can be used to check whether an e-mail may be sent from a mail server or whether it is probably a forged e-mail. This procedure is called SPF (Sender Policy Framework) and was published in 2014 via RFC 7208 [1]. Here, an entry is stored in the DNS server [2] for each email domain, which contains a list of email servers that are authorised to send emails for senders of this email domain, so that a receiving mail server can carry out a corresponding check with the help of this entry. RWTH Aachen University introduced this protocol extension a few years ago. 
Corresponding information about the evaluation can also be found in the mail header:<\/p>\n<div id=\"attachment_12296\" style=\"width: 860px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild3_blau.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-12296\" class=\"wp-image-12296 size-full\" src=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild3_blau.jpg\" alt=\"SPF Metadata E-Mail\" width=\"850\" height=\"230\" srcset=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild3_blau.jpg 850w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild3_blau-300x81.jpg 300w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/07\/Beitrag2_Bild3_blau-768x208.jpg 768w\" sizes=\"auto, (max-width: 850px) 100vw, 850px\" \/><\/a><p id=\"caption-attachment-12296\" class=\"wp-caption-text\">Source: Own Illustration<\/p><\/div>\n<p>&nbsp;<\/p>\n<p>In another blog post, we will explain what else the IT Center has currently implemented in order to manage a secure email exchange for you. Furthermore, in a concluding part we will discuss what we plan to do in the future in order to be prepared for future developments.<\/p>\n<hr \/>\n<p>Responsible for the content of this article are <a href=\"https:\/\/www.itc.rwth-aachen.de\/cms\/IT-Center\/IT-Center\/Team\/~epvp\/Mitarbeiter-CAMPUS-\/?gguid=0x37FE353D2993E54A8A3AFC15273BF041&amp;allou=1\" target=\"_blank\" rel=\"noopener\">Morgane Overath<\/a> and <a href=\"https:\/\/www.itc.rwth-aachen.de\/cms\/IT-Center\/IT-Center\/Team\/~epvp\/Mitarbeiter-CAMPUS-\/?gguid=0xF8B5DAF44FF39F4EBBA707A13059BE0F&amp;allou=1\" target=\"_blank\" rel=\"noopener\">Thomas P\u00e4tzold<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<p>[1] RFC: The Requests for Comments are a set of technical and organisational documents related to the Internet. 
They are numbered documents in which protocols, concepts, methods and programmes of the Internet are treated, described and defined. For example, they form the technical basis of Internet applications such as email.<\/p>\n<p>[2] DNS Server: DNS stands for &#8220;Domain Name System&#8221;. It is a hierarchical directory system which translates the computer name (Fully-Qualified Domain Name &#8211; FQDN) into the corresponding IP addresses. They function, so to speak, as the telephone book of the Internet.<\/p>","protected":false},"excerpt":{"rendered":"<p>Sorry, this entry is only available in Deutsch.<\/p>\n","protected":false},"author":3531,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"c2c_always_allow_admin_comments":false,"footnotes":""},"categories":[314,315],"tags":[485,50,951,81,61,952],"class_list":["post-12287","post","type-post","status-publish","format-standard","hentry","category-it-sicherheit","category-services-support","tag-dns","tag-e-mail","tag-e-mail-sicherheit","tag-it-security","tag-it-sicherheit","tag-umleitung"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/posts\/12287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/users\/3531"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/comments?post=12287"}],"version-history":[{"count":24,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/posts\/12287\/revisions"}],"predecessor-version":[{"id":20568,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/posts\/12287\/revisions\/20568"}],"wp:attachment":[{"href":"https:\/\/blog.rwth-aachen.de\/i
tc\/en\/wp-json\/wp\/v2\/media?parent=12287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/categories?post=12287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/tags?post=12287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}