Is Your Application Sending Email as Securely as Possible?

May 27, 2021

Many web applications use email for user verification, password resets, real-time notifications and much more. Security testers and threat modelers warn application designers to minimize this use, because SMTP by itself guarantees neither the confidentiality of a message in transit nor the authenticity of its sender. Business needs often override these warnings, and applications do send, and sometimes receive, sensitive data through email. How can application testers verify that this is being done in the most secure way possible? Most application testing tools and training are oriented toward the web front end; few tools exist to directly test the security of a back-end email server.

While SMTP dates from 1982 (RFC 821), Internet email has gained many enhancements since then. Starting with TLS for SMTP itself (the STARTTLS extension, first specified in RFC 2487 in 1999), a long series of add-on specifications has been put forward, each dealing with one aspect of email delivery. These include Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), MTA Strict Transport Security (MTA-STS), SMTP TLS Reporting (TLS-RPT) and several more. Together they let a domain's email servers mitigate specific threats: sender forgery, message tampering and downgrade of transport encryption among them. Most of these standards are familiar to commercial email vendors and IT professionals but may have escaped the notice of application testers and penetration testers.

This presentation will explain how these standards fit into the application security world and which threats to the application each one mitigates. It will show how application security testers can verify that these standards are configured and being used properly in a given application environment. Some free web-based tools and techniques will be demonstrated for testing several of them, along with more robust testing methods using Burp Collaborator and other tools.