E-mail (S/MIME and PGP) and mail relay problems

Email (S/MIME and PGP)

 S/MIME (Secure/Multipurpose Internet Mail Extensions) and PGP (Pretty Good Privacy) are commonly used for email encryption and electronic signatures.

S/MIME is pronounced "ess-mime" and PGP is pronounced "pee-gee-pee".

Both provide encryption and signature functions, which are achieved by combining symmetric key cryptography, public key cryptography, and message digest functions.

How the public key is handled is critical for both encryption and signatures, because if the public key is forged, a third party can impersonate its owner.

S/MIME and PGP handle this public key differently.

S/MIME uses a certificate authority (CA) to certify the validity of the public key. However, using a commercial certificate authority (such as Verisign) costs money, of course.

There is also the option of running your own certificate authority that is not backed by a root certificate authority, but such a self-proclaimed certificate authority is not reliable.

Therefore, it is common to use a commercial certificate authority.

PGP, on the other hand, uses the concept of a "web of trust", where a third party vouches for another person's public key.

A simple way to explain the "web of trust" is the idea that "friends of friends are friends", as in the "Telephone Shocking" segment of Fuji TV's show "Waratte Iitomo!".

If the public key is signed by a third party whose identity has already been verified by some means, the key is judged to be "probably trustworthy".
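The friends-of-friends rule described above can be modelled as a search for a chain of signatures leading back to a key you verified yourself. This is an added example, not code from the original page or from any PGP implementation; the names, the `trust_chain` function and the `max_hops` limit are assumptions, and real PGP software uses a more elaborate trust calculation.

```python
from collections import deque

# Constructed sample data: key owner -> owners whose keys have signed (certified) it.
CERTIFIED_BY = {
    "bob": {"alice"},
    "carol": {"bob"},
    "dave": {"carol", "mallory"},
    "erin": {"mallory"},
    "mallory": {"erin"},  # mallory and erin only vouch for each other
}


def trust_chain(target, verified, certified_by, max_hops=2):
    """Return the shortest chain of signatures from a key in `verified` to
    `target`, or None if no chain of at most `max_hops` signatures exists."""
    if target in verified:
        return [target]
    queue = deque([[target]])
    seen = {target}  # also stops endless loops when keys sign each other
    while queue:
        chain = queue.popleft()  # chain[0] is the key whose signers we inspect
        if len(chain) > max_hops:
            continue  # one more signature would exceed the hop limit
        for signer in sorted(certified_by.get(chain[0], ())):
            if signer in seen:
                continue
            seen.add(signer)
            if signer in verified:
                return [signer] + chain
            queue.append([signer] + chain)
    return None


if __name__ == "__main__":
    me = {"alice"}  # the only key whose owner I checked in person
    for owner in ("bob", "carol", "dave", "erin"):
        print(owner, "->", trust_chain(owner, me, CERTIFIED_BY))
```

With the default limit of two signatures, `dave` is rejected even though a three-signature chain exists, and `erin` is rejected at any depth because no chain reaches a verified key.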

PGP also uses a fingerprint, which is a string of characters that is different for each public key, to verify that the public key is correct.
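To show why a fingerprint identifies one specific key, the following added example (not from the original page) computes a fingerprint the way RFC 4880 section 12.2 defines it for version 4 keys and compares a received key against the value its owner gave out. The version 4 RSA key format is an assumption, and the key numbers are constructed toy values, not real RSA keys.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_key_packet_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (algorithm ID 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over the octet 0x99, the 2-byte body length and the packet body.
    Only the key packet is hashed, not the name or e-mail address on the key."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def spaced(fpr: str) -> str:
    """Group the 40 hex digits in fours, the way fingerprints are usually printed."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


def matches(body: bytes, fingerprint_from_owner: str) -> bool:
    """Compare a received key with the fingerprint its owner read out to us."""
    return v4_fingerprint(body) == "".join(fingerprint_from_owner.split()).upper()


# Constructed sample values: toy 2048-bit numbers, not real RSA moduli.
CREATED = 1_700_000_000
N_GENUINE = (1 << 2047) | 0x10001F
N_FORGED = N_GENUINE + 2  # a look-alike key carrying different key material
GENUINE = rsa_key_packet_body(CREATED, N_GENUINE, 65537)
FORGED = rsa_key_packet_body(CREATED, N_FORGED, 65537)

if __name__ == "__main__":
    told_by_owner = spaced(v4_fingerprint(GENUINE))
    print("fingerprint from owner:", told_by_owner)
    print("genuine key matches:   ", matches(GENUINE, told_by_owner))
    print("forged key matches:    ", matches(FORGED, told_by_owner))
```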

As explained above, in S/MIME a legitimate certificate authority vouches for the validity of the public key with its signature, whereas in PGP the public key can only be trusted to some extent, on the basis of the circle-of-friends concept.

The table below summarizes the differences between S/MIME and PGP.

●Difference between PGP and S/MIME

| Name | Feature |
| --- | --- |
| PGP (Pretty Good Privacy) | A method based on the idea of a circle of friends called Web-of-trust. If it is signed with a private key of a third party whose identity has already been verified, it is trusted to some extent. There is also a method of verification using fingerprints, which are different character strings for each public key. |
| Secure/Multipurpose Internet Mail Extensions (S/MIME) | A legitimate certificate authority certifies the legitimacy of the public key. In-house certificate authorities lack credibility, so commercial certificate authorities are generally used. |

From the differences in the table above, PGP is easy to start using, but it is not well suited to communicating with an unspecified number of people; it is better suited to use with a limited number of partners. S/MIME is suited to communication with an unspecified number of people.

Major mailers such as Outlook do not support PGP as standard, but both freeware and commercial versions exist, and with the freeware version you can install PGP for free.

Mail relay problem

Email has a long history, dating back to the days of UUCP.

UUCP is a protocol for transferring files between UNIX terminals over a telephone line; it communicates by passing files along the telephone lines in bucket-brigade fashion.

Originally, e-mail was structured so that UUCP carried messages from one SMTP server in the network to the next in bucket-brigade fashion. By handing a message to the neighboring SMTP server, which handed it on to its own neighbor, and so on, the message eventually reached its destination.

As a mental picture, mail is passed between neighboring SMTP servers in this way.

A bucket brigade means that you have to allow anyone to relay mail through your server. In other words, e-mail is built on good-faith relaying and has no mechanism for user authentication.

In its early days the Internet was used mainly for research and academic purposes, so good-faith relaying worked. As the number of users with malicious intent has grown, good-faith relaying is no longer viable.

In the current era of TCP/IP, the MTA normally checks the MX record of the destination domain and speaks SMTP directly to the other party's MTA. Even so, some SMTP servers still deliver by bucket brigade, so some mail is still relayed this way.

The bucket-brigade method is often abused to relay spam e-mail. Spam is sent in the first place because it allows advertising at very little cost.

Whether it is telemarketing, faxing, or postal mailing, advertising costs money. By having spam relayed, however, a sender can reach many people without much effort and at almost no cost.

The situation keeps escalating, and some people point out that most of the traffic flowing on the Internet is now spam mail traffic. It is said to be 70% or 80% of traffic.

For this reason, several methods of imposing user restrictions on mail servers have been considered.

Email (restrict by IP address)

The simplest way to restrict unauthorized e-mail relaying is to decide by IP address which clients are refused relaying.

You can prevent unauthorized mail relaying by non-subscribers of your ISP by configuring the server to reject mail relay requests from any address other than the IP addresses held by your ISP.

Problem solved! Or so you might think, but there are disadvantages.

Today mobile environments are well established, and we often connect to the Internet through different ISPs when out of the office or on business trips.

If you change the ISP you connect through, your IP address changes, and once your IP address changes you can no longer use e-mail. This is not user-friendly. In this way, sender restriction by IP address has its limits.

In the first place, IP addresses alone cannot authenticate users.

Therefore, POP before SMTP and SMTP-AUTH have been devised as means of user authentication.
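The IP-address restriction described in this section, together with its weakness for roaming users, can be seen in a small relay policy check. This is an added example, not code from the original page or from any mail server; the `relay_decision` function, the address ranges (documentation ranges) and the domain names are constructed assumptions.

```python
import ipaddress

# Constructed sample values: documentation address ranges and an example domain.
ISP_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8:100::/48")]
LOCAL_DOMAINS = {"example.jp"}


def relay_decision(client_ip: str, rcpt_to: str) -> str:
    """Decide what to do with one RCPT TO: 'deliver', 'relay' or 'reject'."""
    _, at, domain = rcpt_to.strip().strip("<>").rpartition("@")
    domain = domain.rstrip(".").lower()
    if not at or not domain:
        return "reject"              # malformed recipient address
    if domain in LOCAL_DOMAINS:
        return "deliver"             # mail for our own users: accepted from anyone
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "reject"              # unparsable peer address: fail closed
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped      # ::ffff:192.0.2.25 is really an IPv4 client
    if any(addr in net for net in ISP_NETWORKS):
        return "relay"               # subscriber address: relay to any destination
    return "reject"                  # everyone else may not use us as a relay


# (client address, recipient, who this is) - constructed cases
CASES = [
    ("192.0.2.25", "friend@example.net", "subscriber at home"),
    ("::ffff:192.0.2.25", "friend@example.net", "same subscriber, dual-stack socket"),
    ("203.0.113.7", "user@example.jp", "outside server delivering inbound mail"),
    ("203.0.113.7", "someone@example.org", "outsider requesting third-party relay"),
    ("198.51.100.40", "friend@example.net", "same subscriber on a hotel network"),
]

if __name__ == "__main__":
    for ip, rcpt, who in CASES:
        print(f"{relay_decision(ip, rcpt):8} {ip:18} -> {rcpt:20} ({who})")
```

The last case is the limitation described above: the policy sees only the hotel's address, so the legitimate subscriber is rejected exactly like the outsider.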