Special Publication 800-45Version 2Guidelines on Electronic MailSecurityRecommendations of the National Institute ofStandards and TechnologyMiles TracyWayne JansenKaren ScarfoneJason Butterfield

NIST Special Publication 800-45Version 2Guidelines on Electronic Mail SecurityRecommendations of the NationalInstitute of Standards and TechnologyMiles Tracy, Wayne Jansen, KarenScarfone, and Jason ButterfieldC O M P U T E RS E C U R I T YComputer Security DivisionInformation Technology LaboratoryNational Institute of Standards and TechnologyGaithersburg, MD 20899-8930February 2007U .S. Department of CommerceCarlos M. Gutierrez, SecretaryTechnology AdministrationRobert C. Cresanti, Under Secretary of Commerce forTechnologyNational Institute of Standards and TechnologyWilliam Jeffrey, Director

Reports on Computer Systems TechnologyThe Information Technology Laboratory (ITL) at the National Institute of Standards and Technology(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’smeasurement and standards infrastructure. ITL develops tests, test methods, reference data, proof ofconcept implementations, and technical analysis to advance the development and productive use ofinformation technology. ITL’s responsibilities include the development of technical, physical,administrative, and management standards and guidelines for the cost-effective security and privacy ofsensitive unclassified information in Federal computer systems. This Special Publication 800-seriesreports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborativeactivities with industry, government, and academic organizations.National Institute of Standards and Technology Special Publication 800-45 Version 2Natl. Inst. Stand. Technol. Spec. Publ. 800-45 Version 2, 139 pages (Feb. 2007)Certain commercial entities, equipment, or materials may be identified in thisdocument in order to describe an experimental procedure or concept adequately. Suchidentification is not intended to imply recommendation or endorsement by theNational Institute of Standards and Technology, nor is it intended to imply that theentities, materials, or equipment are necessarily the best available for the purpose.iii

Acknowledgements, Version 2The authors, Wayne Jansen and Karen Scarfone of NIST, Miles Tracy of Federal Reserve InformationTechnology, and Jason Butterfield of Booz Allen Hamilton, wish to express their thanks to colleagues atboth organizations who reviewed drafts of this document. In particular, their appreciation goes to LindaAntil, Rick Ayers, Bill Burr, Tim Grance, and Tim Polk from NIST for their research, technical support,and written contributions to this version of the document. The authors would also like to express theirthanks to all those who contributed input during the public comment period and who assisted with ourinternal review process.Acknowledgements, Original VersionThe authors, Wayne Jansen of NIST and Scott Bisker and Miles Tracy of Booz Allen Hamilton (BAH),wish to express their thanks to colleagues at both organizations who reviewed drafts of this document. Inparticular, their appreciation goes to John Wack, Murugiah Souppaya, and Tim Grance from NIST, andSteve Allison, Alexis Feringa, Jonathan Holleran, Kevin Kuhlkin, and Mark McLarnon from BAH, fortheir research, technical support, and written contributions to this document. The authors would also liketo express their thanks to all those who contributed input during the public comment period and whoassisted with our internal review process.iv

GUIDELINES ON ELECTRONIC MAIL SECURITYTable of ContentsExecutive Summary.ES-11.Introduction .1- and Standards .2- .3-4Key Management.3-4Issues with Email Encryption .3-5Planning and Managing Mail ltipurpose Internet Mail Extensions .2-2Mail Transport Standards.2-32.3.1 Simple Mail Transfer Protocol .2-32.3.2 Simple Mail Transfer Protocol Extensions.2-42.3.3 Proprietary Mail Transports .2-6Client Access Standards.2-62.4.1 Post Office Protocol.2-72.4.2 Internet Message Access Protocol .2-82.4.3 Proprietary Mailbox Access Mechanisms.2-92.4.4 Web-Based Mail Access.2-9Signing and Encrypting Email Messages .3- and Scope .1-1Audience and Assumptions .1-2Document Organization .1-2Installation and Deployment Planning.4-1Security Management Staff.4-34.2.1 Senior IT Management/Chief Information Officer (CIO) .4-34.2.2 Information Systems Security Program Managers .4-34.2.3 Information Systems Security Officers .4-44.2.4 Mail Server and Network Administrators .4-4Management Practices .4-4System Security Plan.4-5Human Resources Requirements .4-7General Information System Security Principles.4-7Checklist for Planning and Managing Mail Servers .4-9Securing the Mail Server Operating System .5-15.15.2Updating and Configuring the Operating System .5-25.1.1 Patch and Upgrade Operating System.5-25.1.2 Remove or Disable Unnecessary Services and Applications.5-25.1.3 Configure Operating System User Authentication.5-45.1.4 Configure Resource Controls Appropriately .5-65.1.5 Install and Configure Additional Security Controls .5-6Security Testing the Operating System .5-7v

GUIDELINES ON ELECTRONIC MAIL SECURITY5.36.Securing Mail Servers and Content.6- Composition and Structure .7-17.1.1 Inadvisable Network Layout .7-17.1.2 Demilitarized Zone.7-17.1.3 Mail Gateways .7-47.1.4 Management Network .7-5Network Element Configuration .7-57.2.1 Router/Firewall Configuration .7-57.2.2 Intrusion Detection and Prevention Systems.7-87.2.3 Network Switches .7-11Checklist for Implementing a Secure Network Infrastructure .7-12Securing Mail Clients.8- the Mail Server Application.6-16.1.1 Securely Installing the Mail Server .6-16.1.2 Configuring Operating System and Mail Server Access Controls .6-1Protecting Email from Malware .6-36.2.1 Malware Scanning .6-56.2.2 Content Filtering .6-96.2.3 User Awareness .6-12Blocking Spam-Sending Servers .6-13Authenticated Mail Relay .6-14Secure Access .6-14Enabling Web Access .6-15Checklist for Securing Mail Servers and Content .6-16Implementing a Secure Network Infrastructure .7-17.18.Checklist for Securing the Mail Server Operating System .5-7Installing and Configuring Client Applications.8-18.1.1 Patching and Updating Mail Clients.8-18.1.2 Configuring Mail Client Security Features .8-18.1.3 Configuring Authentication and Access.8-28.1.4 Securing the Client Host’s Operating System .8-3Secure Message Composition .8-4Plug-ins .8-5Accessing Web-Based Mail Systems .8-5Checklist for Securing Mail Clients .8-6Administering the Mail Server .9- .9-19.1.1 Recommended Generic Logging Configuration .9-19.1.2 Log File Review and Retention.9-39.1.3 Automated Log File Analysis Tools .9-4Backing Up Mail Servers.9-4Recovering from a Security Compromise .9-6Security Testing Mail Servers .9-89.4.1 Vulnerability Scanning .9-89.4.2 Penetration Testing .9-9Remotely Administering a Mail Server.9-10Checklist for Administering the Mail Server .9-11vi

GUIDELINES ON ELECTRONIC MAIL SECURITYAppendicesAppendix A— Glossary . A-1Appendix B— Email-Related RFCs . B-1Appendix C— References . C-1Appendix D— Email Security Tools and Applications . D-1Appendix E— Online Email Security Resources . E-1Appendix F— Email Security Checklists . F-1Appendix G— Acronym List .G-1Appendix H— Index . H-1List of Tables and FiguresFigure 2.1: Example of Message Flow.2-2Figure 2.2: SMTP Commands .2-4Figure 2.3: Sample SMTP Conversation .2-4Figure 2.4: Sample ESMTP Conversation .2-5Figure 2.5: POP3 Commands.2-7Figure 2.6: IMAP 4 Revision 1 Commands .2-8Figure 6.1: Malware Scanning Implemented on Firewall .6-6Figure 6.2: Malware Scanning Implemented on Mail Server .6-7Figure 6.3: Malware Scanning Implemented on User Workstations .6-9Figure 6.4: Sendmail TLS Configuration Example from 7.1: Simple Single-Firewall DMZ .7-2Figure 7.2: Two-Firewall DMZ.7-3Figure 7.3: Three-Interface Firewall DMZ .7-3Figure 7.4: Mail Gateway .7-5vii

GUIDELINES ON ELECTRONIC MAIL SECURITYThis page has been left blank intentionally.viii

GUIDELINES ON ELECTRONIC MAIL SECURITYExecutive SummaryElectronic mail (email) is perhaps the most popularly used system for exchanging business informationover the Internet (or any other computer network). At the most basic level, the email process can bedivided into two principal components: (1) mail servers, which are hosts that deliver, forward, and storeemail; and (2) mail clients, which interface with users and allow users to read, compose, send, and storeemail. This document addresses the security issues of mail servers and mail clients, including Web-basedaccess to mail.Mail servers and user workstations running mail clients are frequently targeted by attackers. Because thecomputing and networking technologies that underlie email are ubiquitous and well-understood by many,attackers are able to develop attack methods to exploit security weaknesses. Mail servers are alsotargeted because they (and public Web servers) must communicate to some degree with untrusted thirdparties. Additionally, mail clients have been targeted as an effective means of inserting malware intomachines and of propagating this code to other machines. As a result, mail servers, mail clients, and thenetwork infrastructure that supports them must be protected. Examples of email security issues includethe following:To exchange email with the outside world, a requirement for most organizations, it is allowed throughorganizations’ network perimeter defenses. At a basic level, viruses and other types of malware maybe distributed throughout an organization via email. Increasingly, however, attackers are gettingmore sophisticated and using email to deliver targeted zero-day attacks in an attempt to compromiseusers’ workstations within the organization’s internal network.Given email’s nature of human to human communication, it can be used as a social engineeringvehicle. Email can allow an attacker to exploit an organization’s users to gather information or getthe users to perform actions that further an attack.Flaws in the mail server application may be used as the means of compromising the underlying serverand hence the attached network. Examples of this unauthorized access include gaining access to filesor folders that were not meant to be publicly accessible, and being able to execute commands and/orinstall software on the mail server.Denial of service (DoS) attacks may be directed to the mail server or its support networkinfrastructure, denying or hindering valid users from using the mail server.Sensitive information on the mail server may be read by unauthorized individuals or changed in anunauthorized manner.Sensitive information transmitted unencrypted between mail server and client may be intercepted.All popular email communication standards default to sending usernames, passwords, and emailmessages unencrypted.Information within email messages may be altered at some point between the sender and recipient.Malicious entities may gain unauthorized access to resources elsewhere in the organization’s networkvia a successful attack on the mail server. For example, once the mail server is compromised, anattacker could retrieve users’ passwords, which may grant the attacker access to other hosts on theorganization’s network.Malicious entities may attack external organizations from a successful attack on a mail serv