From the course: CompTIA Network+ (N10-009) Cert Prep
Securing email
- The big problem with email is that it was designed from the ground up to not be secure. So, SMTP, IMAP and POP protocols are by default unencrypted protocols. So, as the years progressed, people began to realize that, "Hey man, I need to get encrypted email." Now, I need to warn you right now. It's very easy for you to take an end-user attitude about this stuff. And you're like, "Well, I just use Gmail," or "I just use Yahoo," or "I just use an encrypted tool like Proton Mail." We're not talking about the users, we're talking about us nerds who are the people that have to configure this stuff and get it set up, okay? So, what we're going to be talking about here is that you've got a mail server that you're having to deal with. And what you're trying to do is move out of the unencrypted world and into the encrypted world. All email server tools can easily handle encrypted email, assuming you've got them set up right. And I need to warn you, the exam hits on this very hard. So, let's take a moment and discuss how we encrypt emails. So, I've got my client here. Here, let me write "client". And this client here is probably running a more traditional client, Outlook or Thunderbird or something like that. It might be a web-based tool, but we're not talking about Gmail here, folks. We're not talking about Yahoo. We're not talking about web-based. We're talking about real email in this case. So, what we would normally have, and we cover this in other episodes, is SMTP over here. This is an SMTP server and he's going to be running on Port 25, and then it might be either an IMAP or a POP3. Now, POP isn't nearly as common as it used to be, but, whoops, it ran on Port 110. Pretty much everybody uses IMAP these days because it's nice to be able to create folders in your email and stuff like that. And that runs on Port 143. No problem, right? And you set this stuff up.
In fact, by default, any email server tool will go ahead and set up these ports automatically. The problem we ran into is that moving from unencrypted to encrypted email was not a smooth one-time process. We went through a number of issues. The biggest issue is that, first of all, everybody said we're going to use TLS the same way we use it for encryption in our web browsers. That's great, but it took a while to figure this out. The first problem we ran into is that you would have a client and it would come into an encrypted server, but it would start the conversation using traditional ports, and then it would switch over. This was called traditional TLS. Notice I'm using the past tense when I say this. So, IMAP was on Port 993. You'd start the conversation on 143, but then quickly switch over to 993. POP was on 995, and then SMTP was on 465. And this was built into the email servers and email clients. They all worked fine. You throw a certificate into your email server, everything worked great. However, the powers that be, as they looked at this TLS solution, began to say to themselves, "Wait a minute, this is silly. We're going from one port number to another port number. So, bad guys, because they know about Port 110 and Port 25 and 143, might be monitoring, might be doing a man-in-the-middle type of thing." So instead, why don't we just erase all that and come up with another technology called STARTTLS? It's still TLS, folks, but at no time is it in an unencrypted state. So, STARTTLS was originally designed, and I don't care, all three of these ran on the same port number, 465. The idea of using 465 is because it was the one used originally with TLS, and they just arbitrarily picked it. You don't need three ports in this case. You've got a smart device that's able to separate these things. But there was a problem. And the problem was that we had a lot of mail servers (and we're talking about the early 2000s, which isn't that terribly long ago) where these servers would try to support both of these protocols.
And as you can see, if you've got two different protocols, TLS and STARTTLS, it began to create a mess. They said, "Okay, okay, okay. That 465 was just temporary until you use the official port that we'll always use from here on out, Port 587." I'm going to warn you, when you're configuring both email servers and email clients, there's a lot of variance in here. And a lot of times the answer is you're going to have to dig and try to figure out on the server side where you set your port settings and what other options you'll see, like "Use STARTTLS, yes or no?" And you have to get this stuff configured right. And on the client side, it can be even more frustrating. Very popular email clients like Thunderbird actually use improper phrasing that can make this stuff very, very confusing. For the exam, it is really important to me that you understand that there were two different protocols. TLS was the first version. TLS started unencrypted, then went to encrypted using these port numbers. And today, pretty much everybody uses STARTTLS. And STARTTLS should be using 587, but don't be surprised if you see a question where it says, "STARTTLS uses 465."
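A defender-side check of the server setup this lesson describes, added here and not part of the course: it reads an SMTP EHLO reply for the STARTTLS capability, flags a server that advertises AUTH before the TLS upgrade, and probes a host on the 587 and 465 ports with certificate verification. The host name and the sample EHLO reply are constructed placeholders.

```python
# Added example, not from the course: audit which TLS modes a mail server
# offers on the ports the lesson names. parse_ehlo() and assess_plaintext_ehlo()
# run offline on a captured reply; probe() does the live checks over the network.
import smtplib
import ssl

def parse_ehlo(raw_reply: bytes) -> set:
    """Capability keywords from a raw EHLO reply ('250-KEY args' per line)."""
    lines = [l for l in raw_reply.decode("ascii", "replace").splitlines()
             if l.startswith("250")]
    caps = set()
    for line in lines[1:]:                # first 250 line is the greeting
        body = line[4:].strip()           # drop the '250-' / '250 ' prefix
        if body:
            caps.add(body.split()[0].upper())
    return caps

def assess_plaintext_ehlo(caps: set) -> list:
    """Findings for an EHLO reply received BEFORE any TLS upgrade."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS offered: clients cannot upgrade")
    if "AUTH" in caps:
        findings.append("AUTH offered before TLS: credentials could cross in clear")
    return findings

def probe(host: str, timeout: float = 10) -> dict:
    """Live check: STARTTLS on 587 and TLS-from-the-first-byte on 465."""
    ctx = ssl.create_default_context()    # verifies chain and hostname
    result = {}
    with smtplib.SMTP(host, 587, timeout=timeout) as s:
        s.ehlo()
        result["587_starttls"] = s.has_extn("starttls")
        result["587_auth_before_tls"] = s.has_extn("auth")
        if result["587_starttls"]:
            s.starttls(context=ctx)
            s.ehlo()                      # capabilities may change after upgrade
    try:
        with smtplib.SMTP_SSL(host, 465, context=ctx, timeout=timeout) as s:
            s.ehlo()
            result["465_implicit_tls"] = True
    except (OSError, ssl.SSLError):
        result["465_implicit_tls"] = False
    return result

# Constructed sample reply (not a real server) for the offline functions.
SAMPLE_EHLO = (b"250-mail.example.test Hello\r\n250-SIZE 35882577\r\n"
               b"250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n")
```

Run `probe("your.mail.host")` against a server you administer; a False in `587_starttls` or a True in `587_auth_before_tls` points at the "Use STARTTLS, yes or no?" style setting the lesson says you have to get right.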