This is the official git repository of mecsa-st, the command line version of My Email Communications Security Assessment (MECSA). MECSA is a public service where users can test the technical capacity of their email providers to protect the security and privacy of email communications.
This command line version of the MECSA service engine, mecsa-st, is limited to the analysis of the inbound email services (the analysis of the security standards supported by the email provider to receive email from other email providers). Further analysis of the security standards used to protect email delivery (outbound email services) is not supported, as this would require the reception of an email sent by the email provider tested.
A full assessment of both inbound and outbound email services is available in our free online tool MECSA. This online service allows any user, with a valid email account in an email service, to carry out a complete assessment of the capabilities of that email provider, to protect both the reception and delivery of emails.
mecsa-st, on the other hand, only requires the domain name of the email service to be analysed, which is given as a command line argument. A series of non-intrusive tests will be executed to determine which of the following security standards are properly supported by the email provider.
- StartTLS
- RequireTLS
- TLS Reporting
- Analysis of signatures, chain of trust and validity of x509 certificates
- SPF
- DKIM (presence estimation only)
- DMARC
- DANE
- DNSSEC
- MTA-STS
The objective of these protocols is to protect the reception of emails.
Update! The new version of mecsa-st released on 12/09/2022 contains the following changes:
- During the DNSSEC test mecsa-st will now retry once the DNS queries using UDP instead of TCP if the DNS server drops the connection or does not reply to a TCP query
Update! The new version of mecsa-st released on 08/07/2021 contains the following changes:
- Added IPv6 support to StartTLS tests
Update! The new version of mecsa-st released on 01/07/2021 contains the following changes:
- Checks that a domain supports SMTP TLS Reporting and checks the syntax of the relevant DNS record
Update! The new version of mecsa-st released on 20/05/2021 contains the following changes:
- Checks the presence of the SMTP Require TLS option when sending a message
Update! We have recently published a paper in the IEEE Access peer reviewed journal. You can find it int the EU Science Hub:
Please use the following bibtex entry to cite the paper:
@ARTICLE{Kambourakis2020,
author={G. {Kambourakis} and G. {Draper} and I. {Sanchez}},
journal={IEEE Access},
title={What Email Servers Can Tell to Johnny: An Empirical Study of Provider-to-Provider Email Security},
year={2020},
volume={8},
pages={130066-130081},}
Update! the new version of mecsa-st released on 20/03/2020 contains the following changes:
- Upgraded to python3
- Support for the analysis of MTA-STS
- Added support for additional DNSSEC algorithms
- New scoring function considering the specific policies deployed in the SPF and DMARC standards.
The mecsa-st tool requires Python 3 and the following python libraries: py3dns, pyopenssl, urllib3, pyspf, ipaddr, pycryptodome, requests, ECPy and the new version of dnspython (available in git).
Mecsa-st has been tested in a Linux environment, although it should also work in windows and mac environments, provided that the parameter -c is used to indicate the file containing the list of trusted CAs as concatenated .pem certificates. By default, the file is taken from /etc/ssl/certs/ca-certificates.crt.
Installation Steps
Clone the official mecsa-st git repository:
git clone https://github.com/mecsa/mecsa-st.git
Install python3
sudo apt-get update
sudo apt-get install python3 python3-pip python3-venv
Create and activate a Python 3 Virtual Environment to run mecsa-st
cd mecsa-st
python3 -m venv mecsa-st_venv
source mecsa-st_venv/bin/activate
Install required libraries using pip
pip install wheel
pip install --upgrade pip
pip install py3dns pyopenssl urllib3 pyspf ipaddr pycryptodome requests ECPy abnf dnspython
Usage
Quick usage (remember to activate the python3 venv):
(mecsa-st_venv) python mecsa-st.py <domain-to-test>
Full usage syntax:
usage: mecsa-st.py [-h] [-l LOG] [-c CERTIFICATES] [-v6] domain
MECSA Standalone Test
positional arguments:
domain domain to test
optional arguments:
-h, --help show this help message and exit
-l LOG, --log LOG specify path and name of logfile. Default is mecsa-st.log
-c CERTIFICATES, --certificates CERTIFICATES specify path from where to load the CA certificates. Default is '/etc/ssl/certs/ca-certificates.crt'
-v6, --ipv6 specify whether IPv6 addresses of the MX hosts should be checked along with IPv4. Default is IPv4 only. If the local host does not support IPv6, the IPv6 tests will time out.
- StartTLS: A DNS request is performed to retrieve all MX records of the domain tested. For each MX, an SMTP connection is established and a TLS communication channel is negotiated. If successful, the provided server certificate and the intermediate certificates are downloaded.
- RequireTLS: During the establishment of the SMTP connection (see above) it is checked whether the REQUIRETLS SMTP service extension is announced (in the form of the EHLO keyword value "REQUIRETLS"). This extension specifies that a message must be sent over a TLS communication channel.
- TLS Reporting: This mechanism allows sending domains to report failures on communications among SMTP Mail Transfer Agents (MTAs). Recipient domains can use a DNS TXT record to indicate where TLS RPT reports should be sent. First the existence of the DNS TXT record is checked, followed by its syntax validation.
- x509 Certificate Validation: The following tests are executed to validate the x509 certificates:
- Full certificate chain of trust validation (digital signatures).
- Check that root CA signing the certificate is trusted. The list of trusted CAs is loaded from the file indicated as parameter -c. If no file is specific, the default is /etc/ssl/certs/ca-certificates.crt (file with concatenated .pem certificates)
- Check that the CN or SAN of the certificate matches the FQDN (Full Qualified Domain Name) it refers to (MX records).
- Check that the certificate is not expired.
- Check that the certificate has not been revoked (CLR).
- SPF: Validate that a DNS SPF record exists, test that the syntax is correct and check the default policy value (parameter "all").
- DKIM: Check for evidence of the existence of a DKIM DNS record by sending a DNS request to the authoritative DNS servers for the domain tested (NS records), requesting the URL domainkey.somedomain. If the NS servers follow the DNS standard and the domain supports DKIM, the NS should answer NOERROR, otherwise, it should answer NXDOMAIN.
- DMARC: Validate that a DNS DMARC record exists, test that the syntax is correct and check the policy value (parameter p=).
- DANE: Validation of DANE records for each MX (if they exist). This test is independent from the DNSSEC test.
- DNSSEC: Given the email domain domain_test the DNSSEC assessment requires answering the following questions
- Is domain_test protected by DNSSEC?
- Are the TXT records of domain_test protected by DNSSEC? (only if SPF is present)
- Are the TXT records of _dmarc.domain_test protected by DNSSEC? (only if DMARC is present)
- Are the Mail Exchanger (MX) records of domain_test protected by DNSSEC?
- For each MX, is the MX domain name protected by DNSSEC?
- For each MX, are the TLSA records of the MX domain name protected by DNSSEC?
- MTA-STS: This validation is executed in three steps
- Validate the existence and syntax of a DNS record of type TXT on the domain _mta-sts.domain_test.
- Retrieve the policy from the URL mta-sts.domain_test/.well-known/mta-sts.txt using an https request and perform a syntax check.
- Validate that for each MX hostname the hostname matches the policy retrieved.
In addition to the technical results of the analysis, mecsa-st provides an accessible and easy to understand summary of the results scoring the email service analysed in the following categories: confidentiality, authenticity (protection against phishing and identity theft) and integrity.
-
Confidentiality: Evaluates the capacity to protect the incoming/outgoing email communications, from being read by third parties that could be listening the communication channel or impersonating the recipient. The protocols that MECSA uses to score this category are StartTLS, x509, DANE, DNSSEC and MTA-STS.
-
Phishing and Identity Theft: Measures the capacity of email providers to facilitate the identification of email messages sent from unauthorized third parties. In particular, MECSA uses SPF, DKIM, DMARC, and DNSSEC to evaluate this category.
-
Integrity: Evaluates the capacity to facilitate the detection of modified messages (content received differs from content sent), and the generation of evidence that messages have not been modified. The security standards that MECSA applies to score this category are DKIM, DMARC and DNSSEC
The score value assigned to each category depends on which email security protocols are supported by the email provider tested, the specific way in which they are implemented and the policies deployed. This relation can be modified through a .json file (commons/scoring.json). The specific score value will be calculated on the basis of the combination of supported protocols and policy evaluations described in this file.
It is important to note that given the limitations of mecsa-st, the command line version of MECSA, the score values obtained here will not be aligned by those provided in the online MECSA. As explained above in this README, this is because the online MECSA service provides a more exhaustive security analysis of the communications considering not only the email inbound services (email reception) but also the outbound ones (email delivery).
This project is licensed under the EUPL 1.2 License - see the LICENSE file for details
The file public_suffix_list.dat is licensed under the Mozilla Public License v2.0