Solved

Help Analyzing Email Header Information

Posted on 2010-11-11
10
1,832 Views
Last Modified: 2012-06-21
Help.  I'm looking for a reality check here and was hoping you can help.  

We are working with a vendor that swears the following emails are being set to us encrypted and secure (it's confidential information that cannot be sent via Normal smpt traffic).   But the way I'm reading the header information, it looks like it was sent via normal smtp.

We use Postini as our spam filter, and do have a TLS route between Postini & My Mail Server.

smtp2.VENDOR-NetworkID.com resolves to VENDOR-IP-ADDRESS

It looks like based on this line that the mail is traveling via SMTP from the vendor to Postini.  

Received: from source ([VENDOR-IP-ADDRESS]) by exprodXXX.postini.com ([POSTINI-IP-ADDRESS]) with SMTP;

It looks like maybe there are secured hops but that main one to our Postini is unencrypted.


------------------------------------------------------------------

Microsoft Mail Internet Headers Version 2.0
Received: from psmtp.com ([MY-INTERNAL-SERVER-IP] RDNS failed) by MY-SERVER-NAME over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
       Tue, 27 Jul 2010 09:02:41 -0400
Received: from source ([VENDOR-IP-ADDRESS]) by exprodXXX.postini.com ([POSTINI-IP-ADDRESS]) with SMTP;
      Tue, 27 Jul 2010 08:02:39 CDT
X-IronPort-AV: E=Sophos;i="4.55,267,1278302400";
   d="pdf'?scan'208";a="73036257"
Received: from unknown (HELO LLLLLL.corpads.local) ([10.xx.xx.xxx])
  by smtp2.VENDOR-NetworkID.com with ESMTP; 27 Jul 2010 09:01:01 -0400
Received: from 10.xx.x.xxx by LLLLLL.corpads.local with ESMTP (Secure
 Mail SMTP Relay (Email Firewall v6.3.0)); Tue, 27 Jul 2010 09:02:26
 -0400

X-Server-Uuid: Cmmmmmmm-mmmmmmm-mmmm-mmmmmmmmmm
To: reciepients
cc: Carbons
MIME-Version: 1.0
Subject: Subject
X-KeepSent: 000000:00000:000000; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.0.2 August 07, 2008
Message-ID: <Cmmmmmmm-mmmmmmm-mmmm-mmmmmmmmmm@VENDOR.com>
From: sENDER
Date: Tue, 27 Jul 2010 09:02:20 -0400
X-MIMETrack: S/MIME Sign by Notes Client on sENDER-NAME
 (Release 8.0.2|August 07, 2008) at 07/27/2010 09:02:23
 AM, Serialize by Notes Client on MsENDER-NAME(Release
 8.0.2|August 07, 2008) at 07/27/2010 09:02:23 AM, Serialize complete at
 07/27/2010 09:02:23 AM, S/MIME Sign failed at 07/27/2010 09:02:23 AM:
 The cryptographic key was not found, Serialize by Router on
 VENDORM09/VENDOR(Release 8.0.2|August 07, 2008) at 07/27/2010 09:02:36
 AM
X-WSS-ID: 605007680Z0364924-01-03
Content-Type: multipart/mixed;
 boundary="=_mixed 0047A1598525776D_="
X-CFilter-Loop: Reflected
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels:     (S:00.00000/00.00000 CV:99.9000 FC:00.0000 LC:00.0000 R:00.0000 P:00.0000 M:00.0000 C:00.0000 )
Return-Path: SENDER EMAIL
X-OriginalArrivalTime: 27 Jul 2010 13:02:41.0672 (UTC) FILETIME=[fffffff:000000]

--=_mixed 00000000000000000000_=
Content-Type: multipart/alternative;
 boundary="=_alternative 0047A1598525776D_="
Content-Transfer-Encoding: 7bit

--=_alternative 00000000000000000000_=
Content-Type: text/plain;
 charset=us-ascii
Content-Transfer-Encoding: 7bit

--=_alternative 00000000000000000000_=
Content-Type: text/html;
 charset=us-ascii
Content-Transfer-Encoding: 7bit


--=_alternative 00000000000000000000_=--
--=_mixed 000000000000000000000_=
Content-Type: application/octet-stream;
 name="ATTACHEMENTNAME.PDF"
Content-Disposition: attachment;
 filename="ATTACHEMENTNAME.PDF"
Content-Transfer-Encoding: base64


--=_mixed 00000000000000000000_=--
0
Comment
Question by:jmerulla
10 Comments
 
LVL 9

Expert Comment

by:avilov
ID: 34115240
i don't think you can always can see from headers if connections were encrypted or not.

to test that just download BLAT and send emails yourself thru postini with and without TLS

0
 
LVL 2

Author Comment

by:jmerulla
ID: 34115375
It's odd though.  No where in the email does it state that the email is encrypted like it was using Tumbleweek or Zix Corp.  

Plus it came into my user plan and open.  
0
 
LVL 9

Expert Comment

by:avilov
ID: 34115383
hm. looks like blat doesn't support TLS directly. it was a while since i used it, sorry. I forgot the name of small utility that I used for email tests like that. if you familiar with *nix you can use openssl
0
 
LVL 2

Author Comment

by:jmerulla
ID: 34115400
It's ok.  It's odd some of their encrypted items come through tumbleweed others don't.  
0
 
LVL 9

Expert Comment

by:avilov
ID: 34115429
I haven't been using postini for a while too, but i think you can configure it to enforce tls for domains you want
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 2

Author Comment

by:jmerulla
ID: 34115491
It's not on my end.  I'm concerned that the vendor set it to us unsecured.
0
 
LVL 9

Assisted Solution

by:avilov
avilov earned 150 total points
ID: 34115529
i understand. i think you can configure postini to accept only TLS encrypted connection from domains of yuor choice. if that is true you will be sure that vendor sent it thru encrypted channel (at least to postini )) )
0
 
LVL 2

Author Comment

by:jmerulla
ID: 34115561
I can't do that plus it's up to the vendor to make sure this information is encrypted.  
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 34116149
> The cryptographic key was not found, Serialize by Router on
> VENDORM09/VENDOR(Release 8.0.2|August 07, 2008) at 07/27/2010 09:02:36 AM

The lines above suggest to me that the original message wasn't encrypted by the originating server. I suppose it means that that server doesn't have or cannot find your public key.
0
 
LVL 1

Accepted Solution

by:
KNolen earned 350 total points
ID: 34121755
I would guess that the vendor is confusing Lotus Notes/Domino encryption and secure SMTP transport. The Notes client/Domino server connection uses a separate protocol unique to this client/server relationship, and this protocol can be (and usually is) secured via encryption. But configuring SMTP on the Domino server to send encrypted messages to non-domain servers is a different matter. So I would guess that this hasn't been done and the vendor is confusing the two.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Restrict Outlook Anywhere to Company Devices only 5 93
exchange and TLS 4 278
C# .Net Send Mail 5 51
Email Address Spoofed 8 65
What is Usenet? There are many different opinions on exactly what Usenet is an isn't. Many opinions are incorrect simply out of ignorance. The Wikipedia listing about Usenet does a good job of explaining it, so instead of repeating it all here I wi…
Resolve Outlook connectivity issues after moving mailbox to new Exchange 2016 server
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now