Disclaimer: This blog is for educational purpose only!!!
In this blog we will demonstrate how unencrypted email traffic can sniff using Wireshark. To show practically we have setup mail server using dovecot with using protocol IMAP/POP3 and GUI based on SquirrelMail.
SMTP (Simple Mail Transfer Protocol):
Emails are sent using SMTP protocol. Emails can be sent by using SquirrelMail client to a server or by a server to another server. The TCP port used is 25. It is a text-based, connection-oriented protocol. It establishes the guidelines for server communication. The use of this protocol allows for certain error handling techniques. A server identifies itself and specifies the type of activity it intends to conduct in a typical SMTP transaction and the activity is approved by the other server, and then the message is sent. The servers now employ a slightly upgraded version of the SMTP protocol called ESMTP.
IMAP (Internet Message Access Protocol):
Internet Message Access Protocol is what it’s called. It is utilized to get emails from a mail server. The emails are kept on the mail server in an IMAP configuration. The ability to access the emails from several locations is a benefit of this. After reading the emails, the user has the option to delete them or keep them in the mailbox. Additionally, it supports offline mode, which enables modifications made while there is no internet to take effect after the server is reconnected. Additionally, it can be used with POP.
POP3 (Post Office Protocol):
Post Office Protocol is referred to as POP. Additionally, it is employed to get emails from a mail server. In contrast to IMAP, it downloads the files to the local computer and typically deletes the server-side email. As a result, relatively minimal server space is needed. The third iteration of this protocol is called POP3. It is intended to support processing of offline mail. Advanced collaborative tools like calendaring, contacts, and tasks are missing.
First we checked the Dovecot mail server is running or not on ubuntu VirtualBox.
Then we started the Wireshark to capture traffic before we login into mailserver through GUI based SquirrelMail.
We installed & configured “SquirrelMail” for easy interaction and used Dovecot Mail Server web GUI based through browser. Login to my dovecot mail server account through “SquirrelMail“.
Above is the screenshot after successfully login by the user “mailuser1“
Composing mail and sending to “mailuser2“.
Now login to user “mailuser2“
After successfully login by the user “mailuser2” we can check and read the mail came from user “mailuser1.
Now we are replying to “email@example.com” by clicking on “Reply” button.
Again login to user “mailuser1” and see if reply from “mailuser2” is received in “Inbox“.
We have captured all mailserver traffic through Wireshark now try to analyze packets and understand whether the email data passed in networks through SquirrelMail and Dovecot Mail Server are encrypted and secure or passed in plain text. If it is passed in plain text then any hacker can capture network traffic like we had done through Wireshark and can read the Login details, Mails and this is dangerous for any mail user.
We can see in the Wireshark that login details are going on network in plain text not encrypted.
Now we found an email from “mailuser1” to “mailuser2” passing in plain text on the network without any encryption which is very dangerous because any hacker can read email conversions between two users.
We found the packet of second user mailuser2 login details.
Now we try to find the second user “mailuser2” login details which we captured in Wireshark.
Now we try to find reply packet from “firstname.lastname@example.org” to “email@example.com“
Mail reply message also passing in network in plain text not encrypted which is very dangerous because any hacker can read email conversions between two users.
How to Prevent:
- Transfer SMTP traffic over SSL/TLS to protect it from being modified in the middle of transfer time.
- Dovecot mail server comes with generic SSL certificates and key files that are used in the “/etc/dovecot/conf.d/10-ssl.conf” . When a user tries to connect to dovecot server, it will show a warning because the certificates are not signed, you can purchase a certificate from a trusted certificate authority.