Standard User RobertoS
(elder) Fri 28-Apr-17 19:20:07

Nomx - so who is right?


 
A BBC Click investigation has thrown doubt on claims that the small, personal email server Nomx can provide "absolute security".

Created by entrepreneur Will Donaldson, Nomx says it uses the "world's most secure communications protocol" to protect email messages.

But security analysts cracked the device's simple passwords and hacked its hardware and software.
...
The investigation started by taking the device apart to find that it was built around a £30 Raspberry Pi computer.
...
The BBC Click show dedicated to this investigation will air on 29 April on the BBC News Channel and iPlayer, where it will also be available afterwards.
BBC link to the above.
• UK blogger makes false claims he can access nomx remotely
• UK blogger fails to access nomx remotely

nomx is pleased to provide the following details regarding testing recently performed by a private cybersecurity blogger who claimed he could access any nomx device and that he could do so in minutes.
...
In 2016 nomx produced a number of devices based on a Raspberry Pi.
...
In January 2017 the BBC was provided a demo device for use in a forthcoming episode focused on personal security. The BBC later requested another device and that too was a Raspberry model.
...
After multiple statements about the lack of security of nomx, the blogger failed to prove any such vulnerability and indeed, failed in his accusations that he could penetrate nomx in any way.
...
While nomx is no longer based on Raspberry devices, we still maintain that the users' data is secured as we’ve demonstrated to the blogger, the media and our customers.
Link.

My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65273/13554Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User caffn8me
(eat-sleep-adslguide) Sat 29-Apr-17 14:21:08

Re: Nomx - so who is right?


[re: RobertoS]
 
You'll get a much better insight by reading Scott Helme's fascinating report at https://scotthelme.co.uk/nomx-the-worlds-most-secure...

I think it's absolutely accurate to say that nomx is not a communications protocol in the accepted sense of the term. It uses standard SMTP but on a different TCP port (26 rather than 25) and it uses the standard DNS protocol to set its hostnames.

It's also fair to say it doesn't seem to be secure.

I would describe the whole system as a hideous kludge.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User RobertoS
(elder) Sat 29-Apr-17 14:34:54

Re: Nomx - so who is right?


[re: caffn8me]
 
smile
I read that before my OP, but thanks in case I hadn't. It's linked to in the BBC article.

It's not a topic I'm qualified to give opinion on, which is why I asked. What you say is the impression I got. Though what is in the current model is another question. Stab 2, having found the "Proof of concept" Stab 1 was only partially successful.

I'll stick with paying a dedicated mail host with my own router firewall and Kaspersky IS wink.

My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 64784/13768Kbps @ 600m. BQMs - IPv4 & IPv6



Standard User caffn8me
(eat-sleep-adslguide) Sat 29-Apr-17 15:16:10

Re: Nomx - so who is right?


[re: RobertoS]
 
Mail server security is something I do have more than a passing interest in. I've now got to the stage where almost all spam is correctly rejected by my mail servers with virtually no false positives smile

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Michael_Chare
(fountain of knowledge) Sun 30-Apr-17 11:44:06

Re: Nomx - so who is right?


[re: caffn8me]
 
One of the issues was that they are using a not very up-to-date version of Postfix, and there did not appear to be a procedure for updating it. It was not very clear to me how you could receive emails without configuring your router to forward incoming emails for port 25 to port 26 of the Nomx. I am not sure how you could access your emails remotely without configuring more port forwarding on your router.

I also don't think that Postfix does any spam filtering, as you might expect from an ISP email system.

Michael Chare

Edited by Michael_Chare (Sun 30-Apr-17 11:48:20)

Standard User caffn8me
(eat-sleep-adslguide) Sun 30-Apr-17 17:27:56

Re: Nomx - so who is right?


[re: Michael_Chare]
 
In reply to a post by Michael_Chare:
One of the issues was that they are using a not very up-to-date version of Postfix, and there did not appear to be a procedure for updating it. It was not very clear to me how you could receive emails without configuring your router to forward incoming emails for port 25 to port 26 of the Nomx. I am not sure how you could access your emails remotely without configuring more port forwarding on your router.

I also don't think that Postfix does any spam filtering, as you might expect from an ISP email system.

nomx, as I understand it, doesn't communicate on TCP port 25 when configured as directed so you can't receive regular email with it. It communicates with other nomx devices on TCP port 26 and you have to tell it the IP address of other nomx users you want to communicate with. As outlined in Scott Helme's article, this introduces problems of its own.

It seems there's nothing stopping someone making a direct SMTP connection to TCP port 26 to send email from a non-nomx device as all the protocols it uses are standard. I have no doubt that nomx devices can be found listed in Shodan and other similar sites by doing a TCP port 26 search.

Given the vast number of TCP port 25 probes my firewall logs for IP addresses which don't run SMTP and aren't an MX listed host, I'd be very sceptical that simply having no MX record is a very effective security solution for hiding mail servers.

If you make an SMTP connection to a nomx box on TCP port 26, the nomx box will reply with its hostname - which very likely includes the domain it handles mail for, although I'm not going to buy a nomx box to test this.

Postfix in its native state has no spam filtering, as you say, but can be configured to use external spam scoring and filtering programmes, just as other mail servers can. Zen Internet, for example, uses Exim as its mail server with SpamAssassin.

I do use quite a few different techniques to help with spam filtering and I also run my mail servers behind a firewall SMTP proxy which strips out invalid commands and also hides the MTA version information.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
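
Added example, not part of the original thread or any poster's code: a small Python check for the banner point raised in the post above, reporting what an SMTP 220 greeting discloses (hostname, MTA name, version) to anyone who connects to a mail server you run. The greetings are constructed samples and the product-name list is an illustrative assumption.

```python
import re

# Product names to look for in a greeting (illustrative list, not exhaustive).
MTA_NAMES = ("postfix", "exim", "sendmail", "qmail")
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
LINE_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_greeting(raw):
    """Split an SMTP greeting ('220-' continuation lines, then '220 ') into host and text."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty greeting")
    texts = []
    for i, line in enumerate(lines):
        m = LINE_RE.match(line)
        if not m or m.group(1) != "220":
            raise ValueError(f"not a 220 greeting line: {line!r}")
        # Only the final line may use a space after the code; earlier ones use '-'.
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError("bad continuation marker")
        texts.append(m.group(3))
    words = texts[0].split()
    host = words[0] if words else ""
    return host, " ".join([" ".join(words[1:])] + texts[1:]).strip()


def audit_greeting(raw):
    """Return (kind, value) findings for what the greeting tells an unauthenticated client."""
    host, text = parse_greeting(raw)
    findings = []
    if FQDN_RE.match(host):
        findings.append(("hostname", host))
    findings += [("software", n) for n in MTA_NAMES if n in text.lower()]
    version = VERSION_RE.search(text)
    if version:
        findings.append(("version", version.group(0)))
    return findings


# Constructed sample greetings (not captured from any real server).
SAMPLES = {
    "default": "220 mail.example.org ESMTP Postfix (Debian/GNU)\r\n",
    "verbose": "220 mail.example.org ESMTP Exim 4.89 Sun, 30 Apr 2017 17:27:56 +0100\r\n",
    "multiline": "220-mx.example.net ESMTP\r\n220 Postfix 3.1.0\r\n",
    "proxied": "220 smtp ESMTP\r\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(name, audit_greeting(banner))
```

On Postfix the greeting text is controlled by the `smtpd_banner` parameter, so the software and version findings can be removed there without a proxy.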