Flag Mails received with TLS or IPv6

Flags in Thunderbird

Flags in Thunderbird

I just wondered how wide spread IPv6 and TLS are when receiving e-mails, so I wanted to quickly see which kind of transport an incoming mail used. I wanted to see it directly when it hits my inbox, so I adding a tag to the mail would be a sensible approach.

Since I’m running a quite common setup with Postfix, Dovecot and the usual stuff connecting into those two daemons, it wasn’t much work to do it.

Dovecot has the ability to filter and sort mails directly on the server using sieve. I have sieve up and running to sort mails from mailinglists into their corresponding folders and do stuff like that.

The best way to find out how an e-mail was received is to look at the „Received“ header:

Received: from sender.domain.invalid (sender.domain.invalid [IPv6:2001:db8:cofe::1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by receiver.otherdomain.invalid (Postfix) with ESMTPS id 01D2C3E4A02
 for <nico@otherdomain.invalid>; Sun, 11 Jan 2015 17:24:17 +0100 (CET)

The header spreads across multiple lines and with (usually) tabs infront of the new ones. It tells us that the sending Mailserver was using IPv6 and TLS. Of course, sender.domain.invalid and receiver.otherdomain.invalid are only to demonstrate it. In reality, there should be your domain and the sender’s one.

Automatically detecting IPv6 is not so simple as one might think, the „Received“ line must include „IPV6:“ in it. But also, you want to make sure that it is only a hit, when the message was received by you via IPv6, not by one of the mailservers it might have passed earlier on its way through the internet.

There is a handy tool called regexr.com, where you can built and test regular expressions. It took me some minutes to make it work, without having long expression The IPv6 one can be seen here. You need to paste the received header from above, to see it work.

(from).+\[IPv6:.*(\s.*)*(by receiver\.otherdomain\.invalid)

First, we filter for „from“ and „IPv6:“ (the colon just to make sure that we don’t hit in a possibly wrong hostname) in one line, then after some more lines we filter on the receiving mailserver.

Of course, the sieve regex implementation has its own flavour of regular expressions, explained here, so I had to do some modifications to use them with sieve.

The TLS regex was on the same level of complexity. It’s that piece of regex.

(from).+\s+\(using TLS.*(\s.*)*(by receiver\.otherdomain\.invalid)

It also hits on „from“ but then searched fot the TLS header. Again, it also matches the receiving servers hostname. Sinve SSLv3 is broken and should not be used, I to only match TLS.

As linked earlier, the sieve regex has some own ways to find whitespaces or newlines, so have a look at the linked document, if you want to build your own expressions.

I did not want to modify the message but wanted to see the flags on a first glance, I did not want to add a pre- of suffix to the subject. I instead decided to use the colour flags Thunderbird can display. I do not use them normally so they are a good fit for that task. They can easily be removed afterwards, when stuff gets boring and everyone uses IPv6 and TLS 😉

The dovecot wiki lists the lables and the corresponding colours. I chose green for TLS and blue for IPv6. Usually they are used for „Personal“ and „ToDo“

To do the filtering, your sieve instructions file must require the modules „imap4flags“ and „regex“, otherwise it won’t work. My sieve config is like the following (but much longer with a lot more rules):

require ["imap4flags","regex"];
 # rule:[TLSTest]
 if header :regex "received" "(from).+[[:space:]]+\\(using TLS.+([[:space:]]*.*)*(by receiver\\.otherdomain\\.invalid)"
 addflag ["$label3"];
 # rule:[IPv6Test]
 if header :regex "received" "(from).+\\[IPv6:.*([[:space:]]*.*)*(by receiver\\.otherdomain\\.invalid)"
 addflag ["$label4"];

These regexes work quite well for me. You need to replace the domain „receiver.otherdomain.invalid“ with the one your mailserver uses. Until now, I had no false-negatives or false-positives. I’m not sure what happens when TLS is in one Received header, and my hostname in another. I think that sieve checks them one by one but did not challenge that. The one by one checking would make sense because the regex itself is only executed for „received“ headers, as you can see in the sieve rules.

Of course, other sieve plugings like fileinto“ can move mails to differend locations but I just wanted to observe the Mails coming into my inbox, with the new flag.

Mail with Flags

Mail with Flags

I renamed the two flags (or tags, as they are called in Thunderbird), just to have it a bit less tidy in my inbox.

How far TLS and IPv6 are spread. Right now I see a lot of TLS but nealy no IPv6, only from RaumZeitLabor and folks sorrounding it.