[Ach] SMTP client mode ciphers
christian mock
cm at coretec.at
Tue Nov 19 12:10:32 CET 2013
On Mon, Nov 18, 2013 at 06:51:00PM +0100, Pepi Zawodsky wrote:
> I second the motion for explanations why the distinction between SMTP and Submission is necessary. Many mail servers accept MUA/MTA connections on 25 and still do not use submission.
> It might be an excellent opportunity to bring this infrastructure to use 587 with mandatory TLS and authentication and only accept MTA/MTA on 25/465 with opportunistic TLS.
>
> This would also fit the best-practice efforts.
IMHO there's a very compelling argument: on port 25 you must use
"better than plaintext" crypto, i.e. offer as broad a selection of
ciphersuites as possible.
That brings a risk when you also allow AUTH LOGIN/AUTH PLAIN on
port 25.
So we definitely should recommend:
- no auth on 25
- strong ciphers, auth on 587
- make sure your mail server can be configured to not offer auth until
after STARTTLS
cm.
--
Christian Mock, Senior Security Engineer
CoreTEC IT Security Solutions GmbH, FN 214709 z
Wiedner Hauptstr. 15, 1040 Wien, +43-1-5037273
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
CoreTEC: Web Application Audit - so that something like this does not happen!
http://heise.de/-1260559
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
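The three recommendations in the reply above (no AUTH on 25, AUTH on 587, AUTH only after STARTTLS) can be checked against what a server actually advertises in its EHLO reply. The following audit script is an added example, not code from the list or its author; the host, port numbers and the constructed EHLO replies are assumptions.

```python
"""Audit SMTP listeners against the policy: no AUTH on port 25, AUTH on
port 587 only, and AUTH advertised only after STARTTLS."""
import smtplib
import ssl

MTA_PORT, SUBMISSION_PORT = 25, 587  # assumed standard ports


def parse_ehlo(response: bytes) -> set:
    """Keywords advertised in a raw multi-line EHLO reply, e.g. {'STARTTLS', 'AUTH'}."""
    lines = [l for l in response.decode("ascii", "replace").splitlines()
             if l.startswith("250") and len(l) > 4]
    # first 250 line is the server greeting ("250-mx.example.org Hello"), not a capability
    return {line[4:].split()[0].upper() for line in lines[1:]}


def audit(port: int, before_tls: set, after_tls: set) -> list:
    """Return policy violations for one listener, given the capability sets seen
    before and after STARTTLS. An empty list means the listener is compliant."""
    problems = []
    if "STARTTLS" not in before_tls:
        problems.append(f"port {port}: STARTTLS not offered")
    if port == MTA_PORT and "AUTH" in (before_tls | after_tls):
        problems.append("port 25: AUTH offered (should be submission-only)")
    if port == SUBMISSION_PORT:
        if "AUTH" in before_tls:
            problems.append("port 587: AUTH offered before STARTTLS (credentials exposed)")
        if "AUTH" not in after_tls:
            problems.append("port 587: AUTH not offered after STARTTLS")
    return problems


def probe(host: str, port: int) -> list:
    """Live check of your own listener: collect EHLO features before and after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = {k.upper() for k in s.esmtp_features}
        after = set()
        if "STARTTLS" in before:
            s.starttls(context=ssl.create_default_context())
            s.ehlo()  # capabilities must be re-read after the TLS handshake
            after = {k.upper() for k in s.esmtp_features}
    return audit(port, before, after)


if __name__ == "__main__":
    # constructed EHLO reply of a server that violates the policy on port 25
    bad_25 = parse_ehlo(b"250-mx.example.org Hello\r\n250-SIZE 10240000\r\n"
                        b"250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n")
    print(audit(25, bad_25, {"SIZE", "AUTH"}))
```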