[Ach] SMTP client mode ciphers

christian mock cm at coretec.at
Tue Nov 19 12:10:32 CET 2013

On Mon, Nov 18, 2013 at 06:51:00PM +0100, Pepi Zawodsky wrote:
> I second the motion for explanations why the distinction between SMTP and Submission is necessary. Many Mailservers accept MUA/MTA connections on 25 and still do not use submission.
> It might be an excellent opportunity to bring this infrastructure to use 587 with mandatory TLS and authentication and only accept MTA/MTA on 25/465 with opportunistic TLS.
> This would also fit the best-practice efforts.

IMHO there's a very compelling argument: on port 25 you must use
"better than plaintext" crypto, i.e. offer as broad a selection of
ciphersuites as possible.

That brings a risk when you also allow with AUTH LOGIN/AUTH PLAIN on
port 25.

So we definitely should recommend:

- no auth on 25
- strong ciphers, auth on 587
- make sure your mail server can be configured to not offer auth until
  after STARTTLS


Christian Mock                          Wiedner Hauptstr. 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273
FN 214709 z

CoreTEC: Web Application Audit - Damit so etwas nicht passiert!



More information about the Ach mailing list