[Ach] SMTP client mode ciphers
cm at coretec.at
Tue Nov 19 14:02:40 CET 2013
On Tue, Nov 19, 2013 at 12:55:32PM +0100, Wolfgang Breyha wrote:
> christian mock wrote, on 19.11.2013 12:10:
> > So we definitely should recommend:
> > - no auth on 25
> > - strong ciphers, auth on 587
> > - make sure your mail server can be configured to not offer auth until
> > after STARTTLS
> I started a "SMTP in general" chapter yesterday night, but didn't finish it
> for a final push. I tried to describe the three modes we discussed and what
> the recommended steps are to get a decent configuration for every mode.
> I would also recommend to separate MSA from MX at least by listening on
> different IPs. That's way better than "no auth on 25" since most MUAs still
So we'd agree "no auth on the MX server:port"?
> use that as default, since most servers still don't offer port 587. *sigh*
> And it gives way better options to filter spam differently, too.
IME, MUA configuration is a pain in the ass anyways, I don't think we
can make that any harder.
> If that's not possible your list looks fine, but I think it's pretty difficult
> or impossible to configure some parts in certain MTAs. It is possible with
> Exim, but not an easy task.
Shall we link to good HOWTOs for the basic task of splitting MX/MSA,
and just focus on "do that!" and the crypto part?
> The problem I see is that the SMTP chapter will get rather large and complex
> compared to every other topic. Don't know if this is intended.
I think it's important to get people to use the available features.
Still way too many MXen offering no opportunistic TLS, and too many
MSAs offering no encryption.
> Unfortunately I can't continue writing this chapter until Thursday evening.
Is the current state in any way push-able? Then please do...
Christian Mock Wiedner Hauptstr. 15
Senior Security Engineer 1040 Wien
CoreTEC IT Security Solutions GmbH +43-1-5037273
FN 214709 z
CoreTEC: Web Application Audit - So that something like this doesn't happen!
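The recommendations discussed in this thread (no AUTH on the MX port 25, STARTTLS everywhere, AUTH on the MSA port 587 only after STARTTLS) can be checked against a server's EHLO replies. The following is an added example written for this archive page; it is not code from the thread, from Wolfgang's chapter draft or from the project. The `audit()` policy function, the `parse_ehlo_reply()` helper and the host names ending in `.example.invalid` are all constructed for illustration; the EHLO replies embedded at the bottom are made up, not captured from any real server. `probe()` does a live check with Python's standard `smtplib` and is not exercised by the constructed data.

```python
"""Audit an SMTP endpoint against the MX/MSA split recommended in the thread:
no AUTH on the MX (port 25); on the MSA (port 587) AUTH only after STARTTLS.

Added example for this mailing-list page; not code from the thread or the project.
"""
import smtplib
import ssl
from typing import Optional

MX_PORT = 25
MSA_PORT = 587


def parse_ehlo_reply(reply: str) -> dict:
    """Turn the text of a 250 EHLO reply into {extension: parameters},
    mirroring smtplib's esmtp_features (lower-case keys). The first line
    (the server's greeting name) is skipped; '250-' / '250 ' prefixes are removed."""
    features = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if line[:3] == "250" and len(line) > 3 and line[3] in "- ":
            line = line[4:]
        keyword, _, params = line.partition(" ")
        features[keyword.lower()] = params.strip()
    return features


def audit(port: int, before_tls: dict, after_tls: Optional[dict]) -> list:
    """Return a list of policy findings (empty list = conforms).
    before_tls: extensions advertised on the plaintext EHLO.
    after_tls:  extensions advertised after STARTTLS, or None if TLS was not started."""
    findings = []
    if "starttls" not in before_tls:
        findings.append("no STARTTLS offered (opportunistic TLS impossible)")
    if port == MX_PORT:
        # The thread's rule is "no auth on the MX", before or after TLS.
        if "auth" in before_tls or (after_tls is not None and "auth" in after_tls):
            findings.append("AUTH offered on the MX port; move submission to 587")
    elif port == MSA_PORT:
        if "auth" in before_tls:
            findings.append("AUTH offered before STARTTLS; credentials could go in the clear")
        if after_tls is not None and "auth" not in after_tls:
            findings.append("no AUTH after STARTTLS; MSA unusable for clients")
    return findings


def probe(host: str, port: int, timeout: float = 10.0):
    """Live check: fetch EHLO features before and after STARTTLS.
    Certificate verification stays on, so a bad certificate surfaces as an SSLError."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # capabilities must be re-read after STARTTLS
            after = dict(smtp.esmtp_features)
    return before, after


# Constructed EHLO replies (not captured from any real server).
MX_BEFORE = parse_ehlo_reply(
    "250-mx.example.invalid\n250-SIZE 10240000\n250-STARTTLS\n250 8BITMIME")
MX_AFTER = parse_ehlo_reply(
    "250-mx.example.invalid\n250-SIZE 10240000\n250 8BITMIME")
MSA_BEFORE = parse_ehlo_reply("250-msa.example.invalid\n250 STARTTLS")
MSA_AFTER = parse_ehlo_reply(
    "250-msa.example.invalid\n250-STARTTLS\n250 AUTH PLAIN LOGIN")
# A misconfigured MSA that already advertises AUTH on the plaintext EHLO.
BAD_MSA_BEFORE = parse_ehlo_reply(
    "250-msa.example.invalid\n250-STARTTLS\n250 AUTH PLAIN LOGIN")

if __name__ == "__main__":
    for label, port, before, after in [
        ("MX", MX_PORT, MX_BEFORE, MX_AFTER),
        ("MSA", MSA_PORT, MSA_BEFORE, MSA_AFTER),
        ("MSA, AUTH before TLS", MSA_PORT, BAD_MSA_BEFORE, MSA_AFTER),
    ]:
        print(label, audit(port, before, after) or ["ok"])
```

Running the script prints `ok` for the first two constructed endpoints and one finding for the third; on a real host, `audit(port, *probe(host, port))` applies the same policy to live EHLO data.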