[Ach] SMTP client mode ciphers

christian mock cm at coretec.at
Tue Nov 19 14:02:40 CET 2013

On Tue, Nov 19, 2013 at 12:55:32PM +0100, Wolfgang Breyha wrote:
> Hi!
> christian mock wrote, on 19.11.2013 12:10:
> > So we definitely should recommend:
> > - no auth on 25
> > - strong ciphers, auth on 587
> > - make sure your mail server can be configured to not offer auth until
> >   after STARTTLS
> I started an "SMTP in general" chapter last night, but didn't finish it
> for a final push. I tried to describe the three modes we discussed and what
> the recommended steps are to get a decent configuration for every mode.
> I would also recommend separating MSA from MX, at least by listening on
> different IPs. That's way better than "no auth on 25" since most MUAs still

So we'd agree "no auth on the MX server:port"?

> use that as default, since most servers still don't offer port 587. *sigh*
> And it gives way better options to filter spam differently, too.

IME, MUA configuration is a pain in the ass anyways, I don't think we
can make that any harder.

> If that's not possible your list looks fine, but I think it's pretty difficult
> or impossible to configure some parts in certain MTAs. It is possible with
> Exim, but not an easy task.

Shall we link to good HOWTOs for the basic task of splitting MX/MSA,
and just focus on "do that!" and the crypto part?

> The problem I see is that the SMTP chapter will get rather large and complex
> compared to every other topic. Don't know if this is intended.

I think it's important to get people to use the available features.
Still way too many MXen offering no opportunistic TLS, and too many
MSAs offering no encryption.

> Unfortunately I can't continue writing this chapter until Thursday evening.

Is the current state in any way push-able? Then please do...


Christian Mock                          Wiedner Hauptstr. 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273
FN 214709 z

CoreTEC: Web Application Audit - So that something like this doesn't happen!
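One way to express the three recommendations discussed above (no AUTH on the MX port, AUTH only after STARTTLS on 587, strong ciphers) in Exim, added here as an example that is not from the Ach document or any real configuration. It assumes Exim 4.80 or later linked against OpenSSL; the certificate paths and the cipher string are assumptions.

```exim
# Constructed example (not from the Ach document or the Exim project):
# MX service on 25 without AUTH, MSA on 587 with AUTH only after STARTTLS.
# Separating MX and MSA by IP instead would use local_interfaces.
daemon_smtp_ports = 25 : 587

# Offer STARTTLS to everyone on both ports (opportunistic TLS on the MX).
tls_advertise_hosts = *
tls_certificate = /etc/exim/mail.example.org.crt   # assumed paths
tls_privatekey  = /etc/exim/mail.example.org.key

# OpenSSL cipher string; assumes an OpenSSL-linked Exim (GnuTLS builds
# take a priority string instead).
tls_require_ciphers = HIGH:!aNULL:!MD5:!RC4

# Weak setting: "auth_advertise_hosts = *" advertises AUTH on every port
# and before STARTTLS, so a MUA may send its password in the clear on 25.
# Hardened: advertise AUTH only on the submission port and only once the
# session is TLS-protected ($tls_in_cipher is empty until STARTTLS).
auth_advertise_hosts = ${if and {{eq{$received_port}{587}}{def:tls_in_cipher}} {*}{}}

# Go one step further on 587: refuse MAIL FROM on an unencrypted session,
# so a client that skips STARTTLS cannot submit at all.
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  deny   condition  = ${if eq{$received_port}{587}}
         !encrypted = *
         message    = TLS is required on the submission port
  accept
```

Routers, transports and authenticators are omitted; the fragment only shows the main-section options and the one ACL that implement the policy.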