[Ach] Fwd: E-Mail Protocol Security Measurements

Dahlberg, David david.dahlberg at fkie.fraunhofer.de
Tue Jul 28 11:11:01 CEST 2015


Am Montag, den 27.07.2015, 21:44 +0200 schrieb Aaron Zauner:
>  * RC4 support is at about 83-85%

Well, until we decide globally not to accept any unencrypted e-mail
traffic any more, the decision is usually whether to accept
RC4/old-SSL/whatever or to fall back to plaintext.

>  * ~60% of certificates are self-signed

Maybe that changes a bit with the roll-out of Let's Encrypt. But as the
CA-System is broken anyway ...

What would be interesting to see is how many of those self-signed
certificates are backed with DANE. Probably not a lot. But if you
collect this datum, it could provide you a baseline for future
comparisons.

>  * a huge number of servers offer AUTH PLAIN (some without STARTTLS)

Where do you see the problem (with STARTTLS)?

ACH recommends AUTH PLAIN over STARTTLS and most other authentication
schemes require you to store the password rather than the hash.

>  * RC2-CBC-MD5 is supported by 40% of SMTP servers we've studied,
>  * IDEA-CBC-MD5 by 14%
> We've also found 5-6% support of export ciphers in these protocols.

I've also seen a few servers, that /only/ support export ciphers #-(

> If you have any questions regarding any of our scans or need data
> points for your drafts, recommendations or any current work - we'd be
> happy to help you out there as best as we can.

Maybe you should have a look at how many of the servers that support
SMTPS do not support STARTTLS on port 25 (MTA) or 287 (MSA)? Or put
differently: Is there still any valid reason to offer 465? According to
my limited experience there isn't. But OTOH I do not run a big mail
provider.

ACH gives SMTPS configuration examples only for exim, but not for
Postfix. If it could be proved that there are indeed no MTAs that
support 465, but no 25/STARTTLS, I would recommend removing 465 from
the exim config.

Cheers,
	David


-- 
David Dahlberg     

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany        | Fax: +49-228-856277
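Added example, not part of the thread or of any of the authors' tooling: a small Python module that classifies what an MTA's cleartext EHLO reply reveals (STARTTLS offered? AUTH PLAIN/LOGIN advertised before TLS, the case Aaron flags?) and performs the 465-versus-25 comparison David proposes for servers you operate yourself. The EHLO replies, hostnames and addresses in it are constructed for illustration; `probe()` is the only part that touches the network and is assumed to be pointed at your own hosts.

```python
"""Classify cleartext EHLO capabilities and compare SMTPS (465) with STARTTLS (25).
Sample replies and hostnames below are constructed, not captured from real servers."""
import smtplib
import ssl
from typing import Dict, List


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Parse a raw multi-line EHLO reply (as seen on the wire or in a capture)
    into {KEYWORD: [params]} per RFC 5321 section 4.1.1.1.  The first line
    carries the server's domain and greeting and is not a capability."""
    caps: Dict[str, List[str]] = {}
    lines = reply.strip().splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    for index, line in enumerate(lines):
        if not (line[:3].isdigit() and line[3:4] in ("-", " ")):
            raise ValueError(f"malformed EHLO line: {line!r}")
        if index == 0:
            continue
        words = line[4:].split()
        if not words:
            continue
        # Keywords are case-insensitive; "AUTH=PLAIN" is an old spelling some
        # servers still emit next to the RFC 4954 "AUTH PLAIN ..." form.
        keyword, params = words[0].upper(), [w.upper() for w in words[1:]]
        if keyword.startswith("AUTH="):
            keyword, params = "AUTH", [keyword[5:]] + params
        caps.setdefault(keyword, []).extend(params)
    return caps


def classify_cleartext_ehlo(caps: Dict[str, List[str]]) -> str:
    """Label what the unencrypted EHLO reveals.  Only PLAIN and LOGIN send the
    password itself; they are fine after STARTTLS (David's point) and a problem
    when STARTTLS is not offered at all (Aaron's observation)."""
    starttls = "STARTTLS" in caps
    password_auth = bool(set(caps.get("AUTH", [])) & {"PLAIN", "LOGIN"})
    if password_auth and not starttls:
        return "plain-auth-no-starttls"      # credentials can only travel in the clear
    if password_auth:
        # STARTTLS offered, but PLAIN/LOGIN already listed on the cleartext EHLO;
        # whether AUTH is actually refused before STARTTLS needs a second check.
        return "plain-auth-before-starttls"
    if starttls:
        return "starttls"                    # any auth is offered only after TLS
    return "no-starttls"                     # plaintext-only server


def compare_ports(starttls_on_25: bool, smtps_on_465: bool) -> str:
    """The comparison David asks for: a server that speaks SMTPS on 465 while
    offering no STARTTLS on 25 is the only case that justifies keeping 465."""
    if smtps_on_465 and not starttls_on_25:
        return "smtps-only"
    if smtps_on_465:
        return "both"
    if starttls_on_25:
        return "starttls-only"
    return "neither"


def probe(host: str, timeout: float = 10.0) -> str:
    """Live check of one host you operate (network call; not exercised by tests).
    Uses smtplib's own EHLO parsing (has_extn) instead of parse_ehlo."""
    with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
        smtp.ehlo("probe.example.invalid")   # constructed EHLO name
        starttls_on_25 = smtp.has_extn("starttls")
    smtps_on_465 = False
    try:
        ctx = ssl.create_default_context()
        # Reachability probe, not a trust decision: the thread reports ~60%
        # self-signed certificates, which strict verification would count as "down".
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with smtplib.SMTP_SSL(host, 465, timeout=timeout, context=ctx):
            smtps_on_465 = True
    except (OSError, smtplib.SMTPException):
        pass
    return compare_ports(starttls_on_25, smtps_on_465)


# Constructed sample replies (no real servers involved).
REPLY_PLAIN_NO_TLS = (
    "250-mta1.example.test Hello probe.example.invalid [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)
REPLY_TLS_ONLY_AUTH = (
    "250-mta2.example.test Hello probe.example.invalid [192.0.2.10]\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)

if __name__ == "__main__":
    for reply in (REPLY_PLAIN_NO_TLS, REPLY_TLS_ONLY_AUTH):
        print(classify_cleartext_ehlo(parse_ehlo(reply)))
```

Over a scan's worth of captured EHLO replies, `classify_cleartext_ehlo` gives the "AUTH PLAIN without STARTTLS" count directly; `compare_ports` over the 25/465 results answers whether any "smtps-only" hosts exist before dropping 465 from a configuration example.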

