[Ach] Fwd: E-Mail Protocol Security Measurements

Sebastian sebix at sebix.at
Tue Jul 28 13:21:30 CEST 2015


Hi,

On 07/28/2015 11:11 AM, Dahlberg, David wrote:
> Am Montag, den 27.07.2015, 21:44 +0200 schrieb Aaron Zauner:
>>  * RC4 support is at about 83-85%
>
> Well, until we decide globally not to accept any unencrypted e-mail
> traffic any more, the decision is usually whether to accept RC4/old
> -SSL/whatever or to fall back to plaintext.
We need to get reasonable default configs in server and client
software. AFAIK one of the primary goals of bettercrypto is to become
obsolete.
>>  * a huge number of servers offer AUTH PLAIN (some without STARTTLS)
>
> Where do you see the problem (with STARTTLS)?
>
> ACH recommends AUTH PLAIN over STARTTLS and most other authentication
> schemes require you to store the password rather than the hash.
A hashed password over a secure channel is still safer than an
unencrypted password on a secure channel. In case of vulnerabilities in
the server's software or a successful MITM attack, Eve has the plain
password. An encrypted pw is still useless.

However, some conditions may prevent you from using hashed passwords,
e.g. the usage of PAM for authentication, as in my case.
>> If you have any questions regarding any of our scans or need data
>> points
>> for your drafts, recommendations or any current work - we'd be happy
>> to
>> help you out there as best as we can.
>
> Maybe you should have a look at how many of the servers that support
> SMTPS do not support STARTTLS on port 25 (MTA) or 287 (MSA)? Or put
> differently: Is there still any valid reason to offer 465? According to
> my limited experience there isn't. But OTOH I do not run a big mail
> provider.
>
> ACH gives SMTPS configuration examples only for exim, but not for
> Postfix. If it could be proved that there are indeed no MTAs that
> support 465, but no 25/STARTTLS, I would recommend removing 465 from
> the exim config.
Either we remove it, or we add it to postfix and add a note in the text
and in the conf file that 465 is deprecated.
But stats would be nice, if it's possible to get them.

-- 
python programming - mail server - photo - video - https://sebix.at
To verify my cryptographic signature or send me encrypted mails, get my
key at https://sebix.at/DC9B463B.asc and on public keyservers.
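As an added illustration of the survey question raised above (not code from this thread or from the bettercrypto/ACH project): a small Python audit that parses an EHLO response and flags the two conditions the thread names, AUTH PLAIN/LOGIN advertised on the cleartext connection and no STARTTLS offered at all. The EHLO strings are constructed samples; `probe()` is a hypothetical live check against a host you supply and needs network access.

```python
"""Audit what an SMTP server advertises before TLS has been negotiated."""
import smtplib
import ssl

# Constructed EHLO responses for the examples below (not captured from real servers).
EHLO_CLEAR_OK = "250-mx.example.test\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_CLEAR_BAD = "250-mx.example.test\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"


def parse_ehlo(text):
    """Map EHLO keywords (upper-cased) to their parameter lists; the greeting line is skipped."""
    caps = {}
    for line in text.splitlines()[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.split()
    return caps


def assess_cleartext_ehlo(caps):
    """Findings for a capability set seen on the unencrypted (pre-STARTTLS) connection."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    plain = sorted({m.upper() for m in caps.get("AUTH", [])} & {"PLAIN", "LOGIN"})
    if plain:
        findings.append("cleartext AUTH offered before STARTTLS: " + " ".join(plain))
    return findings


def probe(host, port=25, timeout=10):
    """Live check (hypothetical helper, needs network): findings on the cleartext EHLO,
    plus the capabilities advertised again after STARTTLS (None if it was not offered)."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
        after = None
        if s.has_extn("starttls"):
            s.starttls(context=ctx)
            s.ehlo()                     # capabilities may differ once the channel is encrypted
            after = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
    return assess_cleartext_ehlo(before), after
```

Run over a list of MX hosts, `probe()` yields the kind of per-server data point the thread asks for: whether AUTH is only ever offered after STARTTLS, and whether STARTTLS is offered on 25 at all.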

