[Ach] Fwd: E-Mail Protocol Security Measurements

Aaron Zauner azet at azet.org
Tue Jul 28 14:52:44 CEST 2015


Dahlberg, David wrote:
> Maybe that changes a bit with the roll-out of Let's Encrypt. But as the
> CA-System is broken anyway ...
> What would be interesting to see is how many of those self-signed
> certificates are backed with DANE. Probably not a lot. But if you
> collect this datum, it could provide you a baseline for future
> comparisons.

It depends on the protocol but it's not easy to collect DNS related data
on pure IP scans. With DNS round-robin, load balancers, large
multi-server infrastructures and all of it would be handwaving to infer
anything based on reverse DNS resolution.

We're not scanning based on host lists, we're scanning based on (all v4)
IP addresses.

Also; although the DANE spec is pretty nice - I don't see DNSSEC as a
viable alternative to the CA infrastructure we have currently. I'd
rather see public key pinning and certificate transparency, at least
there's some hope for reasonable deployment.

Unfortunately TACK (tack.io) is pretty much dead and there is zero
interest within IETF in reviving it (there's like 4-5 other people and
myself but that's it as far as I can tell).

> Where do you see the problem (with STARTTLS)?
> ACH recommends AUTH PLAIN over STARTTLS and most other authentication
> schemes require you to store the password rather than the hash.

Sebastian explained that already to some extent. Of course the numbers
of hosts without STARTTLS support announcing AUTH PLAIN are more

> Maybe you should have a look at how many of the servers that support
> SMTPS do not support STARTTLS on port 25 (MTA) or 287 (MSA)? Or put
> differently: Is there still any valid reason to offer 465? According to
> my limited experience there isn't. But OTOH I do not run a big mail
> provider.

465 has been deprecated by IANA back a long time ago ('98 if I remember
correctly). You should use 587.

Implicit TLS is still a better choice than STARTTLS im my opinion
(stripping, filtering..).

> ACH gives SMTPS configuration examples only for exim, but not for
> Postfix. If it could be proved that there are indeed no MTAs that
> support 465, but no 25/STARTTLS, I would recommend removing 465 from
> the exim config.

Thanks for the feedback. I'm no authority on that. We see a huge number
of hosts still running mail services these legacy ports.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150728/2f307efc/attachment.sig>

More information about the Ach mailing list