[Ach] Fwd: E-Mail Protocol Security Measurements

Sebastian sebix at sebix.at
Tue Jul 28 22:29:01 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 07/28/2015 09:21 PM, micah wrote:
> Aaron Zauner <azet at azet.org> writes:
>
>>> Maybe you should have a look at how many of the servers that support
>>> SMTPS do not support STARTTLS on port 25 (MTA) or 287 (MSA)? Or put
>>> differently: Is there still any valid reason to offer 465? According to
>>> my limited experience there isn't. But OTOH I do not run a big mail
>>> provider.
>>
>> 465 has been deprecated by IANA back a long time ago ('98 if I remember
>> correctly). You should use 587.
>>
>> Implicit TLS is still a better choice than STARTTLS in my opinion
>> (stripping, filtering..).
>
> I don't understand why both XMPP and SMTP decided to go the route of
> deprecating tls-wrapped options and instead only do STARTTLS. This seems
> like a wrong approach.
>
> Even though 465 was deprecated by the IANA a long time ago, it's still
> widely used for wrapped TLS. In fact, I use it for that purpose because
> I don't want to support a downgrade attack STARTTLS option.
In either case you don't know if the other server supports it, in case
you never connected to that particular host. The problem is the same IMHO.
You can ask an authority (DNS or other lists) which server should
support SMTPS or STARTTLS. But then you have the authority problem like
with CAs.
One possibility is to remember what the server supported last time, a
similar approach to CertPatrol. But again that's no real solution.

Implementing/deploying TLS wrappers is easier than STARTTLS, yes.
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
> --
> python programming - mail server - photo - video - https://sebix.at
> To verify my cryptographic signature or send me encrypted mails, get my
> key at https://sebix.at/DC9B463B.asc and on public keyservers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-----END PGP SIGNATURE-----
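The "remember what the server supported last time" idea from the post, written out as an added example (this is not code from the thread or from any of its authors). It parses a multi-line EHLO reply for the STARTTLS keyword and keeps a trust-on-first-use cache per host: if a host that previously advertised STARTTLS suddenly stops doing so, the client refuses to fall back to cleartext instead of silently downgrading. The host name, the two EHLO replies and the `StartTlsMemory` class are all constructed for the example; the first-contact case is left as the open problem the post describes, since the cache has nothing to compare against yet.

```python
"""Trust-on-first-use memory of STARTTLS support, as a downgrade detector."""
import re
from typing import Dict, Optional, Set

# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
# Same server, but with the STARTTLS line missing from the capability list,
# which is what a stripping middlebox makes the client see.
EHLO_STRIPPED = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250 HELP\r\n"
)


def ehlo_keywords(response: str) -> Set[str]:
    """Return the EHLO keywords advertised in a 250 multi-line reply.

    The first line carries the server domain and greeting rather than a
    keyword (RFC 5321 section 4.1.1.1), so it is skipped.
    """
    keywords: Set[str] = set()
    for line in response.splitlines()[1:]:
        m = re.match(r"^250[ -](\S+)", line)
        if m:
            keywords.add(m.group(1).upper())
    return keywords


class StartTlsMemory:
    """Hypothetical per-host cache of whether STARTTLS was ever offered."""

    def __init__(self, store: Optional[Dict[str, bool]] = None) -> None:
        # host -> True if STARTTLS was seen at least once, False if never.
        self.seen: Dict[str, bool] = dict(store or {})

    def decide(self, host: str, ehlo_response: str) -> str:
        """Decide how to proceed after EHLO.

        Returns one of:
          "starttls"                - server offers STARTTLS, upgrade now
          "refuse"                  - STARTTLS was offered before but is gone,
                                      treat as possible stripping and stop
          "cleartext-first-contact" - never seen this host, no basis to judge
          "cleartext"               - host is known never to offer STARTTLS
        """
        offers = "STARTTLS" in ehlo_keywords(ehlo_response)
        remembered = self.seen.get(host)
        if offers:
            self.seen[host] = True  # remember the capability for next time
            return "starttls"
        if remembered is True:
            return "refuse"
        if remembered is None:
            self.seen[host] = False
            return "cleartext-first-contact"
        return "cleartext"


if __name__ == "__main__":
    memory = StartTlsMemory()
    host = "mail.example.test"
    for reply in (EHLO_STRIPPED, EHLO_WITH_STARTTLS, EHLO_STRIPPED):
        print(host, "->", memory.decide(host, reply))
```

The third decision in the demo is the interesting one: the same stripped reply that was tolerated on first contact is refused once the cache knows the host can do STARTTLS. Persisting `memory.seen` across runs is what turns this into the CertPatrol-style behaviour the post mentions; without persistence every connection is a first contact.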