
posted by martyb on Monday November 02 2015, @01:19PM   Printer-friendly
from the ask-and-ye-might-not-receive dept.

http://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automatically-encrypt-your-sensitive-e-mails/

This isn't really new news, but improperly configured mail services result in lots of privacy holes across the Internet.

STARTTLS is used to upgrade an unencrypted connection to an encrypted SSL/TLS connection. The problem is that if the upgrade fails, many mail clients will proceed to send mail on the unencrypted connection.

For any sysadmins (technical info):

Unfortunately, the situation is somewhat sticky. I suggest reading carefully the TLS/SSL section of https://wiki.debian.org/PostfixAndSASL as well as the STARTTLS RFC http://tools.ietf.org/html/rfc2487

Public email servers should not require STARTTLS (that is, encryption) on port 25 (smtp). Furthermore, there is no guarantee that all of the mail servers during transit of an email use encryption. Thus, you should assume your email is transmitted unencrypted, until a better solution emerges. You can always use OpenPGP to encrypt the body of your email, which should become commonplace shortly after Hurd achieves market dominance.
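As an added example (not code from this story or from the Ars Technica article it links), here is a small Python client that does the opposite of the fallback behaviour described above: it parses the EHLO reply, and it only sends after a certificate-verified STARTTLS upgrade, refusing cleartext delivery when the advertisement is missing or the handshake fails. The hostname, addresses and both EHLO replies are constructed for the example, not captured from any real server; the "stripped" reply models the case where the STARTTLS line never reaches the client.

```python
"""Fail-closed STARTTLS client check.

Added example, not code from the story or the article it links. It shows
the opposite of the fallback behaviour described above: if the upgrade is
not offered or fails, nothing is sent in the clear.
"""
import smtplib
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class TransportDecision:
    starttls_offered: bool
    proceed: bool
    reason: str


def parse_ehlo_extensions(ehlo_reply: str) -> set:
    """Return the extension keywords advertised in a raw EHLO reply.

    Each line is '250-KEYWORD ...' (continuation) or '250 KEYWORD ...' (last).
    The first line carries the server's greeting, not an extension, so skip it.
    """
    lines = [ln for ln in ehlo_reply.splitlines() if ln.strip()]
    exts = set()
    for ln in lines[1:]:
        if ln[:3] != "250":
            continue
        body = ln[4:].strip()  # drop '250-' / '250 '
        if body:
            exts.add(body.split()[0].upper())
    return exts


def decide_transport(ehlo_reply: str, require_tls: bool = True) -> TransportDecision:
    """Decide, before any message data is sent, whether this session may carry it."""
    offered = "STARTTLS" in parse_ehlo_extensions(ehlo_reply)
    if offered:
        return TransportDecision(True, True, "STARTTLS offered; upgrade before sending")
    if require_tls:
        return TransportDecision(False, False, "STARTTLS not offered; refusing cleartext delivery")
    return TransportDecision(False, True, "STARTTLS not offered; opportunistic policy permits cleartext")


def send_fail_closed(host: str, port: int, sender: str, recipient: str,
                     message: str, require_tls: bool = True) -> None:
    """Network path (needs a reachable server, so it is not exercised offline).

    smtplib raises on a failed TLS handshake instead of silently continuing,
    and the context manager then closes the socket, so there is no fallback.
    """
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()  # re-EHLO after the upgrade, as RFC 3207 (successor of RFC 2487) requires
        elif require_tls:
            raise smtplib.SMTPException("STARTTLS not offered; refusing cleartext delivery")
        smtp.sendmail(sender, [recipient], message)


# Constructed sample replies (not captured from a real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
# The same reply with the STARTTLS line missing, as an in-path device that
# strips the advertisement would leave it.
EHLO_STRIPPED = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 10240000\r\n"
    "250 HELP\r\n"
)


if __name__ == "__main__":
    for name, reply in (("normal", EHLO_WITH_STARTTLS), ("stripped", EHLO_STRIPPED)):
        for policy in (True, False):
            d = decide_transport(reply, require_tls=policy)
            print(f"{name:8} require_tls={policy!s:5} -> proceed={d.proceed} ({d.reason})")
```

Running the block prints the four policy outcomes; the only combination that ends in cleartext is a stripped reply under an opportunistic (`require_tls=False`) policy, which is exactly the downgrade the story warns about. For the implicit-TLS ports a later comment mentions (SMTPS on 465), `smtplib.SMTP_SSL` opens TLS before the first SMTP command, so there is no upgrade step to fail. The server-side analogue for outbound relaying is the Postfix `smtp_tls_security_level` setting covered on the Debian wiki page linked above.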


Editor's Note: How-to articles for various flavors of Microsoft Exchange can be found at MSExchange.org.

  • (Score: 5, Informative) by frojack on Monday November 02 2015, @04:23PM

    by frojack (1554) on Monday November 02 2015, @04:23PM (#257565) Journal

    We covered this quite extensively, some months ago.

    At the time the story was about some ISPs stripping off the indication that the sender requested STARTTLS, or that the smtp server supported it, causing the mail to be transported in the clear.

    But STARTTLS has always been simply a request, and not a demand, and even the relevant RFC states it is not mandatory. (Yeah, I got modded to hell for pointing that out back then too).

    If you use secure imap, or secure pop, you connect via different ports (993 and 465) and encryption is not optional. Mail will either travel encrypted or not at all. Google, Yahoo, Apple, Yandex all use this method.

    At least for the first hop, mail and credentials are encrypted.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 3, Interesting) by edIII on Monday November 02 2015, @08:08PM

    by edIII (791) on Monday November 02 2015, @08:08PM (#257662)

    Well, you're +4 Informative now.

    > At least for the first hop, mail and credentials are encrypted.

    The reason why the next ones may not be as likely to be encrypted is backwards compatibility, and IMO, a paradigm that is to deliver the mail at nearly all costs. All of the timeouts, waits, and retries seem to be for a system that is not very robust or reliable at all. About the only thing that can take mail servers out for 4 days is DNS errors. Otherwise, setting up redundant mail servers isn't terribly difficult or expensive these days. I believe you could operate a 15 user mail server easily for $5/month probably. I'm spending $30, but that's redundant servers, proxies, and my extended family on it. The real problem I guess is that not many people get too far into SMTP/IMAP beyond simple web based wizard configurations, and completely forget to administrate at all.

    I don't even have the option to require all SMTP traffic to be encrypted, just that client connections be encrypted. It would take somebody like Google to start blocking all unencrypted mail traffic to their servers to make a real change. That might allow smaller entities the justification they need to adopt the same policy, which my current mail server doesn't even support *yet*. It's stupid, but I know it will be effective to tell an executive, "But they can't email Google either. Of course it's their screw up".

    The times I've tried to really lock a mail server down, I always get 2 or 3 domains that are a nightmare of SMTP administration that require me to make exceptions. Like adding to white-lists (terrible practice), or water down the security by allowing improper rDNS values and mismatched banners.

    I've had a decent sized bank look no different than a Nigerian scammer as far as their mail server was concerned. Unencrypted, failed SPF, no reverse DNS, banner mismatches, you name it. If I can't lock down because a mail client needs access to their bank, how can I draw a line in the sand and demand encrypted everything to my server?

    We will see widespread encryption of the mail body before we see servers automatically encrypting emails between each other as a requirement.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 2) by frojack on Monday November 02 2015, @09:26PM

      by frojack (1554) on Monday November 02 2015, @09:26PM (#257696) Journal

      > Unencrypted, failed SPF, no reverse DNS, banner mismatches,

      It's amazing how many places won't accept mail from Joe Random User. I end up forwarding all outbound through my hosting site, even though my MX points to my local Linux mail server for receipt. Even with a static IP and a certificate, some places will bounce your mail if your reverse even looks a little bit generic, and my current ISP will not let me control the reverse. The best they offer is a "BusinessClass" label in the reverse.

      As for encryption, there is something to be said for webmail. It's usually all HTTPS, and it's the easiest way to have Mom's mail set up.

      I have opportunistic encryption set up on Thunderbird+Enigmail and it really isn't a problem to use. The Setup Wizard will pretty much do the whole thing these days, including setting up a key pair.

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Tuesday November 03 2015, @11:22PM

      by Anonymous Coward on Tuesday November 03 2015, @11:22PM (#258190)

      > I don't even have the option to require all SMTP traffic to be encrypted, just that client connections be encrypted.

      https://www.checktls.com/

      This site will at least let you test if the last outbound hop before delivery is encrypted. I found out that my hosting provider was not doing that despite accepting encrypted incoming smtp connections.