Martin Lambers:
> First, you need a convincing reason to add a feature; the lack of a convincing reason *not* to add it is not sufficient.

Okay. I would use SHA-512 if I could use it. :)

> For SHA-3, the same as above applies, but additionally msmtp/mpop should always use the appropriate GnuTLS (or OpenSSL) function to get a fingerprint and should never implement fingerprint calculation themselves. That can only lead to trouble.

I agree.

> But msmtp/mpop do not do this: they will never fall back to unencrypted SMTP/POP.

Ah, I was not aware of the no-fallback. There have been quite a few cases of ISPs just filtering out "StartTLS" from clients to MTAs:
https://www.techdirt.com/blog/netneutrality/articles/20141012/06344928801/revealed-isps-already-violating-net-neutrality-to-block-encryption-make-everyone-less-safe-online.shtml
http://www.heise.de/newsticker/meldung/Eingriff-in-E-Mail-Verschluesselung-durch-Mobilfunknetz-von-O2-206233.html

>> Proper TLS beats StartTLS hands-down.
> I don't think that is true in general. Do you have any information that supports this claim?

Well, one core argument is the downgrade attack. But someone wrote more about it here: https://www.agwa.name/blog/post/starttls_considered_harmful

> Msmtp should now default to the mail submission port 587, with TLS enabled (note that this *requires* STARTTLS). That would require changing the defaults for 'port' and 'tls'. For mpop, only the second applies.

I would welcome a change, but would propose SMTPS on port 465 instead: again, no StartTLS. But our disagreement is not that relevant, because:

> The problem is that 'tls on' as a default does not simply work, because you need at least 'tls_trust_file', and that is unfortunately different everywhere.

That's a very valid point and enough to make me withdraw my proposal. :)

Thanks for all your work again!

--
ilf

Over 80 million Germans do not use a console. Don't click away!
                -- An initiative of the Federal Office for Keyboard Use
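
The no-fallback behaviour and the STARTTLS filtering discussed in this thread, as an added example that is not part of the original message and is not msmtp's own code: a client-side check that treats a missing STARTTLS capability as fatal instead of continuing in cleartext. The function names, the exception and the sample EHLO replies are constructed for illustration.

```python
import re


class TLSRequiredError(Exception):
    """TLS was required but the server did not offer STARTTLS."""


def parse_ehlo(reply):
    """Return the upper-cased extension keywords of a multi-line EHLO reply."""
    keywords = set()
    for index, line in enumerate(reply.strip().splitlines()):
        match = re.fullmatch(r"250([ -])(.*)", line)
        if match is None:
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        text = match.group(2).strip()
        if index > 0 and text:  # line 0 is the greeting, not an extension
            keywords.add(text.split()[0].upper())
    return keywords


def choose_transport(ehlo_reply, tls_required=True):
    """Decide how to continue after EHLO on a STARTTLS port such as 587.

    tls_required=True is the fail-closed policy: never fall back.
    tls_required=False is opportunistic TLS, which a filtered EHLO
    reply silently downgrades to cleartext.
    """
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return "starttls"
    if tls_required:
        raise TLSRequiredError("STARTTLS not advertised; refusing to send")
    return "plaintext"


# Constructed sample replies: the second has the STARTTLS line filtered out
# in transit, while AUTH is still offered on the unencrypted channel.
EHLO_INTACT = (
    "250-mail.example.org\r\n250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 HELP\r\n"
)
EHLO_FILTERED = (
    "250-mail.example.org\r\n250-SIZE 52428800\r\n"
    "250-AUTH PLAIN LOGIN\r\n250 HELP\r\n"
)

if __name__ == "__main__":
    print(choose_transport(EHLO_INTACT))
    print(choose_transport(EHLO_FILTERED, tls_required=False))
```

With implicit TLS (SMTPS on port 465) this decision point does not exist, because the TLS handshake happens before any SMTP line is exchanged.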
