On Thu, 25 May 2017 03:02:39 -0400 Rick Leir <rl...@leirtech.com> wrote:
> On 2017-05-25 02:31 AM, Philip Paeps wrote:
> > On 2017-05-24 14:54:34 (+0200), Bastian Blank
> > <bastian+postfix-users=postfix....@waldi.eu.org> wrote:
> >> On Wed, May 24, 2017 at 02:41:01AM -0700, li...@lazygranch.com
> >> wrote:
> >>> You shouldn't be accepting sslv3 due to the poodle attack.
> >>> https://en.m.wikipedia.org/wiki/POODLE
> >>
> >> Please explain how exactly SMTP is exploitable using POODLE?
> >
> > There are other good reasons to disable SSLv3. But POODLE is a
> > distraction in the context of SMTP.
> In the context of a SASL login to send outgoing email, is it still a
> distraction?
>
> How about dovecot, logging in to receive email and clean up my inbox?
>
> As recommended by lazyG,
>
> http://disablessl3.com/
>
> > In general though, when it comes to SMTP, any encryption is better
> > than none. And opportunistic encryption is the way to go. Read
> > RFC 7435:
> >
> > https://tools.ietf.org/html/rfc7435
> Thanks!
>
> > Philip

This paper is a good read on email security. It goes into the various means that a man in the middle can reduce security, one of which is enabled by selecting opportunistic encryption. (Of which in all practicality you don't have a choice if you want maximum compatibility. I'm amazed at the lack of encryption in first world countries like Canada or the UK.)

"Neither Snow Nor Rain Nor MITM . . . An Empirical Analysis of Email Delivery Security"
https://jhalderm.com/pub/papers/mail-imc15.pdf

Video by one of the authors:
https://www.youtube.com/watch?v=_aogXeTbERs

Given the email issues in recent political campaigns, I'm seeing a number of articles suggesting setting up DMARC for quarantine. Most recent:
http://www.prnewswire.com/news-releases/bishop-fox-research-finds-98-of-the-top-million-internet-domains-are-potentially-vulnerable-to-email-spoofing-300461861.html

Specifically: "First, companies must safeguard their company's domain by checking the company's DNS records for SPF and DMARC. Make sure that the company's domain has a properly configured SPF record and a DMARC record with a policy of quarantine or reject. Then, use Spoofcheck to check if the domain is sufficiently protected."

Where http://spoofcheck.bishopfox.com/#!/ isn't exactly rocket science. It just reads your DMARC.
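As an added example (not code from this thread or from Bishop Fox's Spoofcheck), here is a small Python check that applies the rule quoted above to DMARC and SPF TXT records: it parses both records and reports whether a domain has an SPF record and a DMARC policy of quarantine or reject. The domain names and record values are constructed samples, and no DNS lookup is made.

```python
"""Judge a domain's spoofing protection from its DMARC and SPF TXT records,
using the rule quoted in the thread: SPF present, DMARC p=quarantine/reject."""

# Constructed sample TXT records, keyed by the DNS name they would live at.
SAMPLE_RECORDS = {
    "_dmarc.good.example": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@good.example; pct=100",
    "good.example": "v=spf1 include:_spf.good.example -all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "weak.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "none.example": "v=spf1 +all",
}

def parse_dmarc(txt):
    """Return tag -> value for a DMARC policy record, or None if it is not one
    (RFC 7489: 'v=DMARC1' must come first and the 'p' tag is mandatory)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        if "=" not in part:
            return None                   # malformed tag
        key, value = part.split("=", 1)   # values such as mailto: URIs may hold '='
        tags[key.strip().lower()] = value.strip()
    first = txt.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1" or "p" not in tags:
        return None
    return tags

def spf_all_qualifier(txt):
    """Return the qualifier ('+', '-', '~', '?') of the record's 'all' mechanism,
    or None if the text is not an SPF record or has no 'all' term."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            return t[0] if t[0] in "+-~?" else "+"   # bare 'all' means '+all'
    return None

def assess(domain, records):
    """Classify a domain; the quoted article wants SPF plus p=quarantine or p=reject."""
    dmarc = parse_dmarc(records.get("_dmarc." + domain, ""))
    spf_q = spf_all_qualifier(records.get(domain, ""))
    if dmarc is None:
        return "no DMARC record"
    policy = dmarc["p"].lower()
    if policy not in ("quarantine", "reject"):
        return f"DMARC p={policy} (monitor only)"
    if spf_q is None:
        return f"DMARC p={policy} but no SPF record"
    return f"protected: DMARC p={policy}, SPF {spf_q}all"
```

Running `assess("good.example", SAMPLE_RECORDS)` reports the domain as protected, while `weak.example` is flagged as monitor-only and `none.example` as having no DMARC record at all.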