Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-31 Thread Bryan Fields via mailop
On 8/30/20 1:54 PM, Ángel via mailop wrote:
> Other offenders include nanog, 

Have you mentioned this to the nanog admins?  I'm sure there's some interest
in that.

-- 
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-30 Thread Ángel via mailop
On 2020-08-27 at 12:25 +1200, Mark Foster via mailop wrote:
> I think the option of forcing TLS within a closed community is fine.
> I think the option of forcing TLS on the wide-wide-internet is a
> minefield for anyone who needs to communicate outside of a relatively
> closed network...

While on this topic, it would be nice if the mailop mailing list started
using STARTTLS when delivering the list emails.

Other offenders include nanog, ca/browser forum, moderncrypto.org,
several gpg mailing lists... ☹


And STARTTLS *sending* is much easier than receiving, where you at
least need a dumb certificate. Let's not start discussion on requiring
CA-signed certificates, TLS ≥ 1.2 or MTA-STS.


Interestingly, some of those servers, while not using STARTTLS
themselves, do support it for receiving (apparently being handled by
the same host). So it's just a matter of (mis)configuration (?)


Maybe it's time to add a milter which automatically prepends to every
message not sent with starttls: «WARNING: This message was
NOT transmitted securely given the lack of support of example.com mail
server. It may have been seen, copied and modified in-transit in an
undetectable way.»


Cheers




Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Mark Foster via mailop
I think the option of forcing TLS within a closed community is fine. 

I think the option of forcing TLS on the wide-wide-internet is a
minefield for anyone who needs to communicate outside of a relatively
closed network... because Email supports fall-back-to-plain-text by
design, and it's hard to mandate that someone else adhere to an ideal
standard if they, at the end of the day, 'don't have to'. 

Or to put it another way, I have to work on the assumption that when it
leaves my controlled domain, it could wind up transiting a plain-text
communications link. Opportunistic TLS covers >99% of my email, but I
have to plan for the 1%.  There's no assurance. 

Until there is, because literally everyone can be assumed to have it. 

It might be a better win to start by using TLS transit as a spam scoring
mechanism... reduce the priority or deliverability of email that
originates from a non-TLS platform.. consequences that aren't the same
as a black-and-white refusal might be enough to compel a change in
behavior. 

Email for me is still a fundamentally untrusted information exchange
medium, if I have a real requirement for security I'm going to have to
add layers on top.  And because of that, I can officially 'not care'
about a failure to support STARTTLS, because I always assume that'll
probably be the case at some stage anyway. 

Regards,
Mark. 

On 2020-08-27 08:33, Scott Mutter via mailop wrote:

> Well, I really just wanted to see what the rest of the community was doing in 
> regards to this.  Seems the resounding answer is a "prefer TLS, but don't 
> disqualify if no TLS" or "opportunistic" TLS. 
> 
> However, experience has also taught me, if you don't force people to make 
> changes then they're not going to change.  In regards to that, maybe this 
> never becomes an issue.  But if the point is to go all TLS all the time, 
> you're going to have to publicly shame those that are dragging their feet or 
> just cut off communication with them entirely.  Maybe some of the 
> administrators to these mail servers don't realize that their mail servers 
> aren't handling STARTTLS and bringing awareness to that (in the form of their 
> users not receiving all of their emails) is a way to light a fire under them. 
> 
> I just wanted to gauge what other mail server administrators were doing in 
> regards to this.  The response is kind of what I expected, but the shift in 
> wanting TLS and encryption on every connection, kind of made me question what 
> the response would be. 
> 
> On Wed, Aug 26, 2020 at 3:02 PM Michael Orlitzky via mailop 
>  wrote: 
> 
>> On 2020-08-26 12:50, Scott Mutter via mailop wrote:
>>> I've been toying with the idea of forcing outbound SMTP connections to
>>> use TLS, but thought I'd take a quick look and see who might miss mail
>>> if this is done. 
>> 
>> This sounds good at first but if you make a flow chart, all paths lead
>> to either "nothing changes" or "shoot yourself in the foot." There's no
>> scenario that I know of where forcing TLS (as opposed to "opportunistic"
>> TLS) improves anything.


Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Tim Bray via mailop

On 26/08/2020 21:33, Scott Mutter via mailop wrote:
> I just wanted to gauge what other mail server administrators were
> doing in regards to this.  The response is kind of what I expected,
> but the shift in wanting TLS and encryption on every connection, kind
> of made me question what the response would be.


My mail admin is for a small corporate.

I did some work last year and at the start of this year to look at the 
mix of TLS flavours and non-TLS we get.


The majority of email uses TLS1.2 or better.

We did find 3 or 4 regular customers and suppliers stuck with TLSv1.   
Usually onsite MS Exchange servers.   We had a chat and they all 
upgraded pretty sharpish.  (not sure what their IT support people have 
been doing for the past many years)


Inbound, almost everything useful has some kind of TLS. Exceptions are a 
mailing list a few people are subscribed to.


Outbound, less so.

I decided we would miss out on orders and enquiries if we mandated 
TLS1.2.   We publish MTA-STS.


I did wonder whether I could look at changing inbound subjects to 
`insecure` for email delivered with less than TLSv1.2


I'm not sure how much effort I want to put into contacting all our 
customers to tell them to sort their stuff out



My advice for everybody is to pop over to https://internet.nl/ and test 
your email domains. And your friends, customers, people you deal with.


Then test an inbound email at https://ssl-tools.net/mailservers

https://www.hardenize.com/ is pretty good as well.


--
Tim Bray
Huddersfield, GB
t...@kooky.org


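The check that both Ángel's warning milter (prepend a notice to mail that arrived without STARTTLS) and Tim Bray's idea of tagging inbound subjects with `insecure` below TLSv1.2 would need, written out as an added example; it is not code from either of them, from the list, or from any MTA. It assumes the Received-header conventions of Postfix (`with ESMTPS`, `(using TLSv1.2 with cipher ...)`), Exim (`(TLS1.2:...)`) and Exchange (`version=TLS1_2`), reads only the topmost Received header (the one the local MX wrote; anything deeper was written by someone else's server and can be forged), and the three sample messages are constructed. Function names are my own.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Version strings as common MTAs write them into Received headers (assumed formats):
#   Postfix (smtpd_tls_received_header = yes): "(using TLSv1.2 with cipher ...)"
#   Exim:                                      "(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)"
#   Exchange:                                  "(version=TLS1_2, cipher=...)"
TLS_VERSION_RE = re.compile(r"\bTLS\s*v?(\d)(?:[._](\d))?\b", re.IGNORECASE)
# Postfix writes "with ESMTPS" / "with ESMTPSA" for a hop that used STARTTLS
# even when no version is recorded in the header.
TLS_PROTOCOL_RE = re.compile(r"\bwith\s+E?SMTPSA?\b")

WARNING_TEXT = (
    "WARNING: This message was NOT transmitted securely because the sending "
    "mail server did not use STARTTLS. It may have been read, copied or "
    "modified in transit in an undetectable way."
)


def classify_hop(received: str):
    """Classify one Received header value.

    Returns ("cleartext", None), ("tls", (major, minor)), or ("tls", None)
    when TLS was used but no version was recorded.
    """
    m = TLS_VERSION_RE.search(received)
    if m:
        return "tls", (int(m.group(1)), int(m.group(2) or 0))
    if TLS_PROTOCOL_RE.search(received):
        return "tls", None
    return "cleartext", None


def classify_message(msg: EmailMessage, hop: int = 0):
    """Classify the hop at index `hop` of the Received trace (0 = topmost
    header, i.e. the one our own MX added). Only hop 0 is trustworthy for a
    local policy; deeper headers are under the sender's control."""
    received = msg.get_all("Received") or []
    if hop >= len(received):
        return "unknown", None
    return classify_hop(str(received[hop]))


def annotate(raw: bytes, min_version=(1, 2)) -> EmailMessage:
    """Tag the Subject with [insecure] when the final hop was cleartext or used
    TLS below `min_version`; additionally prepend a warning to the body of
    cleartext messages (the milter behaviour)."""
    msg = message_from_bytes(raw, policy=policy.default)
    kind, version = classify_message(msg)
    weak_tls = kind == "tls" and version is not None and version < min_version
    if kind != "cleartext" and not weak_tls:
        return msg
    subject = msg["Subject"] or ""
    if not subject.startswith("[insecure]"):
        if "Subject" in msg:
            msg.replace_header("Subject", f"[insecure] {subject}")
        else:
            msg["Subject"] = "[insecure]"
    # Only single-part text/plain bodies are rewritten here; a multipart message
    # would need a new text part inserted, which this example leaves out.
    if kind == "cleartext" and not msg.is_multipart() and msg.get_content_type() == "text/plain":
        msg.set_content(WARNING_TEXT + "\n\n" + msg.get_content())
    return msg


def _sample(received: str) -> bytes:
    """Constructed test message (sample data, not real mail) with one Received header."""
    return (
        f"Received: {received}\n"
        "From: bob@example.com\n"
        "To: alice@example.org\n"
        "Subject: quarterly order\n"
        'Content-Type: text/plain; charset="us-ascii"\n'
        "\n"
        "Please find the order attached.\n"
    ).encode()


_FROM = "from mail.example.com (mail.example.com [192.0.2.10])"
_FOR = "for <alice@example.org>; Wed, 26 Aug 2020 12:50:01 -0400"
CLEARTEXT_MSG = _sample(f"{_FROM}\n\tby mx.example.org (Postfix) with ESMTP id 4BC0F3E1\n\t{_FOR}")
TLS12_MSG = _sample(
    f"{_FROM}\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))"
    f"\n\tby mx.example.org (Postfix) with ESMTPS id 4BC0F3E2\n\t{_FOR}"
)
TLS10_MSG = _sample(
    f"{_FROM}\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))"
    f"\n\tby mx.example.org (Postfix) with ESMTPS id 4BC0F3E3\n\t{_FOR}"
)

if __name__ == "__main__":
    for name, raw in (("cleartext", CLEARTEXT_MSG), ("tls1.2", TLS12_MSG), ("tls1.0", TLS10_MSG)):
        out = annotate(raw)
        print(name, classify_message(out), "->", out["Subject"])
```

The same classification can feed a spam score instead of a subject tag, which is closer to what Mark Foster suggests: score on the result of `classify_message` rather than rewriting the message.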


Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Scott Mutter via mailop
Well, I really just wanted to see what the rest of the community was doing
in regards to this.  Seems the resounding answer is a "prefer TLS, but
don't disqualify if no TLS" or "opportunistic" TLS.

However, experience has also taught me, if you don't force people to make
changes then they're not going to change.  In regards to that, maybe this
never becomes an issue.  But if the point is to go all TLS all the time,
you're going to have to publicly shame those that are dragging their feet
or just cut off communication with them entirely.  Maybe some of the
administrators to these mail servers don't realize that their mail servers
aren't handling STARTTLS and bringing awareness to that (in the form of
their users not receiving all of their emails) is a way to light a fire
under them.

I just wanted to gauge what other mail server administrators were doing in
regards to this.  The response is kind of what I expected, but the shift in
wanting TLS and encryption on every connection, kind of made me question
what the response would be.

On Wed, Aug 26, 2020 at 3:02 PM Michael Orlitzky via mailop <
mailop@mailop.org> wrote:

> On 2020-08-26 12:50, Scott Mutter via mailop wrote:
> > I've been toying with the idea of forcing outbound SMTP connections to
> > use TLS, but thought I'd take a quick look and see who might miss mail
> > if this is done.
>
> This sounds good at first but if you make a flow chart, all paths lead
> to either "nothing changes" or "shoot yourself in the foot." There's no
> scenario that I know of where forcing TLS (as opposed to "opportunistic"
> TLS) improves anything.
>


Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Liam Fisher via mailop

Agreed - this is the road to escalations and suffering.



On 8/26/2020 4:02 PM, Michael Orlitzky via mailop wrote:

> On 2020-08-26 12:50, Scott Mutter via mailop wrote:
>
>> I've been toying with the idea of forcing outbound SMTP connections to
>> use TLS, but thought I'd take a quick look and see who might miss mail
>> if this is done.
>
> This sounds good at first but if you make a flow chart, all paths lead
> to either "nothing changes" or "shoot yourself in the foot." There's no
> scenario that I know of where forcing TLS (as opposed to "opportunistic"
> TLS) improves anything.



Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Michael Orlitzky via mailop
On 2020-08-26 12:50, Scott Mutter via mailop wrote:
> I've been toying with the idea of forcing outbound SMTP connections to
> use TLS, but thought I'd take a quick look and see who might miss mail
> if this is done. 

This sounds good at first but if you make a flow chart, all paths lead
to either "nothing changes" or "shoot yourself in the foot." There's no
scenario that I know of where forcing TLS (as opposed to "opportunistic"
TLS) improves anything.



Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Jaroslaw Rafa via mailop
On 26.08.2020 at 11:50:01, Scott Mutter via mailop wrote:
> I should note, forcing TLS is different from preferring TLS.  I think a lot
> of MTAs (at least Exim, I think?) prefer TLS and will attempt to negotiate
> a STARTTLS session, but if that fails, then it will continue without TLS.

This is called "opportunistic TLS" and is currently the default setting in pretty
much all MTAs. It should not be changed to mandatory TLS, because - as you
already noticed - there are still receiving servers that don't support TLS,
and you may lose mail deliverability if you use mandatory TLS on sending.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."



Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Bill Cole via mailop

On 26 Aug 2020, at 12:50, Scott Mutter via mailop wrote:

> How many mail operators out there are forcing outbound SMTP communications
> to use TLS?  Is this a common practice now?

It is very uncommon.

> I know secure everything and
> TLS everywhere is a popular movement at this moment.

It certainly gets a lot of talk...

> I've noticed that Constant Contact (constantcontact.com - at least the mail
> server at 205.207.104.108) and yahoo.co.jp (67.195.204.74) don't appear to
> be accepting STARTTLS.  Is that strange?

Strange, but only because they are relatively big names. There's still a 
lot of insecurity in the long tail.

[...]

> I've been toying with the idea of forcing outbound SMTP connections to use
> TLS, but thought I'd take a quick look and see who might miss mail if this
> is done.  It looks like most mail servers handle TLS, I haven't extended this
> test to a lot of servers yet so it may just be that the mail servers I have
> enacted this on are small volume senders.

You can get away with it if you do not have substantial volume and 
diversity in where you send mail to.

For example, it has been >6 months since my personal mail server has 
sent out a message not using TLS. However, that's just a couple hundred 
messages sent to a few dozen distinct mail systems. One of the systems I 
help administer handles about that volume daily, with about the same 
diversity, but it sends in the clear multiple times per day because of a 
handful of specific business relationships between our customers and 
companies that happen to run shoddy mail systems. To this day there are 
still mail servers sitting behind firewalls that break TLS (e.g. 
PIX/ASA.)

> I should note, forcing TLS is different from preferring TLS.  I think a lot
> of MTAs (at least Exim, I think?) prefer TLS and will attempt to negotiate
> a STARTTLS session, but if that fails, then it will continue without TLS.
> By forcing TLS, I'm telling my server to close the connection if a STARTTLS
> session can't be started.  Are any other mail server admins doing this?  Or
> is it still too early to require this?

Too early for any mail system with diverse users who have normal service 
level expectations, unless you carefully examine your actual mail 
stream and determine that none of your users routinely send mail to 
companies using poorly-administered mail servers or Cisco firewalls.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)



Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Michael Peddemors via mailop

Too early yet.. (to enforce globally)

But start selectively forcing it for the bigger players known to support 
this..




On 2020-08-26 9:50 a.m., Scott Mutter via mailop wrote:
> How many mail operators out there are forcing outbound SMTP
> communications to use TLS?  Is this a common practice now?  I know
> secure everything and TLS everywhere is a popular movement at this moment.
>
> I've noticed that Constant Contact (constantcontact.com - at least the mail server
> at 205.207.104.108) and yahoo.co.jp (67.195.204.74)
> don't appear to be accepting STARTTLS.  Is that strange?
>
> yahoo.com appears to handle STARTTLS but yahoo.co.jp
> does not.  There may be other country/region
> specific Yahoo domains that don't.
>
> I'm just wondering if that is common.  Perhaps the administrators of
> these mail servers are unaware of this?  Constant Contact - whose
> primary purpose would seem to be to ensure mail delivery - not
> accepting STARTTLS seems extremely strange.
>
> I've been toying with the idea of forcing outbound SMTP connections to
> use TLS, but thought I'd take a quick look and see who might miss mail
> if this is done.  It looks like most mail servers handle TLS, I haven't
> extended this test to a lot of servers yet so it may just be that the
> mail servers I have enacted this on are small volume senders.
>
> I should note, forcing TLS is different from preferring TLS.  I think a
> lot of MTAs (at least Exim, I think?) prefer TLS and will attempt to
> negotiate a STARTTLS session, but if that fails, then it will continue
> without TLS.  By forcing TLS, I'm telling my server to close the
> connection if a STARTTLS session can't be started.  Are any other mail
> server admins doing this?  Or is it still too early to require this?

--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Anthony Purcell via mailop
Constant Contact sends mail. Not sure how that relates to their receiving 
practices. Have you looked into MTA-STS? It does not fulfill your desire, but 
gets you a lot closer. Log data should give you an idea of how much breakage 
you can expect with forcing TLS.


Thanks,


> On Aug 26, 2020, at 9:50 AM, Scott Mutter via mailop  
> wrote:
> 
> How many mail operators out there are forcing outbound SMTP communications to 
> use TLS?  Is this a common practice now?  I know secure everything and TLS 
> everywhere is a popular movement at this moment.
> 
> I've noticed that Constant Contact (constantcontact.com - at least the mail server at 205.207.104.108) 
> and yahoo.co.jp (67.195.204.74) don't appear to be 
> accepting STARTTLS.  Is that strange?
> 
> yahoo.com appears to handle STARTTLS but yahoo.co.jp 
> does not.  There may be other country/region specific 
> Yahoo domains that don't.
> 
> I'm just wondering if that is common.  Perhaps the administrators of these 
> mail servers are unaware of this?  Constant Contact - whose primary purpose 
> would seem to be to ensure mail delivery - not accepting STARTTLS seems 
> extremely strange.
> 
> I've been toying with the idea of forcing outbound SMTP connections to use 
> TLS, but thought I'd take a quick look and see who might miss mail if this 
> is done.  It looks like most mail servers handle TLS, I haven't extended this 
> test to a lot of servers yet so it may just be that the mail servers I have 
> enacted this on are small volume senders.
> 
> I should note, forcing TLS is different from preferring TLS.  I think a lot 
> of MTAs (at least Exim, I think?) prefer TLS and will attempt to negotiate a 
> STARTTLS session, but if that fails, then it will continue without TLS.  By 
> forcing TLS, I'm telling my server to close the connection if a STARTTLS 
> session can't be started.  Are any other mail server admins doing this?  Or 
> is it still too early to require this?



[mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Scott Mutter via mailop
How many mail operators out there are forcing outbound SMTP communications
to use TLS?  Is this a common practice now?  I know secure everything and
TLS everywhere is a popular movement at this moment.

I've noticed that Constant Contact (constantcontact.com - at least the mail
server at 205.207.104.108) and yahoo.co.jp (67.195.204.74) don't appear to
be accepting STARTTLS.  Is that strange?

yahoo.com appears to handle STARTTLS but yahoo.co.jp does not.  There may
be other country/region specific Yahoo domains that don't.

I'm just wondering if that is common.  Perhaps the administrators of these
mail servers are unaware of this?  Constant Contact - whose primary purpose
would seem to be to ensure mail delivery - not accepting STARTTLS seems
extremely strange.

I've been toying with the idea of forcing outbound SMTP connections to use
TLS, but thought I'd take a quick look and see who might miss mail if this
is done.  It looks like most mail servers handle TLS, I haven't extended this
test to a lot of servers yet so it may just be that the mail servers I have
enacted this on are small volume senders.

I should note, forcing TLS is different from preferring TLS.  I think a lot
of MTAs (at least Exim, I think?) prefer TLS and will attempt to negotiate
a STARTTLS session, but if that fails, then it will continue without TLS.
By forcing TLS, I'm telling my server to close the connection if a STARTTLS
session can't be started.  Are any other mail server admins doing this?  Or
is it still too early to require this?
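The measurement several replies in this thread ask for before Scott's "close the connection if STARTTLS can't be started" is switched on (Anthony Purcell: log data shows how much breakage to expect; Bill Cole: examine your actual mail stream first; Michael Peddemors: force it selectively for destinations known to support it), as an added example that is not code from anyone on the list or from Postfix. It assumes the Postfix smtp(8) log format, in which a TLS handshake is logged once per connection by the same smtp process, just before the deliveries made over it, and a cleartext connection logs no handshake line at all. The log lines are constructed samples and the function names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed Postfix smtp(8) log lines:
#   "postfix/smtp[PID]: Trusted TLS connection established to HOST[IP]:25: TLSv1.2 with cipher ..."
#   "postfix/smtp[PID]: QUEUEID: to=<user@domain>, relay=HOST[IP]:25, ..., status=sent (...)"
# Cleartext connections produce no handshake line, so "no handshake logged by
# this process for this relay" is what identifies a cleartext delivery.
TLS_LINE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?:Verified|Trusted|Untrusted|Anonymous) TLS connection "
    r"established to (?P<relay>[^\[\s]+)\[[^\]]*\]:\d+: TLSv(?P<ver>[\d.]+)"
)
SENT_LINE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: \w+: to=<[^>@]*@(?P<domain>[^>]+)>, "
    r"relay=(?P<relay>[^\[\s]+)\[[^\]]*\]:\d+,.*status=sent"
)


@dataclass
class DomainStats:
    total: int = 0
    cleartext: int = 0
    tls_versions: list = field(default_factory=list)


def parse_version(text: str) -> tuple:
    """'1.2' -> (1, 2); Postfix logs plain 'TLSv1' for TLS 1.0."""
    parts = text.split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)


def analyse(lines) -> dict:
    """Count, per destination domain, deliveries made in the clear and the TLS
    version of the rest, pairing each status=sent line with the most recent
    handshake logged by the same smtp process to the same relay."""
    tls_by_pid = {}
    stats = defaultdict(DomainStats)
    for line in lines:
        m = TLS_LINE.search(line)
        if m:
            tls_by_pid[m["pid"]] = (m["relay"], parse_version(m["ver"]))
            continue
        m = SENT_LINE.search(line)
        if not m:
            continue
        s = stats[m["domain"].lower()]
        s.total += 1
        handshake = tls_by_pid.get(m["pid"])
        if handshake and handshake[0] == m["relay"]:
            s.tls_versions.append(handshake[1])
        else:
            s.cleartext += 1
    return dict(stats)


def report(stats: dict, min_version=(1, 2)):
    """Split destinations into those that always negotiated at least
    min_version (safe to force TLS on) and those where forcing it would have
    lost mail, as (domain, total, cleartext deliveries, deliveries below min)."""
    safe, breaks = [], []
    for domain, s in sorted(stats.items()):
        below = sum(1 for v in s.tls_versions if v < min_version)
        if s.cleartext == 0 and below == 0:
            safe.append(domain)
        else:
            breaks.append((domain, s.total, s.cleartext, below))
    return safe, breaks


# Constructed sample log (not a real mail stream); addresses are documentation ranges.
SAMPLE_LOG = """\
Aug 26 12:50:00 mx postfix/smtp[1001]: Trusted TLS connection established to mx1.bigmail.example[198.51.100.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Aug 26 12:50:01 mx postfix/smtp[1001]: 4BC0F3E1: to=<a@bigmail.example>, relay=mx1.bigmail.example[198.51.100.5]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Aug 26 12:50:02 mx postfix/smtp[1001]: 4BC0F3E2: to=<b@bigmail.example>, relay=mx1.bigmail.example[198.51.100.5]:25, conn_use=2, delay=0.8, delays=0.1/0/0.2/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Aug 26 12:51:00 mx postfix/smtp[1002]: 4BC0F3E3: to=<c@supplier.example>, relay=mail.supplier.example[203.0.113.9]:25, delay=2.1, delays=0.1/0/1.5/0.5, dsn=2.0.0, status=sent (250 Ok)
Aug 26 12:52:00 mx postfix/smtp[1003]: Anonymous TLS connection established to mail.oldexchange.example[203.0.113.40]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Aug 26 12:52:01 mx postfix/smtp[1003]: 4BC0F3E4: to=<d@oldexchange.example>, relay=mail.oldexchange.example[203.0.113.40]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 Ok)
Aug 26 12:53:00 mx postfix/smtp[1001]: 4BC0F3E5: to=<e@supplier.example>, relay=mail.supplier.example[203.0.113.9]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 Ok)
"""

if __name__ == "__main__":
    safe, breaks = report(analyse(SAMPLE_LOG.splitlines()))
    print("could force TLS >= 1.2 today:", safe)
    for domain, total, clear, below in breaks:
        print(f"{domain}: {clear}/{total} in the clear, {below}/{total} below TLS 1.2")
```

The last sample line shows why the relay has to match and not just the process: smtp process 1001 negotiated TLS with bigmail earlier, then reused itself for a cleartext connection to the supplier. In Postfix terms the result maps onto keeping `smtp_tls_security_level = may` (the opportunistic default Jaroslaw describes) and listing only the "safe" domains with `encrypt` in `smtp_tls_policy_maps`; every domain on the "breaks" list is a customer or supplier to contact first, as Tim Bray did.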