Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-11 Thread Jan Ingvoldstad
On Wed, Feb 11, 2015 at 10:55 PM, Ángel González wrote:
> Jeff Potter wrote:
> > (I don’t understand why Apple doesn't use SRV records — when you
> > enter an email address, they make an HTTPS connection to their
> > servers with the domain to see if they can auto-setup the results
> > for the us

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-11 Thread Ángel González
Jeff Potter wrote:
> (I don’t understand why Apple doesn't use SRV records — when you
> enter an email address, they make an HTTPS connection to their
> servers with the domain to see if they can auto-setup the results
> for the user, but there’s no clear way to get into their system.
> I suppo

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-09 Thread Justin Vallon
On 2/8/15 4:44 PM, Hanno Böck wrote:
> On Sun, 08 Feb 2015 16:39:17 -0500
> Justin Vallon wrote:
>
>> AUTH is only allowed under SSL. Mail can only be sent (relayed) after
>> AUTH. Therefore, if the MITM prevents the client from STARTTLS'ing,
>> the server will not allow mail to be sent. Unencr

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-08 Thread Hanno Böck
On Sun, 08 Feb 2015 16:39:17 -0500
Justin Vallon wrote:
> AUTH is only allowed under SSL. Mail can only be sent (relayed) after
> AUTH. Therefore, if the MITM prevents the client from STARTTLS'ing,
> the server will not allow mail to be sent. Unencrypted mail will not
> be sent.

The attacker

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-08 Thread Justin Vallon
On 2/8/15 4:25 PM, Hanno Böck wrote:
> On Sun, 08 Feb 2015 15:55:27 -0500
> Justin Vallon wrote:
>
>> I am on this list for courier-imap, but I use postfix for SMTP.
>> Postfix has an option to only allow auth over under SSL
>> (smtpd_tls_auth_only=yes # only allow auth under ssl).
>>
>> So, I bel

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-08 Thread Hanno Böck
On Sun, 08 Feb 2015 15:55:27 -0500
Justin Vallon wrote:
> I am on this list for courier-imap, but I use postfix for SMTP.
> Postfix has an option to only allow auth over under SSL
> (smtpd_tls_auth_only=yes # only allow auth under ssl).
>
> So, I believe this can be enforced on the (Postfix) ser

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-08 Thread Justin Vallon
On 2/7/15 8:51 AM, Hanno Böck wrote:
> On Sat, 7 Feb 2015 08:40:07 -0500
> Jeff Potter wrote:
>
>> 465 has the benefit that the STARTTLS keyword can’t be MITM stripped.
> That's kinda the thing: STARTTLS doesn't really make that much sense
> any more in a world where we essentially want to depreca

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-08 Thread Jan Ingvoldstad
On Sun, Feb 8, 2015 at 3:09 PM, Sam Varshavchik wrote:
>
>>
> That's true only if properly-signed SSL certificates are used. Since too
> many small to medium sized organizations (rightfully) don't feel like
> paying for a valid certificate for their mail server, too many mail servers
> end up usi

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-08 Thread Sam Varshavchik
Alessandro Vesely writes: While I 100% agree, I note that "starttls if available" is the only choice for a server that relays the message. Even if there's no password exchange in that case, encrypted SMTP enhances privacy. My understanding was that, if massively adopted, it would have sw

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-08 Thread Alessandro Vesely
On Sat 07/Feb/2015 14:51:20 +0100 Hanno Böck wrote:
> On Sat, 7 Feb 2015 08:40:07 -0500 Jeff Potter wrote:
>
>> 465 has the benefit that the STARTTLS keyword can’t be MITM stripped.
>
> That's kinda the thing: STARTTLS doesn't really make that much sense
> any more in a world where we essentiall

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-07 Thread Mark Constable
On 08/02/15 01:29, Hanno Böck wrote:
> But not sure this is the right place to discuss it, hope we
> don't annoy others with offtopic discussions.

I'm sure there are quite a few of us interested in current best practices. It's certainly a surprise to

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-07 Thread Hanno Böck
On Sat, 7 Feb 2015 09:54:43 -0500
Jeff Potter wrote:
> I’d support such a project, but based on my experience with my users,
> the ones for whom it would help wouldn’t care about it or understand
> the need. I’ve started recommending to my clients to use port 465 by
> default.

I'm not talking ab

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-07 Thread Jeff Potter
> It doesn't really do that, because MUAs will likely try ports 587 and 25 if
> 465 doesn't work.
> As a user, you need to specify that no fallback is acceptable.
> For instance, in Apple's Mail, the default in Mavericks is "Use default ports
> (25, 465, 587)" and "Use Secure Sockets Layer (SSL)

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-07 Thread Jan Ingvoldstad
On Sat, Feb 7, 2015 at 3:54 PM, Jeff Potter wrote:
>
> I’d support such a project, but based on my experience with my users, the
> ones for whom it would help wouldn’t care about it or understand the need.
> I’ve started recommending to my clients to use port 465 by default.
>
> Using port 465 in

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-07 Thread Jeff Potter
I’d support such a project, but based on my experience with my users, the ones for whom it would help wouldn’t care about it or understand the need. I’ve started recommending to my clients to use port 465 by default. Using port 465 instead of 587 “fixes” the STRIPSSL attack. I would believe Ap

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-07 Thread Hanno Böck
On Sat, 7 Feb 2015 08:40:07 -0500
Jeff Potter wrote:
> 465 has the benefit that the STARTTLS keyword can’t be MITM stripped.

That's kinda the thing: STARTTLS doesn't really make that much sense any more in a world where we essentially want to deprecate non-crypto-logins. Mail settings with "sta

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-07 Thread Jeff Potter
> Technically speaking, using port 465 for (authenticated) SMTP over SSL/TLS
> has been deprecated for a long, long time.
>
> Microsoft was long a lone holdout against standards, but recently, Apple and
> Google have joined them, and if you're running a mail service for some
> 4-digit number o

Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-07 Thread Jan Ingvoldstad
On Sat, Feb 7, 2015 at 6:16 AM, Lindsay Haisley wrote:
> What's the current status of port recommendations for courier for SSL
> and TLS (STARTTLS)? It may be my legacy configuration, but SSLPORT=465
> in esmtpd-ssl here. Online resources are confusing about this, the
> _official_ IANA document

[courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-06 Thread Lindsay Haisley
What's the current status of port recommendations for courier for SSL and TLS (STARTTLS)? It may be my legacy configuration, but SSLPORT=465 in esmtpd-ssl here. Online resources are confusing about this, the _official_ IANA document at http://www.iana.org/assignments/service-names-port-numbers/se