Author Topic: Opportunistic TLS and SMTP  (Read 271 times)
AliceWonderMiscreations (OP)
May 10, 2016, 08:01:54 AM
Last edit: May 10, 2016, 08:16:52 AM by AliceWonderMiscreations
#1

It's no secret to most that SMTP is not secure.

The problem is with the MTA to MX stage of message delivery.

It uses opportunistic TLS, which means that after sending its HELO, the MTA, if it supports TLS, will send a STARTTLS command.

The receiving MX, if it supports TLS, will then respond with its certificate.

TLS is not required and a lot of MX servers don't even support it.

I wrote a PHP class that categorizes SMTP servers into 4 categories:

1) danetls
2) validtls
3) weaktls
4) insecuretls

For danetls, I determine if the host in the address is in a DNSSEC protected zone. If it is, I then look at the MX records. If they are in a DNSSEC protected zone, I look for a sane TLSA record for port 25. If it has one, then it is danetls and communicating with that domain will either be secure or won't happen.

For validtls, if it doesn't have DANE protection but responds with a valid certificate that matches the host name and is signed by a certificate authority I trust, it is validtls. It is still trivial to MITM though.

For weaktls, I am able to make a TLS connection but the certificate is either self-signed or the hostname doesn't match (common with companies that outsource to Google).

For insecuretls, I am unable to make a TLS connection. It may support TLS, but if it does, it uses protocols / cipher suites too old for me to communicate with.

Just running the test on about 30 domains that communicate with me -

https://deviant.email/tls_functions.php (output is plain text, sent as plain text)

Rather interesting.

I hereby reserve the right to sometimes be wrong
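The four-way classification described in the post, as an added example written for this thread (not the OP's PHP class, which is not shown). It skips the network side: the DNSSEC, MX, TLSA and STARTTLS results are assumed to have been collected already and are passed in as a constructed MxObservation; the TLSA sanity rules follow RFC 6698 field ranges, and the "every MX must be DANE-covered, otherwise report the weakest MX" rule is this example's own assumption.

```python
import re
from dataclasses import dataclass, field

# TLSA fields (RFC 6698): usage 0-3, selector 0-1, matching type 0 full data,
# 1 SHA-256 (32 bytes), 2 SHA-512 (64 bytes).
TLSA_DIGEST_BYTES = {0: None, 1: 32, 2: 64}

def tlsa_is_sane(rr: str) -> bool:
    """Well-formed presentation-format TLSA RR, digest length matching its type."""
    parts = rr.split(None, 3)
    if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
        return False
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = re.sub(r"\s+", "", parts[3])  # dig prints long digests with spaces
    if usage > 3 or selector > 1 or mtype not in TLSA_DIGEST_BYTES:
        return False
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", data):
        return False
    want = TLSA_DIGEST_BYTES[mtype]
    return want is None or len(data) == 2 * want

@dataclass
class MxObservation:  # results of probing one MX host (constructed below)
    host: str
    dnssec: bool                     # MX host name is in a DNSSEC-signed zone
    tlsa_port25: list = field(default_factory=list)  # RRs at _25._tcp.<host>
    tls_ok: bool = False             # STARTTLS handshake completed
    cert_chain_valid: bool = False   # chains to a CA we trust
    cert_name_matches: bool = False  # certificate covers the MX host name

RANK = ["insecuretls", "weaktls", "validtls", "danetls"]  # weakest first

def tls_category(mx: MxObservation) -> str:
    if not mx.tls_ok:
        return "insecuretls"
    if mx.cert_chain_valid and mx.cert_name_matches:
        return "validtls"
    return "weaktls"  # self-signed, or name mismatch (e.g. outsourced MX)

def mx_has_dane(mx: MxObservation) -> bool:
    return mx.dnssec and any(tlsa_is_sane(r) for r in mx.tlsa_port25)

def classify_domain(domain_dnssec: bool, mxs: list) -> str:
    # Assumption: danetls needs the mail domain's own zone signed (so the MX
    # RRset is authenticated) and every MX covered; otherwise report the
    # weakest MX, since delivery can be steered to it.
    if domain_dnssec and mxs and all(mx_has_dane(m) for m in mxs):
        return "danetls"
    return min((tls_category(m) for m in mxs), key=RANK.index, default="insecuretls")

# Constructed probe result: one DNSSEC-signed MX with a SHA-256 TLSA record.
SAMPLE_MX = [MxObservation("mx.example.net", True, ["3 1 1 " + "ab" * 32], True, True, True)]
```

Calling classify_domain(True, SAMPLE_MX) yields "danetls"; the same MX under an unsigned mail domain drops to "validtls", since the MX RRset itself could then be forged.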
AliceWonderMiscreations (OP)
May 10, 2016, 08:08:51 AM
#2

My results are probably biased; the number of danetls in those 30 does not reflect the adoption of DNSSEC or DANE, but rather the kind of communication I tend to do tends to see the light.
