This is a sub-selection from How secure...

caedmon (Anon) to battleop
Re: How secure...

quote:
If I want to read your email is it worth the effort to break into your VPN to catch it between you and your mail server or is it easier to go else where and catch your email traffic between mail servers?
Hence the need for encrypted email. If I encrypt my email then I do not need a secure channel to get it to you since it will be encrypted end-to-end. Of course you may attack the endpoints and get to the message before encryption or when the recipient is reading the message.

battleop (Member)
It's really too late to do universal server-to-server encryption. There are thousands of different mail servers out there. It would be nearly impossible to get everyone to agree on a standard and then implement it.
ptb42 (Member)
said by battleop:

It would be nearly impossible to get everyone to agree on a standard and then implement it.

The standard already exists (SMTP TLS). And all the modern mail transfer agents (sendmail, Postfix, etc.) already support it.

All you have to do is enable it. When another MTA connects to your mail server, it will ask if you support TLS, and negotiates the connection if you do.

Look in the headers of a random email message in your inbox, and you may find something like this:

Received: from xxx.example.com ([123.345.789.000])
by mx.google.com with ESMTPS id asdfsdfsfsjkldf.2014.05.16.10.56.47
for battleop@gmail.com
(version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Fri, 16 May 2014 10:56:48 -0700 (PDT)


If the sender's email server supports TLS and sends to a Google email server, it will be encrypted. It's been that way for a while.
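As an added example (my code, not ptb42's or anything from the original thread), here is a Python script that does programmatically what ptb42 suggests doing by eye: unfold a message's Received: headers, pull out the per-hop TLS parameters, and flag hops that ran in the clear, used a weak cipher (the RC4 suites in the headers quoted above), or never verified the peer certificate (sendmail's verify=NOT). The sample input is constructed by pasting this thread's own Received lines together as if they were one message's trace; the "with ESMTPS" reading follows RFC 3848, where the S records that STARTTLS was negotiated.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Received: lines quoted in this thread, joined as if they
# were one message's trace (they really come from three messages). Folded
# continuation lines start with whitespace, as RFC 5322 requires.
SAMPLE_HEADERS = """\
Received: from xxx.example.com ([123.345.789.000])
 by mx.google.com with ESMTPS id asdfsdfsfsjkldf.2014.05.16.10.56.47
 for battleop@gmail.com
 (version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Fri, 16 May 2014 10:56:48 -0700 (PDT)
Received: from [192.168.102.222] (reki.aosake.net [173.228.7.217])
        (authenticated bits=0)
        by d.mail.sonic.net (8.14.4/8.14.4) with ESMTP id s3K2BnPK031067
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT)
        for <**********@pacbell.net>; Sat, 19 Apr 2014 19:11:50 -0700
Received: from FamilyPC ([24.20.126.137])
        by omta12.emeryville.ca.mail.comcast.net with comcast
        id ALxH1n00D57wvhC8YLxHpy; Sun, 05 Jan 2014 20:57:18 +0000
"""

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+(\S+)", re.IGNORECASE)
# TLS parameters as Postfix, sendmail and Gmail write them; "bits=128/128" (Gmail)
# and "verify=NOT" (sendmail) are optional parts.
TLS_RE = re.compile(
    r"version=(?P<version>[\w./]+)\s+cipher=(?P<cipher>[\w-]+)"
    r"\s+bits=(?P<bits>\d+)(?:/\d+)?(?:\s+verify=(?P<verify>\w+))?"
)
WEAK_CIPHER_RE = re.compile(r"RC4|DES|NULL|EXPORT|MD5", re.IGNORECASE)


@dataclass
class Hop:
    from_host: str
    by_host: str
    with_proto: str
    tls_version: Optional[str] = None
    cipher: Optional[str] = None
    bits: Optional[int] = None
    verify: Optional[str] = None

    @property
    def encrypted(self) -> bool:
        # Explicit TLS parameters, or an RFC 3848 "with ESMTPS"/"ESMTPSA" clause.
        return self.tls_version is not None or self.with_proto.upper() in ("ESMTPS", "ESMTPSA")

    @property
    def weak_cipher(self) -> bool:
        return bool(self.cipher and WEAK_CIPHER_RE.search(self.cipher))

    @property
    def cert_verified(self) -> Optional[bool]:
        # sendmail: verify=OK means the peer cert chained to a trusted CA,
        # verify=NOT means it was not checked (opportunistic TLS). None = not recorded.
        return None if self.verify is None else self.verify.upper() == "OK"


def unfold_received(raw: str) -> List[str]:
    """Return each Received: header as one unfolded string, newest hop first."""
    headers, current = [], None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t"):      # folded continuation of the current header
            if current is not None:
                current += " " + line.strip()
            continue
        if current is not None:
            headers.append(current)
            current = None
        if line.lower().startswith("received:"):
            current = line.split(":", 1)[1].strip()
    if current is not None:
        headers.append(current)
    return headers


def parse_hop(header: str) -> Hop:
    def first(rx: "re.Pattern") -> str:
        m = rx.search(header)
        return m.group(1) if m else ""

    hop = Hop(from_host=first(FROM_RE), by_host=first(BY_RE), with_proto=first(WITH_RE))
    tls = TLS_RE.search(header)
    if tls:
        hop.tls_version = tls.group("version")
        hop.cipher = tls.group("cipher")
        hop.bits = int(tls.group("bits"))
        hop.verify = tls.group("verify")
    return hop


def audit(raw: str) -> List[Hop]:
    return [parse_hop(h) for h in unfold_received(raw)]


def findings(hop: Hop) -> List[str]:
    """Problems with one hop; an empty list means nothing to flag."""
    out = []
    if not hop.encrypted:
        out.append("plaintext hop (no STARTTLS recorded)")
    if hop.weak_cipher:
        out.append(f"weak cipher {hop.cipher}")
    if hop.cert_verified is False:
        out.append("peer certificate not verified (opportunistic TLS only)")
    return out


if __name__ == "__main__":
    for hop in audit(SAMPLE_HEADERS):
        status = f"TLS {hop.tls_version}" if hop.encrypted else "PLAIN"
        print(f"{hop.from_host:>20} -> {hop.by_host:<42} {status:<16} {'; '.join(findings(hop)) or 'ok'}")
```

Read the output top-down as newest hop first, since each MTA prepends its own Received line. Note what the headers do not tell you: a hop marked TLS with no verify= field (the Gmail lines) says nothing about whether the certificate was checked, so absence of a finding is not proof the hop was safe against an active attacker, only that it was not readable by a passive one.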

battleop (Member)
I didn't realize it was universally accepted now. I've not done full-time email server admin in about 5-6 years, and at that time running TLS on some mail servers would cause strange delivery problems.

TuxRaiderPen2 (Member) to ptb42
said by ptb42:
All you have to do is enable it. When another MTA connects to your mail server, it will ask if you support TLS, and negotiates the connection if you do.
Ahhh... but there is the rub... FEW actually ENABLE IT. Trust me... I've had tons of howling over this... it is widely DISABLED.

We refuse any non-secure email now... too bad... it is either sent on a secure connection or go away!
ptb42 (Member)
said by TuxRaiderPen2:

Ahhh..but there is the rub... FEW actually ENABLE IT. Trust me... I've had tons of howling over this...it is widely DISABLED.

I already showed how Google Mail has SMTP TLS enabled.

And here, you can see how sending email from a Yahoo account to a Gmail account uses TLS:

Received: from nm31.bullet.mail.ne1.yahoo.com (nm31.bullet.mail.ne1.yahoo.com. [98.138.229.24])
by mx.google.com with ESMTPS id asdfasff.21.2014.05.16.14.19.56
for TuxRaiderPen@gmail.com
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Fri, 16 May 2014 14:19:56 -0700 (PDT)

I am sure a lot of smaller mail servers haven't bothered to enable TLS. But the big email providers, accounting for a very large portion of email addresses, have enabled TLS.

NormanS (MVM)
said by ptb42:

I am sure a lot of smaller mail servers haven't bothered to enable TLS. But, the big email providers, accounting for a very large portion of email address, have enabled TLS.

Probably among the smallest ISPs in the U.S.:
Received: from [192.168.102.222] (reki.aosake.net [173.228.7.217])
        (authenticated bits=0)
        by d.mail.sonic.net (8.14.4/8.14.4) with ESMTP id s3K2BnPK031067
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT)
        for <**********@pacbell.net>; Sat, 19 Apr 2014 19:11:50 -0700

Almost certainly the largest:
Received: from FamilyPC ([24.20.126.137])
        by omta12.emeryville.ca.mail.comcast.net with comcast
        id ALxH1n00D57wvhC8YLxHpy; Sun, 05 Jan 2014 20:57:18 +0000

I need to find out if my Comcast correspondent is using SSL, because I thought Comcast allowed it.
ptb42 (Member)

Received: from FamilyPC ([24.20.126.137])
by omta12.emeryville.ca.mail.comcast.net with comcast
id ALxH1n00D57wvhC8YLxHpy; Sun, 05 Jan 2014 20:57:18 +0000

This looks like the initial submission of a message from a PC mail client to Comcast's mail server. If they haven't configured their mail client to use SSL/TLS, it won't do so -- even if Comcast supports it.

As a consequence, they may also be exposing their account password, if Comcast requires it when accepting email from a customer.

I use Mozilla Thunderbird. It configures itself to use SSL by default, at least when connecting to Google Mail. I believe that Outlook Express supports it, but I don't think it's by default.
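An added example (my code, not ptb42's, Mozilla's or anything from the original thread) of what "configuring the mail client to use SSL/TLS" means at the protocol level: a Python submission client that refuses to send the account password unless the server offers STARTTLS and presents a certificate that verifies for its hostname, and re-issues EHLO after the upgrade as RFC 3207 requires. A client left at "no security", like the Comcast first hop quoted above, skips every one of these checks. The host, port, account and addresses in the `__main__` block are hypothetical placeholders (example.com is a reserved name).

```python
import smtplib
import ssl
from email.message import EmailMessage
from typing import Iterable


class InsecureSubmission(RuntimeError):
    """The server would only accept the password over a plaintext session."""


def submission_tls_context() -> ssl.SSLContext:
    """TLS settings for the submission server.

    create_default_context() loads the system trust store and enables hostname
    checking and certificate verification. That is what separates this from the
    opportunistic "encrypt if offered, trust any certificate" mode MTAs use
    between each other, and it is what protects the password from an active
    man-in-the-middle rather than only from passive sniffing.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def require_starttls(extensions: Iterable[str]) -> None:
    """Fail closed: stop if the EHLO reply did not advertise STARTTLS."""
    if "starttls" not in {e.lower() for e in extensions}:
        raise InsecureSubmission("server did not offer STARTTLS; not sending credentials in clear")


def send_with_starttls(host: str, port: int, user: str, password: str,
                       msg: EmailMessage, timeout: float = 30.0) -> None:
    """Submit msg, authenticating only after a verified TLS session is in place."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        require_starttls(s.esmtp_features)            # extensions parsed from the EHLO reply
        s.starttls(context=submission_tls_context())  # raises ssl.SSLCertVerificationError on a bad cert
        s.ehlo()                                      # RFC 3207: discard pre-TLS EHLO data, re-EHLO
        if not s.has_extn("auth"):
            raise InsecureSubmission("server offers no AUTH after STARTTLS")
        s.login(user, password)                       # password now travels only inside TLS
        s.send_message(msg)


if __name__ == "__main__":
    # Hypothetical values; edit them before running, nothing here is a real account.
    note = EmailMessage()
    note["From"], note["To"], note["Subject"] = "alice@example.com", "bob@example.com", "STARTTLS check"
    note.set_content("sent only over a verified TLS session")
    send_with_starttls("mail.example.com", 587, "alice@example.com", "change-me", note)
```

Port 587 with STARTTLS is the submission pattern above; the implicit-TLS alternative is port 465 with `smtplib.SMTP_SSL(host, 465, context=submission_tls_context())`, which never has a plaintext phase at all. A client "defaulting to port 25" with no security setting does neither, which is the situation the FamilyPC header shows.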

NormanS (MVM)
said by ptb42:

I use Mozilla Thunderbird. It configures itself to use SSL by default, at least when connecting to Google Mail. I believe that Outlook Express supports it, but I don't think it's by default.

I am pretty sure the client has to be configured to use SSL; even T-Bird. I notice that the recent versions will automagically set up SSL for most of the "well-known" services; but I have to use the "manual override" to set up AT&T (Yahoo!) and my ISP accounts.

My Comcast correspondent is using MS Outlook 14.0; and probably defaulting to port 25.