zrm / snow

www.trustiosity.com/snow

contact problem #3

Closed 0-8-15 closed 8 years ago

0-8-15 commented 9 years ago

It's not possible to send mail to the address published on the webpage.

zrm commented 9 years ago

Try it now

0-8-15 commented 9 years ago

Nah, does not work:

On 17.05.2015 at 02:10, zrm wrote:

> Try it now

               The mail system

zrm@trustiosity.com: host mx.trustiosity.com[54.186.28.113] said: 530 5.7.0
    Must issue a STARTTLS command first (in reply to MAIL FROM command)

Reporting-MTA: dns; garkin.softeyes.net
X-Postfix-Queue-ID: 3lqRTd1pyFzTJL
X-Postfix-Sender: rfc822; Joerg.Wittenberger@softeyes.net
Arrival-Date: Sun, 17 May 2015 16:59:49 +0200 (CEST)

Final-Recipient: rfc822; zrm@trustiosity.com
Original-Recipient: rfc822;zrm@trustiosity.com
Action: failed
Status: 5.7.0
Remote-MTA: dns; mx.trustiosity.com
Diagnostic-Code: smtp; 530 5.7.0 Must issue a STARTTLS command first

zrm commented 9 years ago

I see. My mail server is requiring TLS and yours isn't using it.

In theory requiring STARTTLS isn't allowed (because it causes exactly this), but most major email providers support it and not at least trying to use it is almost always by mistake. It means your mail server is sending all your email in cleartext even when the recipient's supports TLS.

You can fix this by configuring your email server to send STARTTLS (which it should really be doing regardless), or if you don't control that then you can send to trustiosity.zrm on gmail.

I'm going to leave this open to see if anyone else has the same issue, I'll change it to be less strict if it turns out nontrivially many people have mail servers that don't use STARTTLS.

0-8-15 commented 9 years ago

On 17.05.2015 at 19:30, zrm wrote:

> I see. My mail server is requiring TLS and yours isn't using it.
>
> In theory requiring STARTTLS isn't allowed (because it causes exactly this), but most major email providers support it and not at least trying to use it is almost always by mistake. It means your mail server is sending all your email in cleartext even when the recipient's supports TLS.

"major email providers" seems to be the culprit.

(Actually: I don't care so much about encryption+email. Why: there is IMHO no way to get that right. As soon as you have a single person having commercial interests, all privacy arguments are gone. "MAY it prevent me seeing an offer/option/business opportunity?" I can't promise "no", hence I have to re-enable plain text. In this case there is a self-employed truck driver. He can't care less about encryption. Plus: it's really a pain in the ass and mostly provides security theater.)

Whatever. I personally reject dependencies on CAs when it comes to encryption. Hence there are only self-signed certificates and certs signed by just the receiving peer.

At this point I read the Postfix documentation to the point that I understand (maybe I'm wrong?) there is no chance to turn on STARTTLS without a CA-approved cert.

If that's correct, then I don't see much of an incentive to turn it on. Would cost money for little gain.

If that's wrong: please enlighten me.

> You can fix this by configuring your email server to send STARTTLS (which it should really be doing regardless), or if you don't control that then you can send to trustiosity.zrm on gmail.
>
> I'm going to leave this open to see if anyone else has the same issue, I'll change it to be less strict if it turns out nontrivially many people have mail servers that don't use STARTTLS.

I'm afraid you will never see this. I was just a bit too desperate to get snow working. If I had not had this problem, I would have contacted you weeks before. My guess: most having the issue will just stop trying. (At least once they figured out that there is no big user base anyway.)

Thus it looks to me as if the STARTTLS requirement is more akin to a DoS against snow than a helpful measure.

Again: I'm guessing, I might be wrong.

Best

/Jörg

zrm commented 9 years ago

You don't need a certificate to use STARTTLS for outgoing mail. TLS client authentication is optional. It is also possible to use a self signed certificate for incoming mail.

You might find people saying you need a CA-signed certificate to use TLS, the theory being that without it you can't be authenticated, but worrying about that is a bit silly when an active attacker can trivially downgrade STARTTLS to plaintext. The primary benefit of TLS for email is not to thwart an active attacker with authentication, it's to thwart a passive attacker with encryption.

Interoperability is a different question. But the most interoperable option is to have a CA-signed certificate and use STARTTLS with fallback to plaintext. Most other mail servers won't explicitly reject mail from servers that don't use STARTTLS (or that have a self-signed certificate) but it's a common heuristic for spam filtering because most legitimate mail servers use TLS and most spammers don't, which leads to a similar result except that you don't even know when it happens.

And if your concern is cost, it is possible to get a CA-signed certificate from StartSSL for free. It is also likely that EFF's Let's Encrypt will begin supporting email in the not too distant future, at which point "apt-get install lets-encrypt" should be the end of it.
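The behaviour discussed in this thread, as an added example that is not part of the original comments or of the snow project: an offline Python model of the SMTP exchange showing when a server that requires STARTTLS answers with the `530 5.7.0` reply from the bounce above, and what happens when the client never sees the STARTTLS capability. The function name, host names and the `starttls_visible` flag are assumptions made for illustration; the level names `none`, `may` and `encrypt` follow Postfix's `smtp_tls_security_level` and `smtpd_tls_security_level` settings.

```python
# Added illustration: an offline model of the SMTP dialogue (no network I/O).
# Level names mirror Postfix's smtp_tls_security_level (client side) and
# smtpd_tls_security_level (server side). Host names are constructed.

def smtp_session(server_level, client_level, starttls_visible=True):
    """Model one delivery attempt and return (transcript, outcome).

    server_level: "may" offers STARTTLS, "encrypt" requires it before MAIL FROM.
    client_level: "none" never uses TLS, "may" uses it when offered,
                  "encrypt" refuses to send without it.
    starttls_visible: False models the STARTTLS capability missing from the
                      EHLO reply as the client sees it (a downgraded session).
    """
    log = ["C: EHLO client.example"]
    tls = False
    if starttls_visible:
        log += ["S: 250-mx.example", "S: 250 STARTTLS"]
    else:
        log.append("S: 250 mx.example")

    if client_level in ("may", "encrypt") and starttls_visible:
        log += ["C: STARTTLS", "S: 220 2.0.0 Ready to start TLS",
                "C: EHLO client.example", "S: 250 mx.example"]
        tls = True  # everything after the handshake is encrypted
    elif client_level == "encrypt":
        log.append("C: QUIT")
        return log, "deferred: client requires TLS"

    log.append("C: MAIL FROM:<sender@client.example>")
    if server_level == "encrypt" and not tls:
        # The reply quoted in the bounce message in this thread.
        log.append("S: 530 5.7.0 Must issue a STARTTLS command first")
        return log, "bounced"
    log.append("S: 250 2.1.0 Ok")
    return log, ("delivered over TLS" if tls else "delivered in cleartext")

# (server_level, client_level, starttls_visible), all constructed cases.
CASES = [("encrypt", "none", True), ("encrypt", "may", True),
         ("may", "none", True), ("may", "may", False),
         ("encrypt", "may", False)]

def outcomes():
    return {case: smtp_session(*case)[1] for case in CASES}

if __name__ == "__main__":
    for case, result in outcomes().items():
        print(case, "->", result)
```

The fourth case is the silent fallback to cleartext that opportunistic TLS allows; the fifth shows that a server requiring encryption turns the same situation into a visible bounce.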

0-8-15 commented 9 years ago

A closer look into the postfix config reveals bad news to me: it looks as if it SHOULD do starttls. Leaves me wondering why it fails.

On 19.05.2015 at 16:02, zrm wrote:

> You don't need a certificate to use STARTTLS for outgoing mail. TLS client authentication is optional. It is also possible to use a self signed certificate for incoming mail.
>
> You might find people saying you need a CA-signed certificate to use TLS, the theory being that without it you can't be authenticated, but worrying about that is a bit silly when an active attacker can trivially downgrade STARTTLS to plaintext. The primary benefit of TLS for email is not to thwart an active attacker with authentication, it's to thwart a passive attacker with encryption.
>
> Interoperability is a different question. But the most interoperable option is to have a CA-signed certificate and use STARTTLS with fallback to plaintext. Most other mail servers won't explicitly reject mail from servers that don't use STARTTLS (or that have a self-signed certificate) but it's a common heuristic for spam filtering because most legitimate mail servers use TLS and most spammers don't, which leads to a similar result except that you don't even know when it happens.
>
> And if your concern is cost, it is possible to get a CA-signed certificate from StartSSL for free. It is also likely that EFF's Let's Encrypt will begin supporting email in the not too distant future, at which point "apt-get install lets-encrypt" should be the end of it.


zrm commented 8 years ago

It appears that this has caused problems for multiple people and pragmatism has therefore won the day.