Questions tagged [starttls]
22 questions
32
votes
2 answers
Why is STARTTLS used when it can be downgraded very easily?
People are making a big fuss about how you absolutely have to disable SSLv3 because TLS can be downgraded to SSLv3 and there is barely a server left on the internet that speaks SSLv3.
At the same time, almost every mail server out there will happily…
AndreKR
- 498
- 4
- 9
21
votes
5 answers
How can I verify that SSLv3 protocol is disabled?
I'm trying to disable SSLv3 in ejabberd 2.1.10 on Ubuntu 12.04. There is no way to disable it in config file, so I have to patch the source and rebuild the package: https://github.com/processone/ejabberd/issues/113
The problem is after patching and…
quanta
- 433
- 2
- 4
- 10
16
votes
2 answers
Perfectly secure Postfix MTA (SMTP) configuration
I want to secure my root server (further) service by service, starting with the SMTP service (Postfix MTA) as the most busy one. I the course of setting everything up, I read a lot about security and encryption and tried my best to gather the most…
08frak
- 303
- 1
- 2
- 7
10
votes
3 answers
Why enable SMTP STARTTLS if OpenSSL is dangerous?
There are a bunch of people in the anti-surveillance movement who are virtually demanding that I enable SMTP STARTTLS support in my environment, in order to enable opportunistic MTA-to-MTA encryption. The same anti-surveillance people are meanwhile…
ruief
- 883
- 4
- 11
8
votes
2 answers
Why are common services using implicit SSL not considered obsolete in the way that SMTPS is?
SMTPS (implicit SSL) has been deprecated/obsolete since SMTP+STARTTLS (explicit SSL) was defined in RFC2487. I'm not entirely clear on the reasoning behind that, but it was clearly considered a good idea at the time.
A parallel can be seen with IMAP…
Synchro
- 647
- 1
- 6
- 14
5
votes
2 answers
Does sending email with TLS help to not being flaged as spam?
Does sending email with TLS help to not being blocked or not being flagged as spam by recipient?
user4271704
- 153
- 1
- 4
4
votes
2 answers
What happens if STARTTLS dropped in SMTP?
SMTP uses STARTTLS extension to upgrade SMTP to SMTP Secure (STMPS). According the the RFC, the client and server starts TLS as follows:
S:
C:
S: 220 mail.imc.org SMTP service ready
…
user6875880
- 167
- 1
- 3
3
votes
3 answers
Must mail relays always indicate the use of encryption in the “Received:” header field?
When an email message is sent with transport encryption, you can tell it from the “Received:” field the receiving mail relay adds to the message header.
> Received: from [...].google.com ([...]) by
> [...].mail.protection.outlook.com ([...]) with…
ȷ̇c
- 174
- 6
2
votes
1 answer
Is traffic subsequent to a SASL/GSSAPI bind encrypted?
When making a SASL/GSSAPI bind to an LDAP server over port 389 (ldap:///), after the authentication is finished is the resulting LDAP traffic encrypted? If so, is there a document or RFC that describes this?
Assume that no STARTLS command is issued…
rlandster
- 363
- 1
- 2
- 7
2
votes
3 answers
What is the purpose of opportunistic TLS (like STARTTLS)?
Opportunistic TLS refers to extensions in plain text communication protocols, which offer a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication...
Source:…
Bob Ortiz
- 6,234
- 8
- 43
- 90
2
votes
1 answer
Can STARTTLS protect emails between two organisations?
There are a few threads on STARTTLS but none seem to provide a clear overview of what STARTTLS can and can not do with respect to encrypting email in transit.
So my question is, can STARTTLS be configured to secure email sent between two…
R15
- 2,923
- 1
- 11
- 21
2
votes
1 answer
Initial handshakes of attacks via client-initiated renegotiation
As far as I understand after reading this beautifully explained answer, MiTM data injection attacks via client-initiated renegotiation can only happens if the attacker is already in a connection with the server which did not check his credential. He…
nullgraph
- 197
- 9
1
vote
1 answer
Is my Postfix and Dovecot configuration secure?
Today I set up my first server with Dovecot and Postfix.
These are excerpts from the configuration files:
Dovecot:
disable_plaintext_auth = yes
ssl = required
ssl_prefer_server_ciphers = yes
ssl_cipher_list =…
Ben Richard
- 3,006
- 5
- 16
- 18
1
vote
3 answers
How to check if a mail server is Enforced-STARTLS rather than Opportunistic-STARTTLS?
This article tells us that there are two types of STARTTLS: Opportunistic (i.e. optional STARTTLS) STARTTLS and Enforced STARTTLS, which works by the doctrine of "Encrypted connection or drop connection".
We can use checktls.com/TestReceiver to…
user75058
- 11
- 2
1
vote
0 answers
Can EAP-TTLS provide the dual authentication I require?
What I want to do: Lock down the Tech Vlan so that only an approved device AND a user in the tech security group are allocated. I am hoping to achieve this via EAP-TTLS and Windows NPS whereby the machine provides the tunnel then the user…
Matt
- 111
- 2