[gentoo-dev] Infra support for mail submission with implicit TLS on port 465

[gentoo-dev] Infra support for mail submission with implicit TLS on port 465

[Michael Orlitzky]

There have been some attacks on STARTTLS lately, so I'm finally getting
around to using implicit TLS for mail submission on port 465.

I tried this on dev.gentoo.org, and it seems to work. For example: I
just switched Evolution to port 465, with always-on TLS, and am sending
this message.

Is this supported? I don't see it in the infra docs anywhere.

Re: [gentoo-dev] Infra support for mail submission with implicit TLS on port 465

[Hanno Böck]

On Sat, 14 Aug 2021 09:47:25 -0400
Michael Orlitzky <mjo@gentoo.org> wrote:

> There have been some attacks on STARTTLS lately, so I'm finally
> getting around to using implicit TLS for mail submission on port 465.

FWIW I am Co-author of the paper that documented these attacks, so in
case you have any questions I guess I can answer them.

> I tried this on dev.gentoo.org, and it seems to work. For example: I
> just switched Evolution to port 465, with always-on TLS, and am
> sending this message.
> 
> Is this supported? I don't see it in the infra docs anywhere.

I've been using 465 for a while and probably would've noted during our
research if Gentoo wouldn't support that.
I guess we can conclude that it works and we should probably mention it
in the docs.


-- 
Hanno Böck
https://hboeck.de/

Re: [gentoo-dev] Infra support for mail submission with implicit TLS on port 465

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 831 bytes --]

On Sat, Aug 14, 2021 at 05:15:54PM +0200, Hanno Böck wrote:
> FWIW I am Co-author of the paper that documented these attacks, so in
> case you have any questions I guess I can answer them.
Yes, I have a question: are you going to claim DJB's $500 qmail security
reward?

> > Is this supported? I don't see it in the infra docs anywhere.
> I've been using 465 for a while and probably would've noted during our
> research if Gentoo wouldn't support that.
> I guess we can conclude that it works and we should probably mention it
> in the docs.
Added to the docs now, thanks for pointing it out.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1113 bytes --]

Re: [gentoo-dev] Infra support for mail submission with implicit TLS on port 465

[Rolf Eike Beer]

[-- Attachment #1: Type: text/plain, Size: 418 bytes --]

Am Dienstag, 17. August 2021, 00:23:26 CEST schrieb Robin H. Johnson:
> On Sat, Aug 14, 2021 at 05:15:54PM +0200, Hanno Böck wrote:
> > FWIW I am Co-author of the paper that documented these attacks, so in
> > case you have any questions I guess I can answer them.
> 
> Yes, I have a question: are you going to claim DJB's $500 qmail security
> reward?

That would be lame, as DJB did not implement STARTTLS.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]