Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-07-23 Thread Carl Byington
For those of you that a) use sendmail and b) want to automatically fall back to plain text when talking to servers with short DH keys, Claus Assmann on comp.mail.sendmail posted a patch http://www.sendmail.org/%7Eca/email/patches/tls_failures.p1 to e

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-07-01 Thread Michelle Sullivan
Hugo Slabbert wrote: > On Tue 2015-Jun-30 01:04:48 +0200, Michelle Sullivan > wrote: > >>> That said, so far today, only 0.015% of our outbound messages that >>> were over an encrypted link were using SSLv3. At our volume, that's >>> not nothing, unfortunately, but it's a pretty small amount to

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-07-01 Thread Michelle Sullivan
Brandon Long wrote: > > > On Tue, Jun 30, 2015 at 8:12 AM, Hugo Slabbert > wrote: > > On Tue 2015-Jun-30 01:04:48 +0200, Michelle Sullivan > wrote: > > That said, so far today, only 0.015% of our outbound > m

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-30 Thread Hugo Slabbert
On Tue 2015-Jun-30 01:04:48 +0200, Michelle Sullivan wrote: That said, so far today, only 0.015% of our outbound messages that were over an encrypted link were using SSLv3. At our volume, that's not nothing, unfortunately, but it's a pretty small amount to allow to continue to allow the poss

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-30 Thread Mike Cardwell
* on the Mon, Jun 29, 2015 at 06:15:09PM -0700, Carl Byington wrote: > dnssec/dane-smtp closes that loophole. > The receiver needs to care enough about closing that loophole to publish > a dnssec secured tlsa record for _25._tcp.mx-target-name, and the sender > needs to care enough about it to use
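The loophole Carl Byington describes in the quoted text above is closed by the receiver publishing a DNSSEC-signed TLSA record under _25._tcp.<mx-target-name> and the sender checking it. The following is an added Python example, not code from the thread or from any MTA named in it, showing how that record's RDATA is derived from the MX certificate (DANE-EE usage 3, SubjectPublicKeyInfo selector 1, SHA-256 matching type 1, as recommended for SMTP) and how a sender re-derives it from the certificate actually presented. It uses only the standard library; the certificate it hashes is a constructed, unsigned DER skeleton and mx.example.net is a placeholder, so it runs offline.

```python
import hashlib

SEQUENCE = 0x30
CONTEXT_0 = 0xA0  # explicit [0] version field at the start of TBSCertificate


def _der_read_tlv(buf: bytes, off: int):
    """Return (tag, value, end) for the DER element at buf[off]; definite lengths only."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    end = off + length
    if end > len(buf):
        raise ValueError("DER value runs past buffer")
    return tag, buf[off:end], end


def _der_children(value: bytes):
    """List (tag, whole_tlv) for each element inside a constructed DER value."""
    out, off = [], 0
    while off < len(value):
        tag, _, end = _der_read_tlv(value, off)
        out.append((tag, value[off:end]))
        off = end
    return out


def subject_public_key_info(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 cert. TBSCertificate is
    SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer, validity,
               subject, subjectPublicKeyInfo, ... }, so SPKI is field index 5."""
    tag, cert, _ = _der_read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER Certificate")
    tbs_tag, tbs, _ = _der_read_tlv(cert, 0)
    if tbs_tag != SEQUENCE:
        raise ValueError("not a TBSCertificate")
    fields = _der_children(tbs)
    if fields and fields[0][0] == CONTEXT_0:  # skip the optional version field
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != SEQUENCE:
        raise ValueError("malformed TBSCertificate")
    return fields[5][1]


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """RFC 6698 RDATA; defaults are DANE-EE(3) / SPKI(1) / SHA-256(1)."""
    data = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if mtype == 0:
        assoc = data.hex()
    elif mtype == 1:
        assoc = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {assoc}"


def tlsa_rr(mx_host: str, cert_der: bytes, port: int = 25, **kw) -> str:
    """Owner name is _25._tcp.<MX target host>, i.e. the host named in the MX record,
    not the mail domain itself."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}. IN TLSA {tlsa_rdata(cert_der, **kw)}"


def presented_cert_matches(cert_der: bytes, rdata: str) -> bool:
    """Sender side: recompute the association from the certificate the MX presented
    and compare it with the published RDATA (hex is case-insensitive)."""
    usage, selector, mtype, assoc = rdata.split()
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)).split()[3]
    return expected.lower() == assoc.lower()


def _der(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed sample certificate."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_cert_der(serial: int = 1) -> bytes:
    """CONSTRUCTED test input: structurally valid, unsigned cert skeleton for the
    placeholder mx.example.net (serial < 128). Real use: the MX's DER certificate,
    e.g. `openssl x509 -in mx.pem -outform DER`."""
    seq = lambda *parts: _der(SEQUENCE, b"".join(parts))
    sha256_rsa = seq(_der(0x06, bytes.fromhex("2A864886F70D01010B")), _der(0x05, b""))  # 1.2.840.113549.1.1.11
    rsa_enc = seq(_der(0x06, bytes.fromhex("2A864886F70D010101")), _der(0x05, b""))     # 1.2.840.113549.1.1.1
    name = seq(_der(0x31, seq(_der(0x06, bytes.fromhex("550403")), _der(0x0C, b"mx.example.net"))))  # CN=
    validity = seq(_der(0x17, b"150101000000Z"), _der(0x17, b"250101000000Z"))
    fake_rsa_key = seq(_der(0x02, b"\x00" + b"\xCA\xFE" * 16), _der(0x02, b"\x01\x00\x01"))  # placeholder n, e
    spki = seq(rsa_enc, _der(0x03, b"\x00" + fake_rsa_key))
    tbs = seq(_der(CONTEXT_0, _der(0x02, b"\x02")), _der(0x02, bytes([serial])),
              sha256_rsa, name, validity, name, spki)
    return seq(tbs, sha256_rsa, _der(0x03, b"\x00" + bytes(32)))  # placeholder signature


if __name__ == "__main__":
    print(tlsa_rr("mx.example.net", build_sample_cert_der()))
```

Selector 1 is hashed over the key, not the whole certificate, so a re-issued certificate with the same key keeps matching while a selector 0 record would break; the record still has to live in a DNSSEC-signed zone for a sender to trust it, which is the part of Carl's point no code on the sender side can substitute for.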

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-29 Thread Carl Byington
On Tue, 2015-06-30 at 01:04 +0200, Michelle Sullivan wrote: > just get someone to setup a server as the destination hop, accept > encrypted email (DH=4096 for good measure) then forward plain text dnssec/dane-smtp closes that loophole. The receiver

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-29 Thread Brandon Long
On Mon, Jun 29, 2015 at 4:04 PM, Michelle Sullivan wrote: > Brandon Long wrote: > > > > > > On Mon, Jun 29, 2015 at 1:48 PM, Michelle Sullivan > > wrote: > > > > > > Thoughts/comments welcome. > > > > > > Sure, there's a bit of political or privacy argument involve

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-29 Thread tqr2813d376cjozqap1l
29. Jun 2015 23:04 by miche...@sorbs.net: > Brandon Long wrote: > >> Inbound is 0.1% at SSLv3, 37% at TLSv1. > So +60% is unencrypted inbound... because it has to be or because it is > not forced otherwise... that is the burning question. You policy > Encrypted or nothing and it'll be interestin

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-29 Thread Michelle Sullivan
Brandon Long wrote: > > > On Mon, Jun 29, 2015 at 1:48 PM, Michelle Sullivan > wrote: > > > Thoughts/comments welcome. > > > Sure, there's a bit of political or privacy argument involved here, > that some people think "why does this need to be encrypted". There > do

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-29 Thread Brandon Long
On Mon, Jun 29, 2015 at 1:48 PM, Michelle Sullivan wrote: > Brandon Long wrote: > > > > > > On Fri, Jun 26, 2015 at 7:03 PM, Michelle Sullivan > > wrote: > > > > > > > > Sure SMTP can have the lowest common denominator, but I thought the > > whole point of the

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-29 Thread Michelle Sullivan
Brandon Long wrote: > > > On Fri, Jun 26, 2015 at 7:03 PM, Michelle Sullivan > wrote: > > > > Sure SMTP can have the lowest common denominator, but I thought the > whole point of the protocol and extensions was: > > 1/ You want to ensure the email is not read

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-29 Thread Brandon Long
On Fri, Jun 26, 2015 at 7:03 PM, Michelle Sullivan wrote: > Brandon Long wrote: > > > > I've considered an opposite DANE, where a server can know whether to > > refuse an unencrypted connection. One could imagine an extension to > > spf for example saying that only encrypted connections from the

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-27 Thread John Levine
>I've considered an opposite DANE, where a server can know whether to refuse >an unencrypted connection. There's a draft in DANE that more or less does this. See draft-ietf-dane-smtp-with-dane-19 (It's unrelated to the wacky PGP key stuff.) ___ m

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-26 Thread tqr2813d376cjozqap1l
27. Jun 2015 02:03 by miche...@sorbs.net: > 2/ You want to ensure credentials for SMTP-AUTH are not compromised you > SSL3/TLS/TLSv1.2,DH=4096 the connection > No SSLv3, please! http://disablessl3.com ___ mailop mailing list mailop@mailop.org http:/

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-26 Thread Michelle Sullivan
Brandon Long wrote: > > I've considered an opposite DANE, where a server can know whether to > refuse an unencrypted connection. One could imagine an extension to > spf for example saying that only encrypted connections from these ips > are to be considered authed, or just abusing spf as for encry

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-26 Thread Brandon Long
I've considered an opposite DANE, where a server can know whether to refuse an unencrypted connection. One could imagine an extension to spf for example saying that only encrypted connections from these ips are to be considered authed, or just abusing spf as for encryption required as well. Spf is

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-26 Thread Michelle Sullivan
Brandon Long wrote: > > > On Fri, Jun 26, 2015 at 11:53 AM, Carl Byington > wrote: > > On Thu, 2015-06-25 at 13:25 -0700, Brandon Long wrote: > > We haven't implemented it yet, though we expect to in t

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-26 Thread Brandon Long
On Fri, Jun 26, 2015 at 11:53 AM, Carl Byington wrote: > On Thu, 2015-06-25 at 13:25 -0700, Brandon Long wrote: > > We haven't implemented it yet, though we expect to in the near future. > > Does this mean that google will then refuse to deliver

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-26 Thread Carl Byington
On Thu, 2015-06-25 at 13:25 -0700, Brandon Long wrote: > We haven't implemented it yet, though we expect to in the near future. Does this mean that google will then refuse to deliver mail to sites that: 1) advertise starttls in response to ehlo, and

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-25 Thread Gilles Chehade
On Wed, Jun 24, 2015 at 02:06:43PM -0700, Carl Byington wrote: > > Does Exim (immediately or delayed) retry that connection and > (temporarily or permanently) ignore the offer of STARTTLS? Does anyone > know the behavior of Postfix or other software in this circumstance? > OpenSMTPD falls back t

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-24 Thread Phil Pennock
On 2015-06-24 at 14:06 -0700, Carl Byington wrote: > Does Exim (immediately or delayed) retry that connection and > (temporarily or permanently) ignore the offer of STARTTLS? Depends upon the configuration. Assuming defaults, "yes". http://www.exim.org/exim-html-current/doc/html/spec_html/ch-enc

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-24 Thread Carl Byington
On Thu, 2015-06-25 at 00:09 +0100, Brandon Long wrote: > Not in front of a computer to check if we see failures like this, but > we (google) stopped falling back to unencrypted connections >2y ago. > This had an impact on a small number of misconfigur

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-24 Thread Carl Byington
On Tue, 2015-06-23 at 20:16 +, Phil Pennock wrote: > A key issue though is that by default, Exim will fall back to > unencrypted because encryption to MX is opportunistic. Sendmail as a client sends EHLO, receives an offer of STARTTLS, sends START

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-24 Thread Carl Byington
On Tue, 2015-06-23 at 12:27 -0500, Frank Bulk wrote: > Is there a public list of such weak domains/MXes? Well, I have a few from grepping my logs: mail.ritz.edu hawk.dcu.ie inbound30.exchangedefender.com smtp.raymondcorp.com smtp1.raymondcorp.com smt

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-23 Thread Phil Pennock
On 2015-06-23 at 16:35 +0200, Johann Klasek wrote: > On Sat, Jun 20, 2015 at 11:33:00AM -0500, Frank Bulk wrote: > > http://www.circleid.com/posts/20150620_logjam_openssl_and_email_deliverability/ > > > > FYI, just a heads up. > > OpenSSL now rejects handshakes using DH parameters shorter th

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-23 Thread Frank Bulk
Is there a public list of such weak domains/MXes? Frank -Original Message- From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Johann Klasek Sent: Tuesday, June 23, 2015 9:36 AM To: mailop@mailop.org Subject: Re: [mailop] Blog: Logjam, Openssl and Email Deliverability On Sat

Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-23 Thread Johann Klasek
On Sat, Jun 20, 2015 at 11:33:00AM -0500, Frank Bulk wrote: > http://www.circleid.com/posts/20150620_logjam_openssl_and_email_deliverability/ > > FYI, just a heads up. OpenSSL now rejects handshakes using DH parameters shorter than 768 bits as a countermeasure against the Logjam attack (CVE-20
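The rejection Johann Klasek mentions happens when the client sees the server's DHE group: the prime arrives in the ServerKeyExchange message, and OpenSSL 1.0.2b/1.0.1n abort the handshake if it is shorter than 768 bits. The following is an added Python example, not code from the thread or from OpenSSL, that parses a captured TLS record carrying a ServerKeyExchange for a DHE suite (RFC 5246 section 7.4.3), reports the prime length, and applies the 768-bit floor plus a 2048-bit advisory threshold; it is the check you would run over a packet capture of an MX that mysteriously stopped receiving TLS mail. The sample record and the 512-bit value in it are constructed for the example and are not a real DH group.

```python
import struct
from typing import NamedTuple

# Floor introduced by OpenSSL 1.0.2b / 1.0.1n as a Logjam countermeasure: a
# ServerKeyExchange whose DH prime is shorter than this aborts the handshake.
OPENSSL_LOGJAM_MIN_BITS = 768
RECOMMENDED_MIN_BITS = 2048          # what the Logjam paper recommends for new groups

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_SERVER_KEY_EXCHANGE = 12


class DHParams(NamedTuple):
    p: int
    g: int
    ys: int

    @property
    def p_bits(self) -> int:
        return self.p.bit_length()


def _read_vec16(buf: bytes, off: int):
    """TLS opaque<1..2^16-1>: two-byte big-endian length followed by the body."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[off:off + n], off + n


def parse_server_key_exchange_record(record: bytes) -> DHParams:
    """Pull ServerDHParams (p, g, Ys) out of a TLS record that carries a
    ServerKeyExchange for a DHE_* suite. The signature after Ys is ignored."""
    if len(record) < 5:
        raise ValueError("short TLS record header")
    ctype, _maj, _min, rec_len = struct.unpack_from("!BBBH", record, 0)
    if ctype != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {ctype})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length mismatch")
    # Handshake header: one-byte type, three-byte length.
    if len(body) < 4 or body[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("handshake length mismatch")
    p_bytes, off = _read_vec16(hs, 0)
    g_bytes, off = _read_vec16(hs, off)
    ys_bytes, off = _read_vec16(hs, off)
    return DHParams(int.from_bytes(p_bytes, "big"),
                    int.from_bytes(g_bytes, "big"),
                    int.from_bytes(ys_bytes, "big"))


def logjam_verdict(params: DHParams, floor_bits: int = OPENSSL_LOGJAM_MIN_BITS) -> str:
    """Mirror the client-side decision: reject below the floor, warn below 2048."""
    bits = params.p_bits
    if bits < floor_bits:
        return f"REJECT: {bits}-bit DH prime is below the {floor_bits}-bit floor"
    if bits < RECOMMENDED_MIN_BITS:
        return f"WEAK: {bits}-bit DH prime accepted but below {RECOMMENDED_MIN_BITS} bits"
    return f"OK: {bits}-bit DH prime"


def build_server_key_exchange_record(p: int, g: int, ys: int, version=(3, 3)) -> bytes:
    """Constructed test input: wrap ServerDHParams in handshake and record headers
    (no signature appended; the parser above ignores trailing bytes anyway)."""
    def vec16(n: int) -> bytes:
        b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        return struct.pack("!H", len(b)) + b
    hs_body = vec16(p) + vec16(g) + vec16(ys)
    handshake = bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BBBH", CONTENT_TYPE_HANDSHAKE, version[0], version[1], len(handshake)) + handshake


# Constructed sample: a 512-bit value with the top bit set, standing in for the
# export-grade groups Logjam targeted. Hypothetical, not a real or safe prime.
EXPORT_512_P = (1 << 511) | 0x1234567
SAMPLE_RECORD = build_server_key_exchange_record(EXPORT_512_P, 2, 0xABCDEF)

if __name__ == "__main__":
    print(logjam_verdict(parse_server_key_exchange_record(SAMPLE_RECORD)))
```

A 1024-bit group passes the 768-bit floor and so would not explain a deliverability failure against these OpenSSL releases, but it still lands in the WEAK band, which is why the thread's receivers talk about moving to 2048 or 4096 bits rather than just clearing 768.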

[mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-20 Thread Frank Bulk
http://www.circleid.com/posts/20150620_logjam_openssl_and_email_deliverability/ FYI, just a heads up. Frank ___ mailop mailing list mailop@mailop.org http://chilli.nosignal.org/mailman/listinfo/mailop