t and justified opinions on what
to consider "good" and "best" practices on this matter.
Regards,
Per Thorsheim
On 23.04.2014 16:35, Viktor Dukhovni wrote:
> On Wed, Apr 23, 2014 at 04:21:14PM +0200, Per Thorsheim wrote:
> It seems to me as if mailadmins prefer supporting "everything",
> since anything is better than plaintext.
> Correct. This is called "opportunistic TLS"
d over SSLv2, ANON suites and expired
certificates.
One of our goals with starttls.info was to aid in the global deployment
of STARTTLS, another goal was to improve the minimum level used by
anyone deploying STARTTLS. That is until Viktor's IETF proposal, or
anything similar, reaches broad adoption on the
mes I like to believe for myself that it
just might have made a positive difference to some. It will continue to
operate, and I hope we'll be able to expand it to do additional checks
of configurations such as those proposed by you.
Best regards,
Per Thorsheim
Den 20.05.2014 15:56, skrev Viktor D
https://datatracker.ietf.org/doc/draft-ietf-dane-smtp-with-dane/
"In WG Last Call"
Any estimate on when this might become final Viktor?
After Google named & shamed Comcast for not having starttls, many
well-known services are now establishing RFC 3207 starttls support.
Additionally people are bec
On 16.06.2014 17:18, Viktor Dukhovni wrote:
> On Mon, Jun 16, 2014 at 10:12:03AM +0200, Per Thorsheim wrote:
>
>> https://datatracker.ietf.org/doc/draft-ietf-dane-smtp-with-dane/
>> "In WG Last Call"
>>
>> Any estimate on when this might become final V
On 17.06.2014 20:59, Viktor Dukhovni wrote:
> Thanks for fighting the good fight. In the mean-time, any chance
> you could stop fix the misleading TLS support scores starttls.info
> issues to soundly configured MTAs?
>
> * For SMTP, self-signed certificates are as good as CA issued
> ce
'll make references to this
and DANE TLS in my talk at the DEFCON Crypto & Privacy Village. I'm very
happy to see that these issues are gaining a lot of attention these days.
Viktor: Is the IEEE meeting done yet? Any status update for DANE TLS?
BR,
Per Thorsheim
On 29.07.2014 16:14, Viktor Dukhovni wrote:
> On Tue, Jul 29, 2014 at 03:57:24PM +0200, Per Thorsheim wrote:
>
>> I don't know if this list is aware of this project?
>>
>> https://github.com/EFForg/starttls-everywhere
>
> The EFF folks behind this effo
On 21.03.2016 18.47, Viktor Dukhovni wrote:
>
>> On Mar 21, 2016, at 12:18 PM, David Schweikert wrote:
>>
>> I wonder what the Postfix community thinks or plans to do according to
>> this standard that is being written:
>> https://datatracker.ietf.org/doc/draft-margolis-smtp-sts/?include_text=1
ally any other ideas or experiences with using SHA-256
certificates that have caused problems for STARTTLS, or e.g. appliances
that don't support it?
I already know that Cisco Ironport and Barracuda appliances only
support up to and including TLSv1, haven't found any info there for
SHA-
On 02.10.2014 14:38, Wietse Venema wrote:
> Per Thorsheim:
>> Mozilla and others have reported on old web clients that don't support
>> the use of new SHA-256 signed SSL certificates on websites. In a recent
>> thread at Mozilla
>> https://bugzilla.mozill
r any other
info on the configuration & reasoning behind their selective choices?
I just assume that a whole lot of mail must be sent in plain due to
their very narrow approach?
Regards,
Per Thorsheim
On 05.01.2015 18:59, li...@rhsoft.net wrote:
>
> On 05.01.2015 at 18:47, Viktor Dukhovni wrote:
>> On Mon, Jan 05, 2015 at 06:01:03PM +0100, DTNX Postmaster wrote:
>>
With RC4-SHA early enough for the 11-year old Microsoft Exchange
servers.
>>>
>>> Sadly, older Exchange servers (2003 a
s to read here, but short question is;
how will this eventually impact future deployment of SMTP security
via opportunistic DANE TLS?
Best regards,
Per Thorsheim
According to Twitter.com/einaros, the https://starttls.info/ database
shows 43266 distinct SMTP servers (~12%) support RSA Export suites, re:
#FREAK attack.
I wonder what percentages would look like for pop/imap servers.
Best regards,
Per Thorsheim
Cannot find a simple process guide for configuring DANE TLSA support &
publish relevant DNSSEC signed information. Anyone got a complete guide
from start to finish?
BR,
Per
of scrolling to get to relevant
> information but I hope it helps
>
> https://ripe68.ripe.net/presentations/253-DANEs_don%27t_lie-20140512.pdf
>
>
> On 02/06/2015 9:35 am, Per Thorsheim wrote:
>> Cannot find a simple process guide for configuring DANE TLSA support &
>
587 without breaking RFCs, "best
practices", or cryptographers' ability to sleep well.
BR,
Per Thorsheim
If using IP addresses in SPF records, is it necessary to specify both
IPv4 & IPv6 addresses? Is there currently a risk of unwanted problems if
only IPv4 (or only IPv6) addresses are specified, when a mailserver is
available using both 4 & 6?
--
Best regards,
Per Thorsheim
Twitter: @thorsheim
On 02.01.2017 16.41, A. Schulze wrote:
>
> On 02.01.2017 at 14:18, Sebastian Nielsen wrote:
>> OFC you must specify both unless you have completely disabled sending of
>> outgoing mail via IPv6.
>
> I think, that's wrong
>
> One may publish records like "v=spf1 a -all" for a host mail.example
On 12/04/2019 17:09, Scott Kitterman wrote:
On Friday, April 12, 2019 10:46:50 AM micah anderson wrote:
The site https://hardenize.com provides relatively decent Email reports,
along with other reports. It checks a number of things including certs,
MTA-STS, TLS-RPT, DANE, SPF, DMARC, and then a
22 matches