Hi, I wanted to share some research we have done on vulnerabilities in STARTTLS implementations: https://nostarttls.secvuln.info/
We started analyzing STARTTLS implementations in E-Mail servers and clients based on the 2011 command injection discovered in Postfix. We learned that this vulnerability is still very prevalent in current servers and that clients suffer from similar vulnerabilities. We also found some IMAP-specific vulnerabilities.

Focussing on client-to-server communication, our recommendations are mostly in line with what this working group has already concluded in RFC 8314, which is that implicit TLS on its own port should be preferred over STARTTLS.

Our research has not focussed on the server-to-server part. Still, I think particularly the buffering / injection vulnerabilities are a concern if one wants to secure s2s communication with mechanisms like MTA-STS. I strongly recommend that users of MTA-STS audit their STARTTLS implementations for buffering bugs. (We found a buffering bug in Yahoo's MX servers, and Yahoo is one of the companies driving MTA-STS. I was unable to report this properly to Yahoo; I reported it through their Hackerone bug bounty program, but the bug triagers were unwilling to try to understand the issue and didn't forward it to Yahoo.)

-- 
Hanno Böck
https://hboeck.de/

Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
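The buffering bug the post asks MTA-STS users to audit for is the one behind the 2011 Postfix advisory: a client pipelines a plaintext command directly behind `STARTTLS` in the same write, and a server that does not discard its already-buffered input before the handshake executes that plaintext command as if it had arrived inside the TLS session. The following is an added example written for this page; it is not code from the post, from the nostarttls.secvuln.info research or from any mail server project. It contains a small model of the server read loop with and without the flush (the fix), a pure reply parser, and a network probe that sends `STARTTLS\r\nNOOP\r\n` in one write and then waits, without sending anything, for a reply over TLS. The probe target name `probe.example`, the choice of `NOOP` as the injected command and all function names are this example's own assumptions.

```python
"""STARTTLS command injection ("buffering bug"): server-side model of the bug
and its fix, plus a client-side probe. Added example; not code from the post,
from nostarttls.secvuln.info or from any MTA."""
import socket
import ssl


def split_reply(buf: bytes):
    """Pure parser: take one complete SMTP reply off the front of `buf`.
    Returns (code, lines, remaining_bytes), or None while the reply is still
    incomplete. A reply ends at the first line whose 4th byte is a space
    ("250 OK"), continuation lines use "-" ("250-PIPELINING")."""
    lines, rest = [], buf
    while b"\r\n" in rest:
        line, rest = rest.split(b"\r\n", 1)
        lines.append(line.decode("latin-1"))
        if len(line) >= 4 and line[3:4] == b" ":
            return line[:3].decode("ascii"), lines, rest
    return None


def model_server(plaintext: bytes, tls_plaintext: bytes, flush_on_starttls: bool):
    """Hypothetical model of a server read loop. `plaintext` arrives before the
    handshake, `tls_plaintext` is what the client sends encrypted afterwards.
    Returns the commands the server executes *inside* the TLS session.
    flush_on_starttls=False: bytes that followed STARTTLS in the clear stay in
    the application buffer and are executed as if TLS had protected them."""
    buf, executed, in_tls = plaintext, [], False
    while not in_tls and b"\r\n" in buf:
        line, buf = buf.split(b"\r\n", 1)
        if line.strip().upper() == b"STARTTLS":
            in_tls = True                    # "220 go ahead" + handshake here
            if flush_on_starttls:
                buf = b""                    # the fix: drop pipelined plaintext
    buf += tls_plaintext                     # data decrypted from the TLS layer
    for line in buf.split(b"\r\n"):
        if line:
            executed.append(line.decode("latin-1").upper())
    return executed


class _Reader:
    """Buffered reply reader over a socket; keeps bytes beyond one reply."""
    def __init__(self, sock):
        self.sock, self.buf = sock, b""

    def reply(self):
        while (r := split_reply(self.buf)) is None:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            self.buf += chunk
        code, lines, self.buf = r
        return code, lines


def probe_smtp_starttls_injection(host: str, port: int = 25, timeout: float = 10.0):
    """Returns True (pipelined plaintext NOOP was answered inside TLS: the
    buffering bug), False (handshake broke or STARTTLS was refused: plaintext
    was not kept) or None (inconclusive). Certificate checks are disabled on
    purpose: the input buffer is what is tested here, not the certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        rd = _Reader(raw)
        if rd.reply()[0] != "220":
            return None
        raw.sendall(b"EHLO probe.example\r\n")          # hypothetical hostname
        code, lines = rd.reply()
        if code != "250" or not any("STARTTLS" in l.upper() for l in lines[1:]):
            return None                                 # STARTTLS not offered
        raw.sendall(b"STARTTLS\r\nNOOP\r\n")            # the injection: one write
        if rd.reply()[0] != "220":
            return False          # refused, e.g. server rejects pipelined input
        if rd.buf:
            return None           # NOOP answered in the clear, before handshake
        try:
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except ssl.SSLError:
            return False          # leftover plaintext broke the handshake
        with tls:
            tls.settimeout(timeout)
            try:
                code, _ = _Reader(tls).reply()   # we sent nothing over TLS yet
            except OSError:
                code = None                      # timeout / alert: no reply
            try:
                tls.sendall(b"QUIT\r\n")
            except OSError:
                pass
        return code is not None
```

The probe reads the STARTTLS reply with its own buffer rather than `socket.makefile()`, so that any plaintext bytes beyond the `220` line are visible before the socket is handed to the TLS layer; a server that answers the pipelined `NOOP` in the clear is a different (non-buffering) behaviour and is reported as inconclusive. Run it as `probe_smtp_starttls_injection("mx.example.net")` only against servers you are authorised to test.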