Mailing List Archive: exim: users

Should MX offer TLS ?

 

 



chris at eng

Nov 6, 2007, 4:12 PM

Post #1 of 29 (1790 views)
Should MX offer TLS ?

Hi,

Many sites now have an elegant setup where submission happens on port
465/587, where both TLS and AUTH are mandatory. Port 25 is used for
MTA->MTA traffic, hence no need for AUTH on port 25.

However I'm noticing many such sites with the above setup who don't offer
TLS on port 25 of the MX servers. Is there a particular reason for this ?

OK, for MTA->MTA traffic, there's normally no check of a certificate, so
no defence against man-in-the-middle attacks. But at least you get
"opportunistic encryption" of incoming mail, whereby the traffic is
scrambled over the wire, defending against a passive eavesdropper.

Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
Are folk just turning it off to save CPU ?

Thanks for any clue.

Chris

--
Chris Edwards, Glasgow University Computing Service

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


brent at servuhome

Nov 6, 2007, 4:50 PM

Post #2 of 29 (1757 views)
Re: Should MX offer TLS ? [In reply to]

Quoting Chris Edwards <chris [at] eng>:

> Hi,
>
> Many sites now have an elegant setup where submission happens on port
> 465/587, where both TLS and AUTH are mandatory. Port 25 is used for
> MTA->MTA traffic, hence no need for AUTH on port 25.
>
> However I'm noticing many such sites with the above setup who don't offer
> TLS on port 25 of the MX servers. Is there a particular reason for this ?
>
> OK, for MTA->MTA traffic, there's normally no check of a certificate, so
> no defence against man-in-the-middle attacks. But at least you get
> "opportunistic encryption" of incoming mail, whereby the traffic is
> scrambled over the wire, defending against a passive eavesdropper.
>
> Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
> Are folk just turning it off to save CPU ?
>
> Thanks for any clue.
>
> Chris
>
> --
> Chris Edwards, Glasgow University Computing Service
>
> --
> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>


TLS can add a bit of overhead, true. But there is also the fact that
many MTAs don't advertise/use TLS by default on port 25 (Exchange
comes to mind).
It could be argued that there aren't expectations of privacy or
security with e-mail, so why would you send sensitive data when
there are more suitable protocols for secure data transmission.
There is nothing inherently wrong with advertising TLS on port 25
though, should the other server negotiate with you to use it.

Regards,

Brent Jones
brent [at] servuhome [dot] net







dean at iglou

Nov 6, 2007, 5:09 PM

Post #3 of 29 (1764 views)
Re: Should MX offer TLS ? [In reply to]

On Wed, Nov 07, 2007 at 12:12:48AM +0000, Chris Edwards wrote:

> However I'm noticing many such sites with the above setup who don't offer
> TLS on port 25 of the MX servers. Is there a particular reason for this ?
>
> Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
> Are folk just turning it off to save CPU ?

I think most MTA operators, including myself, use TLS only for
the encryption of SMTP auth password information. The fact that the
message payload is also encrypted for submission agents is just a bonus.

There really isn't any advantage to encrypting MX submissions. Most
messages have spent much of their life unencrypted the entire way
anyway, so encrypting just one leg gains you *no* level of security.

CPU considerations are also there, sure. But mostly, I try and
avoid SSL in any application except where necessary. Debugging
certificate problems is already a chore. I can't imagine trying
to resolve the myriad of encryption issues that would arise with
thousands of TLS connections per hour from all over the world.

As such, I use "hosts_avoid_tls = *" on all my remote SMTP transports
for outbound traffic, and I have set "tls_advertise_hosts" global
option to only advertise if the incoming port is 587 or if customer
is submitting to one of our special submission-only addresses.

--
Dean Brooks
dean [at] iglou



chris at eng

Nov 6, 2007, 5:36 PM

Post #4 of 29 (1755 views)
Re: Should MX offer TLS ? [In reply to]

On Tue, 6 Nov 2007, Dean Brooks wrote:

| I think most MTA operators, including myself, use TLS only for the
| encryption of SMTP auth password information. The fact that the message
| payload is also encrypted for submission agents is just a bonus.

Makes sense. But then it can be argued the bad guy only needs EITHER the
password OR the data. If he can sniff the content itself on the wire,
then why bother trying to protect the password ?


| There really isn't any advantage to encrypting MX submissions. Most
| messages have spent much of their life unencrypted the entire way

OK.


| I can't imagine trying to resolve the myriad of encryption issues that
| would arise with thousands of TLS connections per hour from all over the
| world.

Right. This was just the sort of response I'm looking for. I'm also
interested to know to what extent this is a problem in practice. How do
sites who *do* do TLS over the Internet (with no certificate checks) get
on ? Are there many obscure problems encountered ?

Thanks



exim at inode

Nov 6, 2007, 6:29 PM

Post #5 of 29 (1758 views)
Re: Should MX offer TLS ? [In reply to]

Chris Edwards wrote:
> Makes sense. But then it can be argued the bad guy only needs EITHER
> the password OR the data. If he can sniff the content itself on the
> wire, then why bother trying to protect the password ?

So he/she can't relay via my servers using the sniffed user/pass ...

> How do sites who *do* do TLS over the Internet (with no certificate
> checks) get on ? Are there many obscure problems encountered ?

Hmm, I remember some problems with misconfigured MTAs that advertised
TLS, but then weren't able to provide it. The responsible admins blamed
us that we weren't able to send mails to them, because other servers
could send them mail... *sigh* There were quite a lot of them, so I
started using "hosts_avoid_tls = *" too.
After some time of running a medium / large mail site you start avoiding
problems wherever you can, because *lots* of the mailservers out there
are administered by people who really don't know what they're doing.

lg,
daniel



exim-users at lists

Nov 7, 2007, 2:25 AM

Post #6 of 29 (1763 views)
Re: Should MX offer TLS ? [In reply to]

Chris Edwards wrote:

> Many sites now have an elegant setup where submission happens on port
> 465/587, where both TLS and AUTH are mandatory. Port 25 is used for
> MTA->MTA traffic, hence no need for AUTH on port 25.
>
> However I'm noticing many such sites with the above setup who don't offer
> TLS on port 25 of the MX servers. Is there a particular reason for this ?
>
> OK, for MTA->MTA traffic, there's normally no check of a certificate, so
> no defence against man-in-the-middle attacks. But at least you get
> "opportunistic encryption" of incoming mail, whereby the traffic is
> scrambled over the wire, defending against a passive eavesdropper.
>
> Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
> Are folk just turning it off to save CPU ?

I advertise TLS on my non submission ports here for a very different
reason to those stated. I treat hosts that look like real mail servers
differently. TLS is a very good indicator that the connecting host is a
real mail server; not just another trojaned machine. I don't greylist
real mail servers.

MikeC2



dean at iglou

Nov 7, 2007, 7:22 AM

Post #7 of 29 (1764 views)
Re: Should MX offer TLS ? [In reply to]

On Wed, Nov 07, 2007 at 10:25:10AM +0000, Mike Cardwell wrote:
> Chris Edwards wrote:
>
> > However I'm noticing many such sites with the above setup who don't offer
> > TLS on port 25 of the MX servers. Is there a particular reason for this ?
> >
> > Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
> > Are folk just turning it off to save CPU ?
>
> I advertise TLS on my non submission ports here for a very different
> reason to those stated. I treat hosts that look like real mail servers
> differently. TLS is a very good indicator that the connecting host is a
> real mail server; not just another trojaned machine. I don't greylist
> real mail servers.

I guess it depends on your view. In my experience, an MTA that sends
to MX with TLS is one that is probably not managed by someone with
very much experience and would more likely be a potential source of
trouble.

--
Dean Brooks
dean [at] iglou



john.robinson at anonymous

Nov 7, 2007, 7:54 AM

Post #8 of 29 (1760 views)
Re: Should MX offer TLS ? [In reply to]

On 07/11/2007 15:22, Dean Brooks wrote:
> I guess it depends on your view. In my experience, an MTA that sends
> to MX with TLS is one that is probably not managed by someone with
> very much experience and would more likely be a potential source of
> trouble.

I'm surprised to hear that. I'd have thought that sending to MX with
TLS, offering a real certificate, would be a good way of saying "yes I
really am who I say I am". Now if one could say in one's SPF records "I
have a real cert" we'd be a long way towards sender authentication,
wouldn't we?

Cheers,

John.




exim-users at lists

Nov 7, 2007, 7:59 AM

Post #9 of 29 (1750 views)
Re: Should MX offer TLS ? [In reply to]

Dean Brooks wrote:

>>> However I'm noticing many such sites with the above setup who don't offer
>>> TLS on port 25 of the MX servers. Is there a particular reason for this ?
>>>
>>> Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
>>> Are folk just turning it off to save CPU ?
>> I advertise TLS on my non submission ports here for a very different
>> reason to those stated. I treat hosts that look like real mail servers
>> differently. TLS is a very good indicator that the connecting host is a
>> real mail server; not just another trojaned machine. I don't greylist
>> real mail servers.
>
> I guess it depends on your view. In my experience, an MTA that sends
> to MX with TLS is one that is probably not managed by someone with
> very much experience and would more likely be a potential source of
> trouble.

I fail to see any connection between a mail server sending over TLS, and
the experience of the admin of the server. I also fail to see the
usefulness of making that connection. It's not something you could ever
filter on.

MikeC2



exim-users-20070913 at djce

Nov 7, 2007, 8:08 AM

Post #10 of 29 (1759 views)
Re: Should MX offer TLS ? [In reply to]

On Wed, Nov 07, 2007 at 03:59:25PM +0000, Mike Cardwell wrote:
> I fail to see any connection between a mail server sending over TLS, and
> the experience of the admin of the server. I also fail to see the
> usefulness of making that connection. It's not something you could ever
> filter on.

Sure you can.

deny
condition = ${if !eq {$tls_cipher}{}}
message = Only criminals use encryption

;-)

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey


dean at iglou

Nov 7, 2007, 8:32 AM

Post #11 of 29 (1752 views)
Re: Should MX offer TLS ? [In reply to]

On Wed, Nov 07, 2007 at 03:59:25PM +0000, Mike Cardwell wrote:
> Dean Brooks wrote:
>
> >>> Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
> >>> Are folk just turning it off to save CPU ?
> >> I advertise TLS on my non submission ports here for a very different
> >> reason to those stated. I treat hosts that look like real mail servers
> >> differently. TLS is a very good indicator that the connecting host is a
> >> real mail server; not just another trojaned machine. I don't greylist
> >> real mail servers.
> >
> > I guess it depends on your view. In my experience, an MTA that sends
> > to MX with TLS is one that is probably not managed by someone with
> > very much experience and would more likely be a potential source of
> > trouble.
>
> I fail to see any connection between a mail server sending over TLS, and
> the experience of the admin of the server. I also fail to see the
> usefulness of making that connection. It's not something you could ever
> filter on.

Because it indicates the admin of that mail server probably didn't
intentionally enable TLS for remote connections and just used the
server defaults. There are quite a number of servers out there
that inexplicably insist on using TLS if advertised for MX
deliveries.

True, you wouldn't filter on it. I agree. My reply was simply stating
that one also shouldn't *whitelist* based upon it either.

--
Dean Brooks
dean [at] iglou



wbh at conducive

Nov 7, 2007, 8:32 AM

Post #12 of 29 (1754 views)
Re: Should MX offer TLS ? [In reply to]

Dave Evans wrote:
> On Wed, Nov 07, 2007 at 03:59:25PM +0000, Mike Cardwell wrote:
>> I fail to see any connection between a mail server sending over TLS, and
>> the experience of the admin of the server. I also fail to see the
>> usefulness of making that connection. It's not something you could ever
>> filter on.
>
> Sure you can.
>
> deny
> condition = ${if !eq {$tls_cipher}{}}
> message = Only criminals use encryption
>
> ;-)
>
>

I *think* he meant '..ever filter on and stay in the business of transferring
messages reliably'.

Another poster's remark about 'real cert' doesn't apply either - these are
nearly always self-generated, self-signed, and not checked against a CA, public
OR private at either end.

Requiring matching PEM certs - as for a corporate intranet - is a different
application.

Speaking of which - TLS for submission, TLS for POP/IMAP, and TLS for MX - MX
does give nearly end-to-end protection between/among corporate servers.

Providing they - and the MUA boxen, have at least some level of physical
security. Better than nothing, anyway.

Not much help for off-net correspondents, of course.

Bill




dean at iglou

Nov 7, 2007, 8:36 AM

Post #13 of 29 (1763 views)
Re: Should MX offer TLS ? [In reply to]

On Wed, Nov 07, 2007 at 03:54:42PM +0000, John Robinson wrote:
> On 07/11/2007 15:22, Dean Brooks wrote:
> > I guess it depends on your view. In my experience, an MTA that sends
> > to MX with TLS is one that is probably not managed by someone with
> > very much experience and would more likely be a potential source of
> > trouble.
>
> I'm surprised to hear that. I'd have thought that sending to MX with
> TLS, offering a real certificate, would be a good way of saying "yes I
> really am who I say I am". Now if one could say in one's SPF records "I
> have a real cert" we'd be a long way towards sender authentication,
> wouldn't we?

Problem is, you don't have to have a CA authority sign your TLS
certificate. Anyone can self sign and TLS will accept it. All the
TLS SSL cert does is open the door to encryption.

DomainKeys is closer to that idea though.

--
Dean Brooks
dean [at] iglou




bryan.rawlins at onlymyemail

Nov 7, 2007, 8:52 AM

Post #14 of 29 (1759 views)
Re: Should MX offer TLS ? [In reply to]

Dean Brooks wrote:
> On Wed, Nov 07, 2007 at 03:59:25PM +0000, Mike Cardwell wrote:
>
>> Dean Brooks wrote:
>>
>>
>>>>> Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
>>>>> Are folk just turning it off to save CPU ?
>>>>>
>>>> I advertise TLS on my non submission ports here for a very different
>>>> reason to those stated. I treat hosts that look like real mail servers
>>>> differently. TLS is a very good indicator that the connecting host is a
>>>> real mail server; not just another trojaned machine. I don't greylist
>>>> real mail servers.
>>>>
>>> I guess it depends on your view. In my experience, an MTA that sends
>>> to MX with TLS is one that is probably not managed by someone with
>>> very much experience and would more likely be a potential source of
>>> trouble.
>>>
>> I fail to see any connection between a mail server sending over TLS, and
>> the experience of the admin of the server. I also fail to see the
>> usefulness of making that connection. It's not something you could ever
>> filter on.
>>
>
> Because it indicates the admin of that mail server probably didn't
> intentionally enable TLS for remote connections and just used the
> server defaults. There are quite a number of servers out there
> that inexplicably insist on using TLS if advertised for MX
> deliveries.
>
> True, you wouldn't filter on it. I agree. My reply was simply stating
> that one also shouldn't *whitelist* based upon it either.
>
>

This has me curious, I'm going to try and compute a probability that a
message is/is not spam based on if the sending server uses TLS.
Probabilities will be calculated based on results of our existing filters
and will not be influenced by the data collected.

I'll post results to the list after approximately 24 hours.

Bryan Rawlins
Systems Administrator
OnlyMyEmail, Inc.



exim-users at lists

Nov 7, 2007, 9:03 AM

Post #15 of 29 (1755 views)
Re: Should MX offer TLS ? [In reply to]

Bryan Rawlins wrote:

>>> I fail to see any connection between a mail server sending over TLS, and
>>> the experience of the admin of the server. I also fail to see the
>>> usefulness of making that connection. It's not something you could ever
>>> filter on.
>>>
>> Because it indicates the admin of that mail server probably didn't
>> intentionally enable TLS for remote connections and just used the
>> server defaults. There are quite a number of servers out there
>> that inexplicably insist on using TLS if advertised for MX
>> deliveries.
>>
>> True, you wouldn't filter on it. I agree. My reply was simply stating
>> that one also shouldn't *whitelist* based upon it either.
>
> This has me curious, I'm going to try and compute a probability that a
> message is/is not spam based on if the sending server uses TLS.
> Probabilities will be calculated based on results of our existing filters
> and will not be influenced by the data collected.
>
> I'll post results to the list after approximately 24 hours.

I'd be very interested to see those results. But just to restate my
original position, the only assumption I'm making is:

If the SMTP connection uses TLS, the connecting host is *very*
probably not an exploited machine with a pump and dump program
running on it.

I still use spamassassin and clamav and rbls etc, regardless of the
presence of TLS. There's just no point applying greylisting if it's present.

Mike
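The policy Mike describes here and in post #6 (skip greylisting for clients that negotiated TLS, keep every other check), together with Dean's caveat from post #11 that a TLS session must not become a whitelist, written out as an Exim RCPT ACL. This is an added example, not Mike's own configuration; the greylist helper GREYLIST_CMD, the named lists, the domain and the blocklist choice are assumptions.

```exim
# Added example, not configuration from any poster on this thread.
# GREYLIST_CMD is a hypothetical helper: it exits 0 once the
# (client, sender, recipient) triplet has been seen before and non-zero the
# first time it is presented.  Any real greylisting backend can take its place.
GREYLIST_CMD = /usr/local/sbin/greylist-check

domainlist local_domains    = example.org
hostlist   relay_from_hosts = 127.0.0.1 : ::1

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Our own clients never see greylisting or blocklists.
  accept  hosts = +relay_from_hosts

  # Post #15's assumption: a client that negotiated TLS is very probably a
  # real mail server rather than a compromised host running a pump-and-dump
  # program, so greylisting buys nothing there.  "encrypted = *" is true only
  # when the session is under TLS, so the defer applies to cleartext clients.
  # Exim runs the helper directly, not through a shell, so the expanded
  # addresses are passed as plain arguments.
  defer   !encrypted   = *
          condition    = ${run{GREYLIST_CMD $sender_host_address $sender_address $local_part@$domain}{no}{yes}}
          message      = Greylisted, please retry later
          log_message  = greylisted cleartext client

  # Everything else still applies whether or not TLS was used: a TLS session
  # is a reason to skip one delay, not a whitelist (post #11's caveat).
  deny    dnslists = zen.spamhaus.org
          message  = Rejected: listed in $dnslist_domain

  accept  domains = +local_domains

  deny    message = relay not permitted
```

`encrypted = *` is the ACL-condition form of the `$tls_cipher` test in Dave's post; on Exim 4.80 and later the variable is called `$tls_in_cipher`, but the ACL condition is unchanged. Content scanning (SpamAssassin, ClamAV) belongs in the DATA ACL and is untouched by this, which is exactly the point Mike makes.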



iane at sussex

Nov 7, 2007, 9:07 AM

Post #16 of 29 (1769 views)
Re: Should MX offer TLS ? [In reply to]

--On 6 November 2007 20:09:05 -0500 Dean Brooks <dean [at] iglou> wrote:

>
> As such, I use "hosts_avoid_tls = *" on all my remote SMTP transports
> for outbound traffic, and I have set "tls_advertise_hosts" global
> option to only advertise if the incoming port is 587 or if customer
> is submitting to one of our special submission-only addresses.

Likewise. In fact, we separate our MX and MSA IP addresses. We require TLS
and smtp auth on port 25 and 587 on the MSA addresses - except for some IP
addresses on campus. It's sensible to allow people to use port 25, since
some don't know how to use 587. However, we advise everyone to use 587.

We offer TLS on the MX address, for those that wish to use it, though we
recognise that the security benefits are marginal.

We won't accept MAIL FROM our domains on the MX addresses unless TLS and
smtp auth are used, or a message header indicates that the message was
originally submitted through our servers. This ensures that our "internal"
email is virtually spam free.

--
Ian Eiloart
IT Services, University of Sussex
x3148
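The two inbound policies in this thread, Dean's from post #3 (advertise STARTTLS only on the submission port, never attempt TLS outbound) and Ian's from this post (separate MX and MSA addresses, TLS and AUTH mandatory on the MSA address except for some campus networks, own-domain senders refused on the MX unless authenticated), mapped onto the corresponding Exim options. This is an added example, not either poster's real configuration; the interface addresses, certificate paths, domain and named lists are assumptions.

```exim
# Added example (not Dean's or Ian's real configuration).  Interface
# addresses, certificate paths, the domain and the named lists are assumptions.
MSA_IP = 192.0.2.25
MX_IP  = 192.0.2.26

domainlist local_domains = example.org
hostlist   campus_exempt = 198.51.100.0/24

daemon_smtp_ports = 25 : 587
acl_smtp_mail     = acl_check_mail

tls_certificate = /etc/exim/mail.crt
tls_privatekey  = /etc/exim/mail.key

# Post #3: advertise STARTTLS only to clients that connected on port 587.
#tls_advertise_hosts = ${if eq{$received_port}{587}{*}{}}

# Post #16: advertise STARTTLS on every address, MX included; the MSA
# address then enforces it in the ACL below.
tls_advertise_hosts = *

# Advertise AUTH only once the session is encrypted, so passwords never
# cross the wire in clear (the reason for TLS that posts #3 and #5 give).
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

begin acl

acl_check_mail:
  # MSA address: TLS and authentication are mandatory, except for the
  # listed campus networks.
  deny    condition       = ${if eq{$received_ip_address}{MSA_IP}}
          !hosts          = +campus_exempt
          !encrypted      = *
          message         = STARTTLS is required on the submission address

  deny    condition       = ${if eq{$received_ip_address}{MSA_IP}}
          !hosts          = +campus_exempt
          !authenticated  = *
          message         = Authentication is required on the submission address

  # MX address: mail claiming to come from one of our own domains is only
  # accepted from authenticated clients, which keeps "internal" mail spam free.
  deny    condition       = ${if eq{$received_ip_address}{MX_IP}}
          condition       = ${if match_domain{$sender_address_domain}{+local_domains}}
          !authenticated  = *
          message         = Mail from $sender_address_domain must be submitted via the MSA

  accept

begin transports

remote_smtp:
  driver = smtp
  # Post #3's outbound choice: never attempt STARTTLS towards other MXs.
  hosts_avoid_tls = *
```

Ian also accepts own-domain mail on the MX when a header shows it was originally submitted through his servers; that check needs the message body and so lives in the DATA ACL, which is left out here. The commented-out `tls_advertise_hosts` line is Dean's variant; only one of the two assignments should be active.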



john.robinson at anonymous

Nov 7, 2007, 9:14 AM

Post #17 of 29 (1752 views)
Re: Should MX offer TLS ? [In reply to]

On 07/11/2007 16:36, Dean Brooks wrote:
> On Wed, Nov 07, 2007 at 03:54:42PM +0000, John Robinson wrote:
>> [...] I'd have thought that sending to MX with
>> TLS, offering a real certificate, would be a good way of saying "yes I
>> really am who I say I am". Now if one could say in one's SPF records "I
>> have a real cert" we'd be a long way towards sender authentication,
>> wouldn't we?
>
> Problem is, you don't have to have a CA authority sign your TLS
> certificate. Anyone can self sign and TLS will accept it.

Unless the recipient were to decide he liked CA-signed certs. This is
what I'm angling towards.

> DomainKeys is closer to that idea though.

I know, but SSL/TLS with CA-signed certs are well-understood and already
well-supported in MTAs (including exim, of course). Why not use them for
sender authentication? I know nobody does but what's the rationale in
favour of DKIM et al over my suggestion?

Cheers,

John.




wbh at conducive

Nov 7, 2007, 9:30 AM

Post #18 of 29 (1756 views)
Re: Should MX offer TLS ? [In reply to]

John Robinson wrote:
> On 07/11/2007 16:36, Dean Brooks wrote:
>> On Wed, Nov 07, 2007 at 03:54:42PM +0000, John Robinson wrote:
>>> [...] I'd have thought that sending to MX with
>>> TLS, offering a real certificate, would be a good way of saying "yes I
>>> really am who I say I am". Now if one could say in one's SPF records "I
>>> have a real cert" we'd be a long way towards sender authentication,
>>> wouldn't we?
>> Problem is, you don't have to have a CA authority sign your TLS
>> certificate. Anyone can self sign and TLS will accept it.
>
> Unless the recipient were to decide he liked CA-signed certs. This is
> what I'm angling towards.
>
>> DomainKeys is closer to that idea though.
>
> I know, but SSL/TLS with CA-signed certs are well-understood and already
> well-supported in MTAs (including exim, of course). Why not use them for
> sender authentication? I know nobody does but what's the rationale in
> favour of DKIM et al over my suggestion?
>
> Cheers,
>
> John.
>
>

That's an easy one.

Most of the public CAs are whores. Verisign at the head of the line.
They'll sell a cert to anyone.

Pull all the CAs from a browser and suddenly notice that ads.doubleclick.net
and a zillion others have been using publicly signed certs off the browser's
default CA set to quietly slip under your filters for years.

Not that I think DKIM is worth a Massachusetts, either...

If I could only have ONE tool - it's lack of a PTR RR.

Fortunately, we have many tools.

Bill





chris at eng

Nov 7, 2007, 9:55 AM

Post #19 of 29 (1754 views)
Re: Should MX offer TLS ? [In reply to]

Daniel Tiefnig wrote:

| Chris Edwards wrote:
| > Makes sense. But then it can be argued the bad guy only needs EITHER
| > the password OR the data. If he can sniff the content itself on the
| > wire, then why bother trying to protect the password ?
|
| So he/she can't relay via my servers using the sniffed user/pass ...

OK, right. I guess it's also often true that submission will happen over
an easy-to-sniff link (public wireless, cybercafe, hotel)

whereas, by contrast, the MTA->MTA traffic is normally over hard-to-sniff
networks comprising the core of the Internet.


Bill Hacker wrote:

| TLS for submission, TLS for POP/IMAP, and TLS for MX - MX does give
| nearly end-to-end protection between/among corporate servers.

Yes, this is precisely what we were thinking - hence my asking this question.
It seems like we can get MTA->MTA encryption (albeit without authentication)
for "almost" free. But if folk running large sites are suggesting
caution, then we will heed that advice.

( with around 30,000 users I guess we're a small/medium site )

I wonder if this will be less painful in a couple of years.



jwblist3 at olympus

Nov 7, 2007, 5:02 PM

Post #20 of 29 (1759 views)
Re: Should MX offer TLS ? [In reply to]

On 11/6/07 5:36 PM, "Chris Edwards" <chris [at] eng> wrote:

> Right. This was just the sort of response I'm looking for. I'm also
> interested to know to what extent this is a problem in practice. How do
> sites who *do* do TLS over the Internet (with no certificate checks) get
> on ? Are there many obscure problems encountered ?

We got tired of interpreting logs and figuring out what MTAs had to be
exempted from TLS because they do it wrong. So we exempted them all.

--John





bryan.rawlins at onlymyemail

Nov 8, 2007, 8:36 AM

Post #21 of 29 (1744 views)
Re: Should MX offer TLS ? [In reply to]

Bryan Rawlins wrote:
> This has me curious, I'm going to try and compute a probability that a
> message is/is not spam based on if the sending server uses TLS.
> Probabilities will be calculated based on results of our existing filters
> and will not be influenced by the data collected.
>
> I'll post results to the list after approximately 24 hours.
>
Here are the results of around 23 hours' worth of data.

Some things to keep in mind:
Over this time period we estimate 70%+ of our volume was rejected at the
firewall/SMTP conversation level and thus is NOT factored into these
numbers. (We don't track the 'low hanging fruit')

Not all mail judged by the system is then used as feedback, so these
numbers aren't a good indicator of absolute volume, but should be
statistically accurate.

Our filtering engine is proprietary, written fully in-house, so results
with other systems may vary.

                  Spam     Ham
Total           122383   32594
No TLS/SSL      122383   27057
TLS/SSL           1064    5537

My $0.02, it appears to be useful as an indicator to influence an
overall score (eg. spamassassin), but as with many other things it
doesn't appear to be good for making an absolute decision based on just
this information.

As an aside I also tracked what cipher was being used, albeit for a
shorter period of time.

Cipher                    Spam    Ham
Totals                     948   4525
sslv3:aes256-sha:256        23     39
tlsv1:aes256-sha:256       871   3781
tlsv1:des-cbc3-sha:168      33    273
tlsv1:aes128-sha:128         1      9
tlsv1:rc4-sha:128           14    160
sslv3:des-cbc3-sha:168       0      7
tlsv1:rc4-md5:128            6    244
sslv3:rc4-md5:128            0     12


Bryan Rawlins
Systems Administrator
OnlyMyEmail, Inc.






richard at highwayman

Nov 8, 2007, 10:52 AM

Post #22 of 29 (1732 views)
Re: Should MX offer TLS ? [In reply to]

In message <47333B13.7070401 [at] onlymyemail>, Bryan Rawlins <bryan.rawlins [at] onlymyemail> writes

>Total:
>122383 Spam
>32594 Ham
>
>No TLS/SSL:
>122383 Spam
>27057 Ham
>
>TLS/SSL:
>1064 Spam
>5537 Ham
>
>My $0.02, it appears to be useful as an indicator to influence an
>overall score (eg. spamassassin), but as with many other things it
>doesn't appear to be good for making an absolute decision based on just
>this information.

I suspect you are mainly measuring the performance of filters (or of
mitigation of compromised hosts) at other ISPs' sites.

viz: the email doesn't originate at the machine that is using TLS, but
one hop further back.

>sslv3:aes256-sha:256
>23 Spam
>39 Ham

hence the variation between the ciphers, you're now picking out very
small numbers of senders and measuring their performance at not sending
you spam from their customers.

--
richard Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin




w at wrzask

Nov 9, 2007, 10:42 AM

Post #23 of 29 (1741 views)
Re: Should MX offer TLS ? [In reply to]

On Wed, Nov 07, 2007 at 03:29:06AM +0100, Daniel Tiefnig wrote:
>
> > How do sites who *do* do TLS over the Internet (with no certificate
> > checks) get on ? Are there many obscure problems encountered ?
>
> Hmm, I remember some problems with misconfigured MTAs that advertised
> TLS, but then weren't able to provide it. The responsible admins blamed
> us that we weren't able to send mails to them, because other servers
> could send them mail... *sigh* There were quite a lot of them, so I
> started using "hosts_avoid_tls = *" too.

There is a "tls_tempfail_tryclear" setting, which will make Exim jump back
to non-encryption after STARTTLS returns 4xx or TLS/SSL negotiation
fails in some way. From my experience, it works just fine.

--
Jan Srzednicki :: http://wrzask.pl/
"Remember, remember, the fifth of November"
-- V for Vendetta




chris at eng

Nov 9, 2007, 11:50 AM

Post #24 of 29 (1740 views)
Re: Should MX offer TLS ? [In reply to]

On Fri, 9 Nov 2007, Jan Srzednicki wrote:

| There is a "tls_tempfail_tryclear" setting, which will make Exim jump back
| to non-encryption after STARTTLS returns 4xx or TLS/SSL negotiation
| fails in some way. From my experience, it works just fine.

Good point. That may help for (some) outbound situations.

But you don't have the same control for inbound. Either you advertise
STARTTLS on your MX, or you don't.



renaud at llorien

Nov 9, 2007, 12:18 PM

Post #25 of 29 (1743 views)
Re: Should MX offer TLS ? [In reply to]

Chris Edwards wrote:
> On Fri, 9 Nov 2007, Jan Srzednicki wrote:
>
> | There is a "tls_tempfail_tryclear" setting, which will make Exim jump back
> | to non-encryption after STARTTLS returns 4xx or TLS/SSL negotiation
> | fails in some way. From my experience, it works just fine.
>
> Good point. That may help for (some) outbound situations.
>
> But you don't have the same control for inbound. Either you advertise
> STARTTLS on your MX, or you don't.
>

This setting defaults to true anyway, so exim does this by default.
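Jan's tls_tempfail_tryclear fallback (post #23) and Renaud's note that it is already the default, set beside the narrower alternative to the blanket "hosts_avoid_tls = *" that posts #3, #5 and #20 settled on. This is an added example, not configuration from any poster; the host names and network in the lists are placeholders.

```exim
# Added example; host names and the network below are placeholders.
begin transports

remote_smtp:
  driver = smtp

  # Default (true): when a peer advertises STARTTLS but answers the command
  # with a 4xx, or the TLS handshake fails, Exim reconnects and delivers in
  # clear instead of deferring.  Spelled out only to make the behaviour
  # visible; it does not apply to hosts listed in hosts_require_tls.
  tls_tempfail_tryclear = true

  # Peers that advertise STARTTLS but cannot complete a delivery even after
  # the clear-text fallback are better listed individually than avoided
  # wholesale with "hosts_avoid_tls = *".
  hosts_avoid_tls = broken-mx.example.net : 203.0.113.0/24

  # Partners whose certificates you actually verify (the corporate case in
  # post #12) get the opposite treatment: no TLS, no delivery.
  hosts_require_tls       = partner-mx.example.com
  tls_verify_certificates = /etc/exim/partner-ca.pem
```

As Chris notes in post #24, there is no inbound counterpart to this: tls_advertise_hosts decides whether STARTTLS is offered at all, and a client that then fails its own handshake is the client's problem to retry.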
