nanog mailing list archives
Re: Blocking MX query
From: Mark Andrews <marka () isc org>
Date: Wed, 05 Sep 2012 13:22:28 +1000
In message <CAAAwwbXMXhS+8w2CV90b8x9XJ0omvhTmWDY+WMyCPw6GiWfZMQ () mail gmail com>, Jimmy Hess writes:

> On 9/4/12, Mark Andrews <marka () isc org> wrote:
> > In message <CAArzuost70Yq=KfXHXZSOV+ptg6apiDzm71=FhCS+Ty_yo5OAA () mail gmail com>, Suresh Ramasubramanian writes:
> > STARTTLS from anywhere to anywhere is possible today and is not vulnerable to interception except in the MX's themselves. You can secure the MX records (and their absence) and secure the CERTs used by STARTTLS.
>
> You can also use SMTPS on port 465, or STARTTLS on port 587. Most MX servers don't support TLS or SSL, so it could be privacy neutral, and many MX server operators utilize dynamic host RBLs, even if STARTTLS connections are allowed. It is possible for an end user to tunnel SMTP traffic over VPN, SSL, or SSH to a private submit server on a trusted network.
You missed the point. It *is* a privacy problem if my ISP can see the "MAIL TO: <user () example net>". It is *unreasonable* to expect everyone to run their own submission server to avoid this privacy problem. Most MX's don't *currently* support STARTTLS because until recently it was difficult to prevent various MiM interception attacks and you had to pay for CERTs. Both of these reasons are in the process of going away. You can prevent MiM on MX records by using DNSSEC. You can generate and publish your own CERT records using DANE.
> Blocking initial outgoing TCP SYN for port 25 completely creates a predictable failure scenario, which is to be encouraged.

Only if you don't care for user privacy. There is way too much data collection already.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
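The mechanics behind "publish your own CERT records using DANE" and "prevent MiM on MX records by using DNSSEC", as an added example that is not part of the thread or of any ISC code: it generates the TLSA record an MX operator would publish for its own certificate (no CA involved), checks a presented certificate chain against a TLSA RRset, and, going one step past the message, applies the RFC 7672 rule for what an SMTP client does with each DNSSEC outcome of the MX and TLSA lookups. The certificates are constructed toy X.509 DER structures (valid layout, dummy signature bytes), the host name mx.example.net is hypothetical, and the minimal DER walker handles only what X.509 needs for SubjectPublicKeyInfo extraction.

```python
"""DANE TLSA for SMTP STARTTLS (RFC 6698 / RFC 7672): publish, match, decide.
Added example; the certificates below are constructed toys, not real keys."""
import hashlib
from dataclasses import dataclass

# ---- minimal DER encode/decode: enough to build and walk an X.509 skeleton ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_tlvs(data):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        out.append((tag, data[i:i + length]))
        i += length
    return out

def spki_from_cert(cert_der):
    """TLSA selector 1: SubjectPublicKeyInfo is the 6th tbsCertificate field
    (serial, sigAlg, issuer, validity, subject, SPKI) after the optional [0] version."""
    [(_, cert)] = der_tlvs(cert_der)
    _, tbs = der_tlvs(cert)[0]
    fields = der_tlvs(tbs)
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    tag, spki = fields[5]
    assert tag == 0x30
    return der(0x30, spki)

@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA (an issuer in the chain), 3 = DANE-EE (the server cert)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes
    def rr(self, host, port=25):
        return f"_{port}._tcp.{host}. IN TLSA {self.usage} {self.selector} {self.mtype} {self.data.hex()}"
    def usable(self):
        # PKIX-TA(0)/PKIX-EE(1) need a CA chain the client trusts; RFC 7672 discourages
        # them for SMTP and this example treats them as unusable.
        return self.usage in (2, 3) and self.selector in (0, 1) and self.mtype in (0, 1, 2)

def assoc_data(cert_der, selector, mtype):
    obj = cert_der if selector == 0 else spki_from_cert(cert_der)
    return {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}[mtype](obj)

def publish(cert_der, usage=3, selector=1, mtype=1):
    """The record an MX operator generates for its own (e.g. self-signed) cert."""
    return TLSA(usage, selector, mtype, assoc_data(cert_der, selector, mtype))

def chain_matches(chain_der, rrset):
    """chain_der = [leaf, issuer, ...] as presented in the handshake; returns the
    matching record or None. DANE-EE matches the leaf only; DANE-TA matches an
    issuer (the TLS library must still validate the signature path from it to the leaf)."""
    for rr in rrset:
        if not rr.usable():
            continue
        for c in (chain_der[:1] if rr.usage == 3 else chain_der[1:]):
            if assoc_data(c, rr.selector, rr.mtype) == rr.data:
                return rr
    return None

def smtp_tls_policy(mx_secure, tlsa_state, rrset):
    """RFC 7672 downgrade logic. mx_secure: MX RRset DNSSEC-validated (AD bit from a
    validating resolver). tlsa_state: 'secure', 'insecure' (unsigned / NODATA), 'bogus'."""
    if not mx_secure:
        return "opportunistic"   # a forged MX would point TLSA at the attacker's name anyway
    if tlsa_state == "bogus":
        return "defer"           # treat the host as unreachable; never fall back to cleartext
    if tlsa_state != "secure" or not rrset:
        return "opportunistic"   # no DANE: STARTTLS if offered, unauthenticated
    if not any(r.usable() for r in rrset):
        return "encrypt"         # records prove the server does TLS, so no cleartext, but nothing to authenticate
    return "dane"                # TLS mandatory and the chain must match the RRset

# ---- constructed sample: toy X.509 DER (correct structure, dummy signature) ----
RSA_OID = bytes.fromhex("06092a864886f70d010101")
def toy_cert(pubkey, serial):
    alg = der(0x30, RSA_OID + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey))
    validity = der(0x30, der(0x17, b"120905000000Z") + der(0x17, b"130905000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + alg
              + der(0x30, b"") + validity + der(0x30, b"") + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xaa" * 8))

LEAF = toy_cert(b"\x30\x0d" + b"\x11" * 30, b"\x01")      # stand-in RSAPublicKey bytes
ISSUER = toy_cert(b"\x30\x0d" + b"\x22" * 30, b"\x02")
ROTATED = toy_cert(b"\x30\x0d" + b"\x33" * 30, b"\x03")   # new key, TLSA not yet updated
RRSET = [publish(LEAF), publish(ISSUER, usage=2)]

if __name__ == "__main__":
    for r in RRSET:
        print(r.rr("mx.example.net"))
    print(chain_matches([LEAF, ISSUER], RRSET))            # DANE-EE hit on the leaf
    print(chain_matches([ROTATED, ISSUER], RRSET[:1]))     # None: rotate key, republish first
    print(smtp_tls_policy(True, "secure", RRSET))          # dane
```

The "3 1 1" form (DANE-EE, SPKI, SHA-256) is the one to publish for a self-issued MX certificate: it binds the key, not the CA or the certificate's expiry, so a reissue with the same key needs no DNS change, while a key rotation must be published (and allowed to propagate past the old TTL) before the new key goes live. The "2 1 1" record shows why some operators pin their issuer instead: the rotated leaf still passes. Both depend on the resolver actually validating; an unvalidated TLSA answer buys nothing, which is the `mx_secure` / `tlsa_state` gate above.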
Current thread:
- Re: Blocking MX query, (continued)
- Re: Blocking MX query Suresh Ramasubramanian (Sep 04)
- Re: Blocking MX query Tony Finch (Sep 04)
- Re: Blocking MX query William Herrin (Sep 04)
- Re: Blocking MX query Rich Kulawiec (Sep 04)
- Re: Blocking MX query Jimmy Hess (Sep 04)
- Re: Blocking MX query Mark Andrews (Sep 04)
- Re: Blocking MX query Suresh Ramasubramanian (Sep 04)
- Re: Blocking MX query Mark Andrews (Sep 04)
- Re: Blocking MX query Suresh Ramasubramanian (Sep 04)
- Re: Blocking MX query Jimmy Hess (Sep 04)
- Re: Blocking MX query Mark Andrews (Sep 04)
- Re: Blocking MX query Rich Kulawiec (Sep 04)
- Re: Blocking MX query Ray Wong (Sep 04)
- Re: Blocking MX query Suresh Ramasubramanian (Sep 04)
- Re: Blocking MX query Jay Ashworth (Sep 04)
- Re: Blocking MX query Suresh Ramasubramanian (Sep 04)
- Re: Blocking MX query Masataka Ohta (Sep 04)
- Re: Blocking MX query Suresh Ramasubramanian (Sep 04)
- Re: Blocking MX query valdis . kletnieks (Sep 04)
- Re: Blocking MX query Masataka Ohta (Sep 04)
- Re: Blocking MX query Suresh Ramasubramanian (Sep 04)