nanog mailing list archives
Re: Transparent hijacking of SMTP submission...
From: Owen DeLong <owen () delong com>
Date: Wed, 3 Dec 2014 13:00:15 -0800
On Dec 1, 2014, at 5:25 AM, Livingood, Jason <Jason_Livingood () cable comcast com> wrote:

> On 11/29/14, 3:17 PM, "John Levine" <johnl () iecc com> wrote:
>
>> PS: I know enough technical people at Comcast that I would be extremely surprised if it were Comcast doing this. There's plenty not to like about the corporation, but the technical staff are quite competent.
>
> Thanks, John! I can tell folks here unequivocally that (1) the recent press article on STARTTLS re-writing did *not* involve Comcast and (2) Comcast does not engage in the claimed practice. In fact, we're supporters and early deployers of STARTTLS on our own mail service.
>
> I do not know how to explain the issue reported on this list. Absent a packet capture it is impossible for me to analyze this further. If anything, I could only imagine it was a misconfiguration someplace, but I have no idea where or in what network element that'd even be possible. I'm happy to work with anyone that has more info to try to troubleshoot this.
>
> - Jason Livingood
> Comcast
I have encountered similar issues on some hotel networks. Usually, a well meaning, but severely misinformed hotel administrator decides that:

1. People don't know what they're doing and configure their laptops to use their [corporate|home|usual] mailserver even when they're on the road, often without authentication.

2. Debugging people's laptops for them takes a lot of time and reduces customer satisfaction.

so

3. Let's just redirect all port 25/587 to our own local SMTP proxy which can't possibly support TLS because we don't have all the right certificates (nor should we), so it won't announce the STARTTLS capability.

I don't know if that's what happened in this case, because, as you say, without first-hand information and packet-captures, it's impossible to tell, but I will say that if you intend to use TLS, make sure your MUA REQUIRES TLS, rather than preferring TLS when available (as is default on many MUAs, unfortunately).

Owen
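One way to implement the "require TLS, don't just prefer it" behaviour Owen describes, as an added example that is not part of this thread: a submission client that reads the EHLO reply on port 587 and refuses to continue in the clear when STARTTLS is missing, which is exactly what a capability-stripping proxy looks like on the wire. The EHLO responses and the host name are constructed for illustration.

```python
import smtplib
import ssl

# Constructed EHLO response bodies, in the form smtplib returns them (first
# line is the server's name, later lines are extensions). Not captured from
# any real server.
NORMAL_EHLO = b"mail.example.net\nSIZE 35882577\nSTARTTLS\nAUTH PLAIN LOGIN\n8BITMIME"
STRIPPED_EHLO = b"mail.example.net\nSIZE 35882577\nAUTH PLAIN LOGIN\n8BITMIME"


def advertised_extensions(ehlo_message: bytes) -> set:
    """Return the extension keywords in a 250 EHLO reply body.

    Line one is the server hostname; each later line starts with a keyword
    optionally followed by parameters (RFC 5321, section 4.1.1.1).
    """
    lines = ehlo_message.decode("ascii", "replace").splitlines()[1:]
    return {line.split()[0].upper() for line in lines if line.strip()}


def tls_required_ok(ehlo_message: bytes) -> bool:
    """A 'require TLS' client may proceed only if STARTTLS was advertised."""
    return "STARTTLS" in advertised_extensions(ehlo_message)


def submit_with_required_tls(host: str, port: int = 587) -> set:
    """Connect to a submission server and stop unless it offers STARTTLS.

    Returns the extensions advertised after the TLS handshake. Raises
    RuntimeError when STARTTLS is absent instead of silently falling back
    to cleartext, which is the failure mode of a 'prefer TLS' MUA.
    """
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, message = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {message!r}")
        if not tls_required_ok(message):
            raise RuntimeError(
                f"{host}:{port} did not advertise STARTTLS; refusing to send "
                f"in clear. Advertised: {sorted(advertised_extensions(message))}")
        context = ssl.create_default_context()  # verifies cert and hostname
        smtp.starttls(context=context)
        code, message = smtp.ehlo()  # capabilities must be re-read after TLS
        return advertised_extensions(message)


if __name__ == "__main__":
    import sys
    print(sorted(submit_with_required_tls(sys.argv[1])))  # e.g. a hostname arg
```

Running it from a hotel network against your usual submission server will surface a stripping proxy as the RuntimeError rather than as a silent cleartext login.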