nanog mailing list archives
Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]
From: Brandon Martin <lists.nanog () monmotha net>
Date: Fri, 11 Jan 2019 21:58:22 -0500
On 1/11/19 9:52 PM, William Herrin wrote:
Your other idea of signaling via DNS that a man in the middle is present if the target SMTP server fails to support encryption could have merit. I think the specific mechanism (overloading the host name) is unwise but I'd be interested to see the concept developed further.
If there's one takeaway I have from this thread to date, it's this.An advisory mechanism in DNS, such as via a TXT record, that says something along the lines of "We always support STARTTLS - if you can't negotiate that, then you are probably experiencing a MITM" could have merit. DANE appears to already offer this (and more), but as has been pointed out, can be complex to deploy.
The downside I potentially see to this is that, if someone can MITM DNS (even if not the SMTP TCP session itself) and DNSSEC is not mandatory for this mechanism, that attacker could potentially cause a DoS against anyone they choose who does NOT support STARTTLS by falsely signaling that it is to be expected. I'm not sure how real-world of a threat that is given increasing adoption of STARTTLS, but it's definitely something to consider.
-- Brandon Martin
Current thread:
- SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Viruthagiri Thirumavalavan (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Michael Thomas (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Doug Royer (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Viruthagiri Thirumavalavan (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Suresh Ramasubramanian (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Viruthagiri Thirumavalavan (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] William Herrin (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Viruthagiri Thirumavalavan (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] William Herrin (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Viruthagiri Thirumavalavan (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] William Herrin (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Brandon Martin (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Viruthagiri Thirumavalavan (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Suresh Ramasubramanian (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Viruthagiri Thirumavalavan (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] valdis . kletnieks (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] valdis . kletnieks (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Viruthagiri Thirumavalavan (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Töma Gavrichenkov (Jan 12)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Viruthagiri Thirumavalavan (Jan 12)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Viruthagiri Thirumavalavan (Jan 11)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Robert Blayzor (Jan 14)
- Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request] Viruthagiri Thirumavalavan (Jan 14)