EmailDiscussions.com

FastMail Forum (http://www.emaildiscussions.com/forumdisplay.php?f=27) > Getting STARTTLS Everywhere (http://www.emaildiscussions.com/showthread.php?t=73942)

ppm 15 Sep 2018 08:30 PM

Getting STARTTLS Everywhere
In the Fastmail blog, a June 2018 post talks about STARTTLS (https://fastmail.blog/2018/06/27/let...ls-everywhere/).

When testing Fastmail.com on the STARTTLS Everywhere site (https://starttls-everywhere.org/results/?fastmail.com), it reveals that Fastmail.com's mailserver supports STARTTLS, uses great TLS parameters, and presents a valid certificate, which is tops.

However, it also says that the Fastmail.com domain was not added to the Electronic Frontier Foundation's STARTTLS Policy List, which would reportedly help mitigate downgrade attacks, so servers have another point of reference to discover that Fastmail supports STARTTLS.

May Fastmail consider doing so?

BritTim 17 Sep 2018 12:51 AM

The real solution to the man-in-the-middle attacks that allow downgrading of the security in message transfers is improved security around DNS. As I understand it, there are no known ways to intercept SMTP traffic via downgrade attacks when DNSSEC is properly implemented. The EFF STARTTLS policy list, which may or may not make a difference depending on whether the correspondent mail service references it, is an inelegant hack.

ppm 17 Sep 2018 12:58 AM

Thanks, Tim
Quote:

Originally Posted by BritTim (Post 607768)
The real solution to the man-in-the-middle attacks that allow downgrading of the security in message transfers is improved security around DNS. As I understand it, there are no known ways to intercept SMTP traffic via downgrade attacks when DNSSEC is properly implemented. The EFF STARTTLS policy list, which may or may not make a difference depending on whether the correspondent mail service references it, is an inelegant hack.

Thanks for your comment on my query. Looks like this policy list is not so useful, then.

ewal 23 Sep 2018 06:17 PM

Just a related side note on STARTTLS. When I saw the recent email that Fastmail sent out on this, I checked my domains (where I point the MX records at Fastmail) to check their status and found they all failed.

Anyway, after checking with Fastmail support, turns out I was using the old Fastmail MX servers (I had created my domains years ago).

Anyway, a quick change of the MX records to the following sorted things out:

in1-smtp.messagingengine.com
in2-smtp.messagingengine.com

The old servers (still working) are

in1.smtp.messagingengine.com.
in2.smtp.messagingengine.com

So just change the first period to a dash.

Fastmail say they will identify and notify users who are still using the old MX servers.
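The MX check described above, as an added example that is not part of the thread and not Fastmail's own tooling: the two current and two legacy hostnames are the ones quoted in the post, the classification and the EHLO probe are this example's own logic, and the sample DNS answer is constructed.

```python
# Added example: classify a domain's MX hosts against the Fastmail hostnames
# quoted in the thread and, optionally, probe a host for the STARTTLS
# extension. The SMTP probe needs network access; classification runs offline.
import smtplib

# Hostnames quoted in the thread (lower-case, no trailing dot).
CURRENT_MX = {"in1-smtp.messagingengine.com", "in2-smtp.messagingengine.com"}
LEGACY_MX = {"in1.smtp.messagingengine.com", "in2.smtp.messagingengine.com"}


def normalize(host):
    """Lower-case a hostname and strip the trailing dot that DNS tools print."""
    return host.strip().lower().rstrip(".")


def classify_mx(host):
    """Return 'current', 'legacy' or 'other' for one MX hostname."""
    h = normalize(host)
    if h in CURRENT_MX:
        return "current"
    if h in LEGACY_MX:
        return "legacy"
    return "other"


def audit_mx(records):
    """records: iterable of (priority, host) pairs as returned by an MX lookup.
    Returns (priority, normalized host, classification) tuples, lowest priority first."""
    return sorted((int(p), normalize(h), classify_mx(h)) for p, h in records)


def starttls_offered(host, port=25, timeout=10):
    """Connect to an MX host and report whether its EHLO response advertises
    STARTTLS. Returns True/False, or None if the host could not be reached."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            return smtp.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return None


if __name__ == "__main__":
    # Constructed sample answer, in the shape `dig MX example.org +short` prints.
    sample = [(20, "in2.smtp.messagingengine.com."), (10, "in1.smtp.messagingengine.com.")]
    for prio, host, kind in audit_mx(sample):
        print(prio, host, kind)  # both hosts are reported as "legacy"
```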



