Getting STARTTLS Everywhere

ppm · 15 Sep 2018, 07:30 PM

In the Fastmail blog, a June 2018 post talks about STARTTLS (https://fastmail.blog/2018/06/27/let...ls-everywhere/).

When testing Fastmail.com on the STARTTLS Everywhere site (https://starttls-everywhere.org/results/?fastmail.com), it reveals that Fastmail.com's mailserver supports STARTTLS, uses great TLS parameters, and presents a valid certificate, which is tops.

However, it also says that the Fastmail.com domain was not added to the Electronic Frontier Foundation's STARTTLS Policy List, which would reportedly help mitigate downgrade attacks, so servers have another point of reference to discover that Fastmail support STARTTLS.

May Fastmail consider doing so?

BritTim · 16 Sep 2018, 11:51 PM

The real solution to the man-in-the-middle attacks that allow downgrading of the security in message transfers is improved security around DNS. As I understand it, there are no known ways to intercept SMTP traffic via downgrade attacks when DNSSEC is properly implemented. The EFF STARTTLS policy list, which may or may not make a difference depending on whether the correspondent mail service references it, is an inelegant hack.

ppm · 16 Sep 2018, 11:58 PM

Quote:

Originally Posted by BritTim

The real solution to the man-in-the-middle attacks that allow downgrading of the security in message transfers is improved security around DNS. As I understand it, there are no known ways to intercept SMTP traffic via downgrade attacks when DNSSEC is properly implemented. The EFF STARTTLS policy list, which may or may not make a difference depending on whether the correspondent mail service references it, is an inelegant hack.

Thanks for your comment on my query. Looks like this policy list is not so useful, then.

ewal · 23 Sep 2018, 05:17 PM

Just as a side related note on STARTTLS. When I saw the recent email that Fastmail sent out on this I checked my domains (where I point the MX records at Fastmail) to check their status and found they all failed.

Anyway, after checking with Fastmail support, turns out I was using the old Fastmail MX servers (I had created my domains years ago).

Anyway a quick change of the MX records to following sorted things out:

in1-smtp.messagingengine.com
in2-smtp.messagingengine.com

The old servers (still working) are

in1.smtp.messagingengine.com.
in2.smtp.messagingengine.com

So just change the first period to a dash.

Fastmail say they will identify and notify users who are still using the old MX servers.

15 Sep 2018, 07:30 PM	#1
ppm Member Join Date: Nov 2003 Location: Hong Kong Posts: 79	Getting STARTTLS Everywhere In the Fastmail blog, a June 2018 post talks about STARTTLS (https://fastmail.blog/2018/06/27/let...ls-everywhere/). When testing Fastmail.com on the STARTTLS Everywhere site (https://starttls-everywhere.org/results/?fastmail.com), it reveals that Fastmail.com's mailserver supports STARTTLS, uses great TLS parameters, and presents a valid certificate, which is tops. However, it also says that the Fastmail.com domain was not added to the Electronic Frontier Foundation's STARTTLS Policy List, which would reportedly help mitigate downgrade attacks, so servers have another point of reference to discover that Fastmail support STARTTLS. May Fastmail consider doing so?

16 Sep 2018, 11:51 PM	#2
BritTim The "e" in e-mail Join Date: May 2003 Location: mostly in Thailand Posts: 3,090	The real solution to the man-in-the-middle attacks that allow downgrading of the security in message transfers is improved security around DNS. As I understand it, there are no known ways to intercept SMTP traffic via downgrade attacks when DNSSEC is properly implemented. The EFF STARTTLS policy list, which may or may not make a difference depending on whether the correspondent mail service references it, is an inelegant hack.

23 Sep 2018, 05:17 PM	#4
ewal Master of the @ Join Date: Apr 2002 Location: West Sussex, UK Posts: 1,334	Just as a side related note on STARTTLS. When I saw the recent email that Fastmail sent out on this I checked my domains (where I point the MX records at Fastmail) to check their status and found they all failed. Anyway, after checking with Fastmail support, turns out I was using the old Fastmail MX servers (I had created my domains years ago). Anyway a quick change of the MX records to following sorted things out: in1-smtp.messagingengine.com in2-smtp.messagingengine.com The old servers (still working) are in1.smtp.messagingengine.com. in2.smtp.messagingengine.com So just change the first period to a dash. Fastmail say they will identify and notify users who are still using the old MX servers.