Date: Sun, 24 Nov 2024 21:45:31 +0000 (UTC)
From: Alexander Burke <alex@alexburke.ca>
To: freebsd-questions@freebsd.org
Subject: Re: dragonfly mail agent (dma) no tls by default
Message-ID: <64b3886a-c2df-48e4-8304-c3dcc9596726@alexburke.ca>
In-Reply-To: <CAAtiVbVBO6POVVHYF8tT8cJ=bUF+OO3RcBAvvuKPfVvc-PPEKg@mail.gmail.com>
References: <CAAtiVbVBO6POVVHYF8tT8cJ=bUF+OO3RcBAvvuKPfVvc-PPEKg@mail.gmail.com>
Hello,

>tls (yeah well, starttls)

I recommend — in the strongest possible terms — that you NEVER rely on STARTTLS, instead specifying the IMAPS (993) and SMTPS (465) ports and mandating TLS on every connection.

2014: https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
2021: https://lwn.net/Articles/866481/

Cheers,
Alex

----------------------------------------
2024-11-24T17:32:30Z Paul Eskello <paul.eskello@gmail.com>:
> Hi gang (m/f/x),
>
> Today I accidentally discovered my mailhub did not use tls sending outbound email, for some mail. It turned out my old procmail uses sendmail which is now dma, since I upgraded to freebsd 14.
>
> I enabled SECURETRANSFER and STARTTLS in /etc/dma.conf. Done. :-) After thinking about it, I presume I missed a HEADS UP, since all is well documented in https://docs.freebsd.org/en/books/handbook/mail/ . I scribbled some lines to my upgrade checklist.
>
> But then I started to wonder: why is tls (yeah well, starttls) disabled by default? Isn't that too conservative in soon-to-be 2025?
>
> P
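Added example, not part of the thread and not dma's or FreeBSD's code: a small Python audit of the outbound-TLS posture a /etc/dma.conf yields, covering the edit Paul describes (SECURETRANSFER plus STARTTLS), the stock file with both still commented out, and the SMTPS-on-465 setup Alex recommends. SECURETRANSFER and STARTTLS are the options named in the thread; the file syntax, the OPPORTUNISTIC_TLS, SMARTHOST and PORT options, the default port of 25, and the semantics attached to each posture are my assumptions drawn from dma.conf(5), and the sample configs are constructed.

```python
# Added example (not dma's code): audit the outbound-TLS posture of a dma.conf.
#
# Assumed dma.conf syntax: one option per line, '#' starts a comment,
# boolean options are enabled by the bare keyword (SECURETRANSFER, STARTTLS,
# OPPORTUNISTIC_TLS) and valued options are "KEY value" (SMARTHOST, PORT).
# SECURETRANSFER and STARTTLS are named in the thread; the rest is assumed
# from dma.conf(5).

from typing import Dict, List, Union

Options = Dict[str, Union[str, bool]]


def parse_dma_conf(text: str) -> Options:
    """Return the enabled options: bare keywords map to True, 'KEY value' to value."""
    opts: Options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        opts[key] = parts[1].strip() if len(parts) > 1 else True
    return opts


def tls_posture(opts: Options) -> str:
    """Classify how dma will talk to its relay given these options.

    Assumed semantics: SECURETRANSFER alone = TLS from the first byte (SMTPS);
    SECURETRANSFER + STARTTLS = plaintext greeting, then a required upgrade;
    OPPORTUNISTIC_TLS on top of that = continue in plaintext if the upgrade
    is unavailable, which is the downgrade window the linked articles describe.
    """
    if "SECURETRANSFER" not in opts:
        return "plaintext"
    if "STARTTLS" not in opts:
        return "implicit-tls"
    return "opportunistic-starttls" if "OPPORTUNISTIC_TLS" in opts else "mandatory-starttls"


def audit_dma_conf(text: str) -> Dict[str, object]:
    """Return the posture plus a list of findings; an empty list means nothing to flag."""
    opts = parse_dma_conf(text)
    posture = tls_posture(opts)
    port = str(opts.get("PORT", "25"))  # dma's default port, assumed to be 25
    findings: List[str] = []
    if posture == "plaintext":
        findings.append("outbound SMTP is plaintext: SECURETRANSFER is not set")
    elif posture == "opportunistic-starttls":
        findings.append("OPPORTUNISTIC_TLS permits a silent fallback to plaintext "
                        "if the STARTTLS offer is stripped in transit")
    elif posture == "mandatory-starttls":
        findings.append("STARTTLS is required, but the session still opens in "
                        "plaintext; implicit TLS on port 465 avoids that exposure")
    elif posture == "implicit-tls" and port != "465":
        findings.append(f"implicit TLS configured but PORT is {port}; "
                        "SMTPS is conventionally 465")
    return {"posture": posture, "findings": findings}


# Constructed samples (hypothetical relay name). SAMPLE_DEFAULT mirrors the
# shape of a stock file with TLS commented out; SAMPLE_PAUL is that file after
# the edit described in the thread; SAMPLE_SMTPS is the recommended 465 setup.
SAMPLE_DEFAULT = """
SMARTHOST mail.example.net
PORT 25
#SECURETRANSFER
#STARTTLS
"""
SAMPLE_PAUL = SAMPLE_DEFAULT.replace("#SECURETRANSFER", "SECURETRANSFER") \
                            .replace("#STARTTLS", "STARTTLS")
SAMPLE_SMTPS = """
SMARTHOST mail.example.net
PORT 465
SECURETRANSFER
"""

if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT), ("paul", SAMPLE_PAUL),
                       ("smtps", SAMPLE_SMTPS)):
        result = audit_dma_conf(conf)
        print(f"{name}: {result['posture']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run it against a real /etc/dma.conf by reading the file into `audit_dma_conf`; a "plaintext" posture is what a missed HEADS UP looks like after an upgrade, and it is cheap to put this check on the upgrade checklist next to the manual edit.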