From: Alexander Burke <alex@alexburke.ca>
To: freebsd-questions@freebsd.org
Date: Sun, 24 Nov 2024 21:45:31 +0000 (UTC)
Subject: Re: dragonfly mail agent (dma) no tls by default
Message-ID: <64b3886a-c2df-48e4-8304-c3dcc9596726@alexburke.ca>
List-Id: User questions <freebsd-questions.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Hello,

>tls (yeah well, starttls)

I recommend — in the strongest possible terms — that you NEVER rely on STARTTLS, instead specifying the IMAPS (993) and SMTPS (465) ports and mandating TLS on every connection.

2014: https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
2021: https://lwn.net/Articles/866481/

Cheers,
Alex

----------------------------------------
2024-11-24T17:32:30Z Paul Eskello <paul.eskello@gmail.com>:

> Hi gang (m/f/x),
>
> Today I accidentally discovered my mailhub did not use tls sending outbound email, for some mail. It turned out my old procmail uses sendmail, which is now dma, since I upgraded to freebsd 14.
>
> I enabled SECURETRANSFER and STARTTLS in /etc/dma.conf. Done. :-) After thinking about it, I presume I missed a HEADS UP, since all is well documented in https://docs.freebsd.org/en/books/handbook/mail/ . I scribbled some lines into my upgrade checklist.
>
> But then I started to wonder: why is tls (yeah well, starttls) disabled by default? Isn't that too conservative in soon-to-be 2025?
>
> P
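Added example for this thread (not from either poster): the two postures discussed above, expressed with dma's own configuration keys. The key names (SMARTHOST, PORT, SECURETRANSFER, STARTTLS, OPPORTUNISTIC_TLS, FINGERPRINT) are the ones documented in the sample dma.conf that ships with dma; the relay hostname, the port choices and the fingerprint value are placeholders, not anything from the original messages.

```conf
# Added example, not from the thread. Key names are dma's own (see the
# sample dma.conf shipped with dma). The host, ports and fingerprint are
# placeholders; replace them with your relay's real values.

# Placeholder relay host.
SMARTHOST smtp.example.net

# Downgradable posture (the one to avoid): SECURETRANSFER plus STARTTLS
# negotiates TLS only after the cleartext greeting, and OPPORTUNISTIC_TLS
# tells dma to keep delivering in cleartext if that negotiation is
# refused or stripped by something in the path.
#PORT 587
#SECURETRANSFER
#STARTTLS
#OPPORTUNISTIC_TLS

# Posture the reply argues for: TLS from the first byte on the SMTPS
# port. There is no STARTTLS exchange for a middlebox to strip, and no
# cleartext fallback because OPPORTUNISTIC_TLS is not set.
PORT 465
SECURETRANSFER

# Optional pin on the relay's certificate (SHA-256 fingerprint). The
# value is a placeholder; take the real one from the server certificate.
#FINGERPRINT 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
```

One point worth checking in your own config: per the sample dma.conf, STARTTLS without OPPORTUNISTIC_TLS is mandatory TLS (a failed negotiation aborts delivery rather than falling back), so the setting that actually reopens the downgrade path is OPPORTUNISTIC_TLS; the implicit-TLS block above simply removes the negotiation step altogether.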