[Cialug] Email host evaluation

Claus Niesen cniesen at gmx.net
Mon Jul 4 22:16:44 CDT 2016


I'm aware that emails are sent in plain text, visible to all, once they leave the server.  That's what PGP is for, which of course most of us don't use. :)

The IMAP password is the thing I'm worried about with the SSL protocols. And whether I should be worried because an old protocol is supported, especially with clients like the Android email client where I can't tell what protocol it accepts.
 

Sent: Friday, 01 July 2016 at 17:44
From: Pixie <pix at kepibu.org>
To: cialug at cialug.org
Subject: Re: [Cialug] Email host evaluation
On 2016.07.01 17:07, Claus Niesen wrote:
> I'm wondering if Gandi's outbound smtp server being on the CASA CBL,
> CASA CBLESS, CASA CBLPLUS, and SORBS SPAM black lists. The first few
> are Chinese maintained lists so I doubt they are used by craigslist
> but I guess the last one could. Tuffmail isn't on any of them.

I wouldn't consider a SORBS listing a dealbreaker. They also have a
habit of listing Google and other large mail providers. Which, sure,
some spam gets out of any large outfit, but that's not really helpful.
Their effect will be accordingly reduced for any mail operator that both
uses them and pays attention to their mail stream.


> Security issues like the SSLv2 are slowly corrected but Tuffmail
> seems to be always behind. Although, because of that they didn't get
> hit with the heartbleed issue. Their current rating is still below
> par: https://www.ssllabs.com/ssltest/analyze.html?d=mail.mxes.net
>
> Do surface checks like this SSL analyzer really allow one to get a good
> picture of an email provider? What are your thoughts on Tuffmail and
> the way Gandi is handling things?

That doesn't really tell you much. For one thing, that server appears
to be talking IMAPS over 443 (SSL labs doesn't check anything other than
443). But mostly, remember: encryption over SMTP is optional and
best-effort. Mail servers don't, and generally can't, validate
certificates--many SMTP server certs are self-signed, or signed by
organization-internal CAs. And if a server cannot connect using TLS,
they will by design fall back to plaintext transmission--so refusing to
use a weak cipher would just result in unencrypted transmission, not no
mail.

Now, one would hope the IMAP/POP3 side would be a little better, but
MUAs are pretty universally terrible and don't get nearly as much love
as browsers, so it's not very surprising that they'd need to support
much older and less-secure configurations. I would hope SSL3 could be
retired by now, but maybe they've still got people using an old version
of Eudora or something.
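To make the best-effort behaviour described above concrete, here is an added example (written for this page, not code from the thread or from either provider) that simulates the opening of an SMTP session against a scripted server: a relaying MTA degrades to plaintext when STARTTLS is missing or the handshake fails, whereas a client about to send a password should fail closed. The server name, extension list and handshake outcome are all constructed; no real TLS is performed.

```python
class ScriptedServer:
    """Constructed stand-in for a remote MTA: every reply is canned."""
    def __init__(self, advertise_starttls, handshake_ok):
        self.advertise_starttls = advertise_starttls
        self.handshake_ok = handshake_ok

    def ehlo(self):
        lines = ["250-mail.example.test", "250-SIZE 10240000"]
        if self.advertise_starttls:
            lines.append("250-STARTTLS")
        lines.append("250 8BITMIME")
        return lines

    def starttls(self):
        # 220 only means "go ahead"; the handshake outcome is simulated here
        return "220 Ready to start TLS", self.handshake_ok


def deliver(server, require_tls=False):
    """Run the opening of an SMTP session and report the channel used.

    Returns ("tls" | "plaintext" | "refused", transcript).
    require_tls=False models a relaying MTA (RFC 3207 opportunistic TLS):
    any TLS problem silently degrades to plaintext. require_tls=True models
    what a client sending a password should do instead: fail closed.
    """
    transcript = ["C: EHLO client.example.test"]
    reply = server.ehlo()
    transcript += ["S: " + line for line in reply]
    # Extension keyword follows "250-" or "250 " (final line)
    offers_tls = any(line[4:] == "STARTTLS" for line in reply)
    if offers_tls:
        transcript.append("C: STARTTLS")
        code, ok = server.starttls()
        transcript.append("S: " + code)
        if ok:
            transcript.append("-- TLS handshake succeeded; channel encrypted --")
            return "tls", transcript
        # A real MTA would reconnect and EHLO again here; simplified
        transcript.append("-- TLS handshake failed (no common version/cipher) --")
    if require_tls:
        transcript.append("C: QUIT  (refusing to send in the clear)")
        return "refused", transcript
    transcript.append("-- continuing in plaintext: MAIL FROM / RCPT TO / DATA --")
    return "plaintext", transcript


if __name__ == "__main__":
    for srv in (ScriptedServer(True, True), ScriptedServer(True, False)):
        channel, log = deliver(srv)
        print("\n".join(log), "\n=> channel:", channel, "\n")
```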
