Re: tls proxy in front of spamd?

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Jussi Peltola

Subject: Re: tls proxy in front of spamd?

Date: Wednesday, May 5, 2010 - 8:41 am

On Wed, May 05, 2010 at 03:30:06PM +0100, Kevin Chadwick wrote:
quoted text> Do you not think it would be better for mail servers to try ssl on one
> port and then plain on port 25 if a rst or timeout occurs. Then it
> would be harder for attackers to force falling back to plain and
> forcing only tls would be easier.

Ugh...
If the attacker can modify the EHLO to not include STARTTLS he surely
can also send a RST in response to your attempt to connect to another
port.

Also, SSL is completely useless without DNSSEC. You just need to spoof
the MX records or the A records they point to and you've lost.

Current day email just is not secure. It's no use trying to pretend
otherwise.

Jussi Peltola

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: tls proxy in front of spamd?, Ted Unangst, (Tue May 4, 1:08 pm)

Re: tls proxy in front of spamd?, Hugo Villeneuve, (Tue May 4, 5:57 pm)

Re: tls proxy in front of spamd?, Kevin Chadwick, (Wed May 5, 1:46 am)

Re: tls proxy in front of spamd?, Peter N. M. Hansteen, (Wed May 5, 3:18 am)

Re: tls proxy in front of spamd?, Kevin Chadwick, (Wed May 5, 7:30 am)

tls proxy in front of spamd?, Kevin Chadwick, (Wed May 5, 8:06 am)

Re: tls proxy in front of spamd?, Jussi Peltola, (Wed May 5, 8:41 am)

Re: [Bulk] Re: tls proxy in front of spamd?, Kevin Chadwick, (Wed May 5, 11:27 am)

Re: [Bulk] Re: tls proxy in front of spamd?, Jussi Peltola, (Wed May 5, 5:21 pm)

Re: tls proxy in front of spamd?, Chris Dukes, (Thu May 6, 10:00 am)

Re: [Bulk] Re: tls proxy in front of spamd?, Kevin Chadwick, (Wed May 12, 3:12 pm)


linux-kernel:
Greg Kroah-Hartman	[PATCH 20/36] Driver core: Call device_pm_add() after bus_add_device() in device_a...
Sam Ravnborg	Re: Linux v2.6.27-rc1
Robert Hancock	Re: [PATCH 4/7] CPUFREQ: powernow-k8: Get transition latency from ACPI _PSS table
Steven Rostedt	[PATCH v3 2/6] string: add strtok_r to kernel
Andrew Morton	2.6.23-rc6-mm1
git:
Stephen R. van den Berg	Re: [RFC] origin link for cherry-pick and revert
Christian Stimming	git-gui: Fix broken revert confirmation.
Junio C Hamano	Re: git-svnimport
Anuj Gakhar	Git Architecture Question
Johannes Schindelin	Re: [PATCH] Fix approxidate("never") to always return 0
git-commits-head:
Linux Kernel Mailing List	ath9k_htc: Allocate URBs properly
Linux Kernel Mailing List	[ARM] dma: use new dmabounce_sync_for_xxx() for dma_sync_single_xxx()
Linux Kernel Mailing List	MIPS: Cavium: Remove unused watchdog code.
Linux Kernel Mailing List	V4L/DVB (8976): af9015: Add USB ID for AVerMedia A309
Linux Kernel Mailing List	ARM: 5670/1: bcmring: add default configuration for bcmring arch
linux-netdev:
Gerrit Renker	v2 [PATCH 1/4] dccp: Limit feature negotiation to connection setup phase
Daniel Lezcano	getsockopt(TCP_DEFER_ACCEPT) value change
David Miller	Re: 2.6.27.18: bnx2/tg3: BUG: "scheduling while atomic" trying to ifenslave a seco...
Ingo Molnar	Re: [regression] nf_iterate(), BUG: unable to handle kernel NULL pointer dereference
Gerrit Renker	[PATCH 37/37] dccp: Debugging functions for feature negotiation
openbsd-misc:
Christophe Rioux	Implementation example of snmp
Ryan McBride	Re: Packets Per Second Limit?
Nick Holland	Re: booting openbsd on eee without cd-rom
Bryan Irvine	Re: OpenBSD 4.7 Released, May 19 2010
Jacob Yocom-Piatt	Re: Same shit all over again