I absolutely love the email protocols.

x1 LOGIN user@domain password
x2 LIST "" "*"
x3 SELECT Inbox

Because a state machine is clearly too hard to implement in server software, clients must instead do the state machine thing and therefore it must be in the IMAP protocol.

I should be careful with this one since there's already more than enough spam on the interwebs, and it's a good thing that the "developers" of these email bombers don't know jack shit about the protocol. But suffice it to say that much like on a real letter, you have an envelope and a letter inside. You know these envelopes with a transparent window so you can print the address information on the letter? Or the "regular" envelopes where you write it on the envelope itself?
Yeah not with SMTP. Both your envelope and your letter have them, and they can be different. That's why you can have an email in your inbox that seemingly came from yourself. The mail server only checks for the envelope headers, and as long as everything checks out domain-wise and such, it will be accepted. Then the mail client checks the headers in the letter itself, the data field as far as the mail server is concerned (and it doesn't look at it). Can be something else, can be nothing at all. Emails can even be sent in the future or the past.

Postfix' main.cf:
You have this property "mynetworks" in /etc/postfix/main.cf where you'd imagine you put your own networks in, right? I dunno, to let Postfix discover what your networks are.. like it says on the tin? Haha, nope. This is a property that defines which networks are allowed no authentication at all to the mail server, and that is exactly what makes an open relay an open relay. If any one of the addresses in your networks (such as a gateway, every network has one) is also where your SMTP traffic flows into the mail server from, congrats the whole internet can now send through your mail server without authentication. And all because it was part of "your networks".

Yeah when it comes to naming things, the protocol designers sure have room for improvement... And fuck email.

Oh, bonus one - STARTTLS:
So SMTP has this thing called STARTTLS where you can.. unlike mynetworks, actually start a TLS connection like it says on the tin. The problem is that almost every mail server uses self-signed certificates, so they're basically meaningless. You don't have a chain of trust. Also not everyone supports it *cough* government *cough*, so if you want to send email to those servers, your TLS policy must be opportunistic, not enforced. And as icing on the cake, if anything is wrong with the TLS connection (such as an MITM attack), the protocol will actively downgrade to plain. I dunno.. isn't that exactly what the MITM attacker wants? Yeah, great design right there. Are the designers of the email protocols fucking retarded?
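The envelope-versus-letter point from the post above, as an added example (my code, not part of the original rant): a throwaway SMTP receiver on localhost records only MAIL FROM and RCPT TO and stores DATA as an opaque blob, while smtplib sends a message whose header From: and Date: disagree with the envelope. The receiver accepts it without complaint, and only a client-side parse of the "letter" reveals the mismatch. The hostnames and addresses (sink.example, client.example, spammer.invalid, you@example.com) and the future date are constructed; from_aligned() is a hypothetical strict-alignment check of the kind DMARC bolts on afterwards, not something the base protocol does.

```python
import smtplib
import socket
import threading
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr


def smtp_sink(server_sock, captured):
    """Minimal receiving MTA: records the envelope (MAIL FROM / RCPT TO) and stores
    DATA unread, exactly the behaviour the post describes.  Assumed hostname sink.example."""
    conn, _ = server_sock.accept()
    rcpts = []
    with conn, conn.makefile("rb") as rd, conn.makefile("wb") as wr:
        def reply(line):
            wr.write(line.encode() + b"\r\n")
            wr.flush()
        reply("220 sink.example ESMTP")
        while True:
            line = rd.readline()
            if not line:
                break
            cmd = line.decode(errors="replace").rstrip("\r\n")
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                reply("250 sink.example")
            elif verb == "MAIL":
                captured["mail_from"] = cmd.split(":", 1)[1].strip().strip("<>")
                reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                rcpts.append(cmd.split(":", 1)[1].strip().strip("<>"))
                reply("250 2.1.5 Ok")
            elif verb == "DATA":
                reply("354 End data with <CR><LF>.<CR><LF>")
                body = b""
                while True:
                    l = rd.readline()
                    if l in (b".\r\n", b".\n", b""):
                        break
                    body += l[1:] if l.startswith(b"..") else l  # undo dot-stuffing
                captured["data"], captured["rcpt_to"] = body, list(rcpts)
                reply("250 2.0.0 Ok: queued")   # accepted; headers inside were never inspected
            elif verb == "QUIT":
                reply("221 Bye")
                break
            else:
                reply("500 5.5.1 Command not recognized")


def from_aligned(envelope_from, header_from):
    """Hypothetical strict alignment check: MAIL FROM domain must equal header From: domain.
    Plain SMTP never does this; DMARC is the extension that adds it."""
    return envelope_from.rsplit("@", 1)[-1].lower() == header_from.rsplit("@", 1)[-1].lower()


def demo():
    """Send one message where the envelope and the letter disagree; return what each side saw."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    captured = {}
    t = threading.Thread(target=smtp_sink, args=(srv, captured), daemon=True)
    t.start()
    msg = EmailMessage()                                  # the "letter" inside the envelope
    msg["From"] = "you@example.com"                       # claims to come from the recipient
    msg["To"] = "you@example.com"
    msg["Date"] = "Wed, 01 Jan 2031 00:00:00 +0000"       # constructed future date; nobody checks
    msg["Subject"] = "envelope vs header (constructed example)"
    msg.set_content("The receiving MTA never looked at these headers.")
    with smtplib.SMTP("127.0.0.1", srv.getsockname()[1], local_hostname="client.example") as s:
        # the envelope: the only thing the MTA acts on
        s.sendmail("bounces@spammer.invalid", ["you@example.com"], msg.as_bytes())
    t.join(5)
    srv.close()
    letter = message_from_bytes(captured["data"])        # what the mail client will display
    header_from = parseaddr(letter["From"])[1]
    return {
        "envelope_from": captured["mail_from"],
        "envelope_rcpt": captured["rcpt_to"],
        "header_from": header_from,
        "header_date": letter["Date"],
        "aligned": from_aligned(captured["mail_from"], header_from),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-14s %s" % (k, v))
```

Run it and the envelope sender comes back as bounces@spammer.invalid while the letter says it is from you@example.com, dated 2031; the sink returned 250 for all of it. The alignment check is the piece a receiving side has to add itself (via SPF/DKIM/DMARC) if it wants the envelope and the letter to agree.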

  • 7
    The problem with StartTLS goes even further: If certificates are validated, then they should match either the target domain, or the hostnames in the MX records.

    Once you are a man in the middle, you can just change the MX records to your servers, and even with certificate validation of the mail server, you can now read the mails.

    Anyway, we do have some methods against this:
    - StartTLS Everywhere, a list of mail servers that can always do TLS; there are e.g. plugins for mail servers
    - DANE, a DNS entry with pinned certificates and StartTLS announcement; requires DNSSEC
    - MTA-STS, which is a mix of DNS and a policy delivered over HTTPS, to announce permanent availability of StartTLS, including MX record pinning. Once a sending mail server sees a policy, it stores the policy until it expires.
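An added example (my code, not the commenter's) of the MX pinning the comment above describes: it parses a constructed MTA-STS policy file and _mta-sts TXT record, applies the RFC 8461 wildcard rule for matching MX names, and makes the sender's delivery decision in enforce versus testing mode. The domain example.com, the attacker MX mail.attacker.example and the tls_valid set (which hosts completed STARTTLS with a CA-validated, name-matching certificate) are assumptions standing in for real DNS and TLS results.

```python
# Constructed policy, the document a sending MTA would fetch from
# https://mta-sts.example.com/.well-known/mta-sts.txt (hypothetical domain).
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_sts_txt(txt):
    """Parse the _mta-sts.<domain> TXT record ('v=STSv1; id=<opaque>').  A changed id
    tells the sender to refetch the policy over HTTPS before the cached one expires."""
    fields = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not an MTA-STS TXT record: %r" % txt)
    return fields


def parse_policy(text):
    """Parse an MTA-STS policy file into a dict; every mx: line is collected under 'mx'."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % raw)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    for required in ("version", "mode", "max_age"):
        if required not in policy:
            raise ValueError("policy missing %s" % required)
    if policy["version"] != "STSv1" or policy["mode"] not in ("enforce", "testing", "none"):
        raise ValueError("unsupported policy version or mode")
    policy["max_age"] = int(policy["max_age"])
    return policy


def mx_matches(pattern, hostname):
    """RFC 8461 MX matching: exact name, or '*.' standing for exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".backup.example.com"
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return pattern == hostname


def delivery_decision(policy, mx_hosts, tls_valid):
    """mx_hosts: MX names as resolved from DNS (spoofable by a MITM without DNSSEC).
    tls_valid: the subset where STARTTLS worked with a trusted, name-matching certificate.
    Returns where the sender may deliver and whether it must fail closed instead."""
    pinned = [h for h in mx_hosts if any(mx_matches(p, h) for p in policy["mx"])]
    usable = [h for h in pinned if h in tls_valid]
    rejected = [h for h in mx_hosts if h not in usable]
    if policy["mode"] == "enforce":
        # enforce: never fall back to plaintext or to an unlisted MX; queue or bounce instead
        return {"deliver_to": usable, "fail_closed": not usable, "rejected": rejected}
    # testing / none: deliver as before (plaintext if need be) but report the mismatches
    return {"deliver_to": list(mx_hosts), "fail_closed": False, "rejected": rejected}


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    # constructed DNS answer where a MITM has inserted its own MX
    mxs = ["mail.example.com", "mail.attacker.example"]
    print(delivery_decision(policy, mxs, {"mail.example.com", "mail.attacker.example"}))
    print(delivery_decision(policy, ["mail.attacker.example"], {"mail.attacker.example"}))
```

The second call in the main block is the case the comment is about: the attacker's MX presents a perfectly valid certificate for its own name, which plain certificate validation would accept, but it is not on the pinned list, so in enforce mode the sender refuses to deliver rather than downgrading. A host that is on the list but fails TLS is refused the same way; in testing mode both still get the mail and only show up in the report.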
  • 1

    Don't forget,
    DANE records validate the server
    MTA-STS validates the domain
  • 6
    The problem isn't IMAP and SMTP. The problem is that they were good enough to not get replaced.
  • 0
    @assmaster nice bot :)
  • 0
    I read your post, but honestly I didn't understand 90% of it!

    If you know and like this stuff, and have problems with current technology, why don't you create your own protocol?
  • 0
    @115105109 I'm still trying to understand email myself honestly. I can send emails via nc and it's often done for troubleshooting, but there's so much more to email than just those basic emails. In fact that's something that annoys me about email, the protocol has been made so damn complicated with extension after extension. But there's also a reason for that, and government mail servers that don't do TLS showcase that quite well. Email has not been designed with futureproofing in mind. So extensions are made all the time to make this trainwreck of a protocol work somewhat quarter-ass decent.

    Everyone that runs a mail server regrets and hates running a mail server, to the point where I'd actually consider it a metric to determine who has run a mail server and who hasn't. But replacing it.. while we all want to, we all know that compatibility is not in our favor. It's hard to make an extension and make people adopt it, and it's gonna be even harder to make people use a new protocol.
  • 0
    @Condor I disagree with you and certainly do not regret running a mail server.
    Sure, some extensions are quite... messy but almost always I use one of authentication, StartTLS, UTF-8 and delivery notifications.

    And government servers not supporting TLS... They are always years behind current development, and what was it a few years ago? Even many mail providers did not support TLS. Just because they are too idiotic to configure TLS as they would do for any other application using TLS does not show that SMTP is complicated.

    On the contrary, while I find SMTP a bit verbose, it is human readable and can even be performed by a human, if needed.
  • 0
    @sbiewald well yeah I guess there are exceptions to that, just many people that I talked to or started setting up a mail server of their own recently absolutely hated it. Though eventually I guess it becomes more and more familiar and less annoying to work with mail servers. And when they work they're awesome of course.

    TLS might not have been ideal as an example, though STARTTLS definitely was one of the extensions of otherwise plain email. And it was poorly done IMO, there are much better implementations in other protocols. Maybe it's indeed just government stuff with TLS but I find it super annoying that I have to bend myself like a pretzel to support every other mail server that doesn't support this or that feature.

    The SMTP protocol can indeed be performed by humans and that's awesome, but so can many other protocols. Retrieving a web page is also as simple as "GET /webpage.html" (HTTP/1.1 seemingly optional).