[Cryptography] SUBMIT is not SMTP, was IAB Statement on Internet Confidentiality
Viktor Dukhovni
cryptography at dukhovni.org
Wed Nov 19 18:42:12 EST 2014
On Wed, Nov 19, 2014 at 02:37:11PM -0800, Abe Singer wrote:
> Regarding the justification of breaking the encrytped, authenticated
> session to check for spam, if an ISP considers that activity on port
> 587 to be acceptable, then it really has no justification do
> otherwise for the same on port 25.
This is the cryptography list. I think we can have naive discussion
of email protocols and infrastructure somewhere else.
Summary:
* An ISP was observed to strip STARTTLS on port 25, rather than
block the port outright.
* While this could have been nefarious, it is far more likely an
anti-spam measure. Of course opinions about whether anti-spam
measures by ISPs are nefarious or not vary.
* Most MUAs should be using port 587 submission, and would not have
been affected.
* The clients in question were exceedingly unlikey to have been MTAs.
* MITM resistance for MTA-to-MTA traffic is available non-scalably
via bilateral agreements between peer systems.
* MITM resistance for MTA-to-MTA traffic is also available scalably
via DNSSEC + DANE, but current deployment numbers for DNSSEC
and the sheer novelty of DANE for SMTP mean that coverage is
for now *very* thin. Initial deployments are mostly in Germany.
* Some folks on this list don't give a hoot about TLS for SMTP
transport, since it is not end-to-end. Indeed SMTP transport
security does not protect data at rest.
I think that about covers it. Perhaps we can move on.
--
Viktor.
More information about the cryptography
mailing list