[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [msmtp-users] [mpop-users] support SHA-2 and SHA-3



Martin Lambers:
First, you need a convincing reason to add a feature; the lack of a convincing reason *not* to add it is not sufficient.

Okay. I would use SHA-512 if I could use it. :)

For SHA-3, the same as above applies, but additionally msmtp/mpop should always use the appropriate GnuTLS (or OpenSSL) function to get a fingerprint and should never implement fingerprint calculation themselves. That can only lead to trouble.

I agree.

But msmtp/mpop do not do this: they will never fall back to unencrypted SMTP/POP.

Ah, I was not aware of the no-fallback. There have been quite a few cases of ISPs just filtering out "StartTLS" from Clients to MTAs:
https://www.techdirt.com/blog/netneutrality/articles/20141012/06344928801/revealed-isps-already-violating-net-neutrality-to-block-encryption-make-everyone-less-safe-online.shtml
http://www.heise.de/newsticker/meldung/Eingriff-in-E-Mail-Verschluesselung-durch-Mobilfunknetz-von-O2-206233.html

Proper TLS beats StartTLS hands-down.
I don't think that is true in general. Do you have any information that supports this claim?

Well one core-argument is the downgrade attack. But someone wrote more about it here: https://www.agwa.name/blog/post/starttls_considered_harmful

Msmtp should now default to the mail submission port 587, with TLS enabled (note that this *requires* STARTTLS). That would require changing the defaults for 'port' and 'tls'. For mpop, only the second applies.

I would welcome a change, but proposing SMTPS on Port 465 instead: again, no StartTLS. But our disagreement is not that relevant, because:

The problem is that 'tls on' as a default does not simply work, because you need at least 'tls_trust_file', and that is unfortunately different everywhere.

That's a very valid point and enough to make me redraw my proposal. :)

Thanks for all your work again!

--
ilf

Über 80 Millionen Deutsche benutzen keine Konsole. Klick dich nicht weg!
		-- Eine Initiative des Bundesamtes für Tastaturbenutzung

Attachment: signature.asc
Description: Digital signature