Just to pass on my observations in here. YMMV.
I would not have port 25 open inbound for client communication.
Port 25, IMHO, should only be used for server-to-server communication. I
crossed that bridge a long time ago when ISPs started blocking port
25 and moved client inbound traffic to port 587.
I have also opened up all necessary SSL enabled ports and allow SSL
and non-SSL traffic. I am not 100% certain I can remove non-SSL
traffic with my customer base.
My customer base is mostly small businesses. You will find a myriad
of weird one-off applications out there yet that want to send email,
but don't understand SSL yet. Unless you want to go through the
pain of installing an SMTP relay service at each of these clients,
you may find yourself stuck supporting non-SSL for quite a while.
A classic is an old application called Atrix. It can send email via
MAPI or directly. The problem with MAPI is that Outlook will want to
encapsulate the outgoing quote (in PDF format) and non-Outlook
clients will see a winmail.dat attachment. And that's not going to
work very well...
Lyle Giese
LCR Computer Services, Inc.
On 11/14/14 21:56, Michael Prichard wrote:
In light of the information described from the link
below, I was wondering what might be the best strategies to
ensure that our users aren't having their e-mail connections
unwittingly reduced to the non-SSL variety, despite their mail
client settings:
https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
We currently have our servers configured with SSL
enabled on the appropriate ports for all mail services (IMAP,
SMTP, Surgeweb), but we've also left the default ports, namely
25, 110, 143, open for clients that seem to use these to
initiate and then escalate to StartTLS (pardon the errors in my
characterization), if I'm understanding that process correctly.
I’d like to lock down our servers to restrict all communications
to SSL protected ones. A quick scan of the status pages shows
that all users are currently already connecting via SSL.
Is the only way to do this to simply shut down the
default non-SSL ports? Is there another flag that could be set
to allow initial contact for the sake of launching StartTLS but
then rejecting further communications if SSL is not
established?
If disabling the non-SSL ports is the best method,
I’m assuming that I simply insert “disabled” in place of the
port numbers. If doing so for the POP 110 ports, does this
affect Surgemail mirroring? I have my g_mirror_nossl unchecked
since my servers are connected via the open internet, but I
don’t know if it uses the same port for SSL connections or uses
995 exclusively.
Thanks for any advice.
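The posture Michael is asking about (keep the plaintext port open so clients can reach STARTTLS, but refuse credentials until TLS is actually up) can be verified from the server's own pre-TLS replies. The following is an added illustration, not code from this thread or from SurgeMail: it parses an SMTP EHLO reply and an IMAP CAPABILITY reply as a client would see them before issuing STARTTLS, and reports whether a cleartext authentication path is exposed and whether STARTTLS is advertised at all (a missing STARTTLS advertisement is exactly what a stripping intermediary produces). The sample replies are constructed, the host names are placeholders, and the function and class names are my own.

```python
"""Check pre-TLS SMTP EHLO and IMAP CAPABILITY replies for cleartext-auth exposure.

Added example; the sample responses below are constructed, not captured.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class AuthPolicyReport:
    """What a server advertised before any TLS was negotiated."""
    starttls_offered: bool
    plaintext_auth_offered: bool

    @property
    def ok(self) -> bool:
        # Safe pre-TLS posture: STARTTLS is advertised and no cleartext
        # authentication path is usable on the still-unencrypted connection.
        return self.starttls_offered and not self.plaintext_auth_offered


def parse_ehlo(response: str) -> dict[str, list[str]]:
    """Map EHLO extension keywords (upper-cased) to their parameters (RFC 5321).

    Lines look like "250-KEYWORD params" or, for the last one, "250 KEYWORD".
    The first 250 line is the greeting ("250-host Hello ...") and is skipped.
    """
    extensions: dict[str, list[str]] = {}
    greeting_seen = False
    for raw in response.splitlines():
        line = raw.strip()
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        if not greeting_seen:
            greeting_seen = True
            continue
        parts = line[4:].split()
        if parts:
            extensions[parts[0].upper()] = parts[1:]
    return extensions


def check_smtp(ehlo_response: str) -> AuthPolicyReport:
    """Judge an EHLO reply received before STARTTLS was issued."""
    ext = parse_ehlo(ehlo_response)
    return AuthPolicyReport(
        starttls_offered="STARTTLS" in ext,
        # AUTH advertised here means a client may send credentials in the clear.
        plaintext_auth_offered="AUTH" in ext,
    )


def parse_imap_capability(response: str) -> set[str]:
    """Collect tokens from '* CAPABILITY ...' untagged responses (RFC 3501)."""
    caps: set[str] = set()
    for raw in response.splitlines():
        tokens = raw.strip().split()
        if len(tokens) >= 2 and tokens[0] == "*" and tokens[1].upper() == "CAPABILITY":
            caps.update(t.upper() for t in tokens[2:])
    return caps


def check_imap(capability_response: str) -> AuthPolicyReport:
    """Judge an IMAP CAPABILITY reply received before STARTTLS was issued."""
    caps = parse_imap_capability(capability_response)
    # LOGINDISABLED tells clients that LOGIN is refused until TLS is up;
    # AUTH=PLAIN / AUTH=LOGIN offered at this point are cleartext paths too.
    login_open = "LOGINDISABLED" not in caps
    cleartext_sasl = "AUTH=PLAIN" in caps or "AUTH=LOGIN" in caps
    return AuthPolicyReport(
        starttls_offered="STARTTLS" in caps,
        plaintext_auth_offered=login_open or cleartext_sasl,
    )


# Constructed sample replies (placeholder host names, not real captures).
SMTP_STRICT = (
    "250-mail.example.com Hello client.example.net\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
SMTP_LAX = (
    "250-mail.example.com Hello client.example.net\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# What a client sees when something on the path has removed the STARTTLS
# advertisement: it never upgrades and authenticates in cleartext.
SMTP_STRIPPED = (
    "250-mail.example.com Hello client.example.net\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)
IMAP_STRICT = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n"
IMAP_LAX = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN\r\n"


def summarize() -> dict[str, AuthPolicyReport]:
    """Run every sample through the checks; keyed by sample name."""
    return {
        "smtp_strict": check_smtp(SMTP_STRICT),
        "smtp_lax": check_smtp(SMTP_LAX),
        "smtp_stripped": check_smtp(SMTP_STRIPPED),
        "imap_strict": check_imap(IMAP_STRICT),
        "imap_lax": check_imap(IMAP_LAX),
    }


if __name__ == "__main__":
    for name, report in summarize().items():
        print(f"{name:14} ok={report.ok!s:5} starttls={report.starttls_offered!s:5} "
              f"cleartext_auth={report.plaintext_auth_offered}")
```

To use it against a live server, feed `check_smtp` and `check_imap` the reply text your own server sends on ports 25/587 and 143 before any STARTTLS; a server that is "strict" in this sense can keep those ports open for the upgrade without ever accepting a password in the clear. Whether SurgeMail exposes a setting that produces that behaviour is a question for its documentation, not something this check answers.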