John Levine <[email protected]> wrote:
    >> https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
    >> 
    >> "In recent months, researchers have reported ISPs in the US and
    >> Thailand intercepting their customers' data to strip a security
    >> flag—called STARTTLS—from email traffic."
    >> 
    >> Thanks to Viktor, properly configured postfix clients deployed with
    >> DANE should detect this and refuse to send the email unencrypted.

    > This is an anti-spam measure on port 25 traffic on a few mobile
    > networks.  I expect there aren't a lot of copies of Postfix running on
    > mobile devices.  For all those other mobile users, if they're

Any person with a laptop with postfix on it being "tethered" might do this.
I do it regularly; I don't do direct delivery, but do authenticated (via
STARTTLS cert) relaying to a machine in the cloud... I have been using port
26 for this for a decade plus due to port 25 being blocked.

While the submit port might make sense, it was easier to configure this
as straight SMTP.

At least, if this happened to me, the relay would refuse to accept my email,
since it wasn't authenticated; I don't think that I force TLS on the client,
but I probably could.

It's not unusual for an entire office to wind up tethered to someone's mobile
device (or mifi) when a backhoe event occurs.

{and I'm happy to relay for friends and family}


-- 
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-




_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
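
The downgrade discussed in this thread, as an added example that is not part of the original message and is not Postfix code: a simplified model of how a sending client's TLS policy decides what happens when STARTTLS is missing from the EHLO reply. The level names follow Postfix's `smtp_tls_security_level`; the function names, the hostname and the sample replies are constructed for illustration.

```python
# Simplified model of an SMTP client's reaction to a stripped STARTTLS flag.
# Level names mirror Postfix's smtp_tls_security_level values; everything
# else (function names, hostname, sample replies) is constructed.

# Constructed EHLO replies: what the relay sent, and what arrives after a
# middlebox has removed the STARTTLS line.
HONEST = "250-relay.example.net\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
STRIPPED = "250-relay.example.net\r\n250-PIPELINING\r\n250 8BITMIME\r\n"


def ehlo_extensions(reply):
    """Return the extension keywords advertised in a multi-line 250 reply."""
    lines = [line for line in reply.splitlines() if line.strip()]
    exts = set()
    for line in lines[1:]:  # the first line only carries the server name
        if not line.startswith("250") or len(line) < 5:
            continue
        words = line[4:].split()  # skip "250-" or "250 "
        if words:
            exts.add(words[0].upper())
    return exts


def effective_level(configured, tlsa="none"):
    """Resolve 'dane' to the level it falls back or hardens to.

    tlsa is the outcome of the DNSSEC-validated TLSA lookup:
    'none' (no records), 'usable', or 'unusable' (records found, none usable).
    """
    if configured != "dane":
        return configured
    return {"none": "may", "usable": "dane", "unusable": "encrypt"}[tlsa]


def decide(reply, configured, tlsa="none"):
    """Return 'starttls', 'plaintext' or 'defer' for this delivery attempt."""
    level = effective_level(configured, tlsa)
    offered = "STARTTLS" in ehlo_extensions(reply)
    if offered:
        return "starttls" if level != "none" else "plaintext"
    # STARTTLS absent: opportunistic levels fall back silently,
    # mandatory levels refuse to hand over the message.
    return "plaintext" if level in ("none", "may") else "defer"


if __name__ == "__main__":
    for level, tlsa in [("may", "none"), ("encrypt", "none"), ("dane", "usable")]:
        print(level, tlsa, "->", decide(STRIPPED, level, tlsa))
```

Only the opportunistic case (`may`, or `dane` with no TLSA records published) sends in the clear when the flag is removed; the mandatory levels leave the message queued instead.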
