On Sat, Oct 25, 2014 at 01:13:38AM +0200, Per Thorsheim wrote:

> I've known for many years that Messagelabs, now part of Symantec,
> requests a valid client certificate from a narrow list of CAs if you
> want to use starttls with their servers, at least *.eu.messagelabs.com.

Can you explain what you're talking about?  Sending mail to their
servers via TLS works just fine, with no client certificates of
any kind.

    $ posttls-finger -dsha256 symantec.com
    posttls-finger: Connected to cluster4.us.messagelabs.com[216.82.253.227]:25
    posttls-finger: < 220 server-10.tower-170.messagelabs.com ESMTP
    posttls-finger: > EHLO amnesiac.example
    posttls-finger: < 250-server-10.tower-170.messagelabs.com
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250 8BITMIME
    posttls-finger: > STARTTLS
    posttls-finger: < 220 ready for TLS
    posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: Matched subjectAltName: cluster4.us.messagelabs.com
    posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: subjectAltName: cluster4a.us.messagelabs.com
    posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: subjectAltName: cluster4out.us.messagelabs.com
    posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: subjectAltName: mail170.messagelabs.com
    posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25 CommonName mail170.messagelabs.com
    posttls-finger: certificate verification failed for cluster4.us.messagelabs.com[216.82.253.227]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: subject_CN=cluster4.us.messagelabs.com, issuer_CN=Symantec Class 3 Secure Server CA - G4, fingerprint=50:F0:54:A2:DE:8B:F1:8B:30:41:08:E6:40:DF:C9:2E:68:0C:43:BD:13:F9:40:78:EB:78:C7:F8:56:B8:F4:BB, pkey_fingerprint=AC:5D:D9:85:24:52:21:7C:BE:97:C8:C9:C2:35:E9:FA:1A:8E:6E:19:12:B7:28:EF:35:A5:4C:E3:E8:8C:AA:08
    posttls-finger: Untrusted TLS connection established to cluster4.us.messagelabs.com[216.82.253.227]:25: unknown with cipher DHE-RSA-AES256-SHA (256/256 bits)
    posttls-finger: > EHLO amnesiac.example
    posttls-finger: < 250-server-10.tower-170.messagelabs.com
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250 8BITMIME
    posttls-finger: > QUIT
    posttls-finger: < 221 server-10.tower-170.messagelabs.com

Likewise receiving mail from them also works just fine over TLS,
with the self-signed certificate on my server.

    Aug 22 21:55:45 amnesiac postfix/smtpd[28468]: connect from mail1.bemta8.messagelabs.com[216.82.243.197]
    Aug 22 21:55:45 amnesiac postfix/smtpd[28468]: Anonymous TLS connection established from mail1.bemta8.messagelabs.com[216.82.243.197]: TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Aug 22 21:55:46 amnesiac postfix/smtpd[28468]: 0C6C52AACA3: client=mail1.bemta8.messagelabs.com[216.82.243.197]
    Aug 22 21:55:46 amnesiac postfix/cleanup[27403]: 0C6C52AACA3: message-id=<...>
    Aug 22 21:55:46 amnesiac postfix/qmgr[628]: 0C6C52AACA3: from=<...>, size=3428, nrcpt=1 (queue active)
    Aug 22 21:55:46 amnesiac postfix/virtual[7634]: 0C6C52AACA3: to=<...>, orig_to=<...>, relay=virtual, delay=0.51, delays=0.51/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
    Aug 22 21:55:46 amnesiac postfix/qmgr[628]: 0C6C52AACA3: removed

> I just assume that a whole lot of mail must be sent in plain due to
> their very narrow approach?

What narrow approach is that?

Some of the larger outsourced email security services act in part
like transparent proxies, mirroring the features of the sending
client to the receiving system, so if the origin employs STARTTLS,
so does the proxy.  Thus not all the mail I've received from them
is TLS protected, but most is.  And indeed for my limited sample
use of TLS seems to correlate with the sender domain.

-- 
        Viktor.
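An added example, not part of Viktor's message: the observation that TLS use on inbound mail from such a proxy correlates with the sender domain can be checked from the Postfix smtpd/qmgr log lines shown above. The script below parses constructed sample lines modelled on that excerpt (the sender addresses and the second and third sessions are invented), tracks per-smtpd-process TLS state so that a reused process serving a later cleartext session is not miscounted, and tallies TLS vs cleartext deliveries per envelope-sender domain.

```python
import re
from collections import defaultdict

# Constructed sample Postfix log lines modelled on the excerpt above (not real traffic).
SAMPLE_LOG = """\
Aug 22 21:55:45 amnesiac postfix/smtpd[28468]: connect from mail1.bemta8.messagelabs.com[216.82.243.197]
Aug 22 21:55:45 amnesiac postfix/smtpd[28468]: Anonymous TLS connection established from mail1.bemta8.messagelabs.com[216.82.243.197]: TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 22 21:55:46 amnesiac postfix/smtpd[28468]: 0C6C52AACA3: client=mail1.bemta8.messagelabs.com[216.82.243.197]
Aug 22 21:55:46 amnesiac postfix/qmgr[628]: 0C6C52AACA3: from=<alice@example.org>, size=3428, nrcpt=1 (queue active)
Aug 22 22:01:02 amnesiac postfix/smtpd[28470]: connect from mail2.bemta8.messagelabs.com[216.82.243.198]
Aug 22 22:01:03 amnesiac postfix/smtpd[28470]: 1D7E52AACB0: client=mail2.bemta8.messagelabs.com[216.82.243.198]
Aug 22 22:01:03 amnesiac postfix/qmgr[628]: 1D7E52AACB0: from=<bob@example.net>, size=1200, nrcpt=1 (queue active)
Aug 22 22:05:10 amnesiac postfix/smtpd[28468]: connect from mail3.bemta8.messagelabs.com[216.82.243.199]
Aug 22 22:05:11 amnesiac postfix/smtpd[28468]: 2E8F52AACC1: client=mail3.bemta8.messagelabs.com[216.82.243.199]
Aug 22 22:05:11 amnesiac postfix/qmgr[628]: 2E8F52AACC1: from=<carol@example.org>, size=900, nrcpt=1 (queue active)
"""

RE_CONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: connect from (\S+)")
# Postfix logs "Anonymous", "Untrusted", "Trusted" or "Verified" TLS connection established
RE_TLS = re.compile(r"postfix/smtpd\[(\d+)\]: (\w+) TLS connection established from \S+: (\S+) with cipher (\S+)")
RE_CLIENT = re.compile(r"postfix/smtpd\[(\d+)\]: ([0-9A-F]+): client=(\S+)")
RE_FROM = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")

def parse_postfix_log(text):
    """Return {queue_id: {client, tls, protocol, cipher, sender}} from Postfix log lines."""
    session = {}   # smtpd pid -> state of the connection that process is currently serving
    messages = {}  # queue id -> record
    for line in text.splitlines():
        if m := RE_CONNECT.search(line):
            # A reused smtpd process starts a new session: reset its TLS state.
            session[m.group(1)] = {"client": m.group(2), "tls": None, "protocol": None, "cipher": None}
        elif m := RE_TLS.search(line):
            s = session.setdefault(m.group(1), {"client": None})
            s.update(tls=m.group(2), protocol=m.group(3), cipher=m.group(4))
        elif m := RE_CLIENT.search(line):
            s = session.get(m.group(1), {"tls": None, "protocol": None, "cipher": None})
            messages[m.group(2)] = dict(s, client=m.group(3), sender=None)
        elif m := RE_FROM.search(line):
            if m.group(1) in messages:
                messages[m.group(1)]["sender"] = m.group(2)
    return messages

def tls_by_sender_domain(messages):
    """Count TLS-protected vs cleartext deliveries per envelope-sender domain."""
    counts = defaultdict(lambda: [0, 0])  # domain -> [tls, plain]
    for rec in messages.values():
        domain = rec["sender"].rsplit("@", 1)[-1].lower() if rec["sender"] else "<>"
        counts[domain][0 if rec["tls"] else 1] += 1
    return dict(counts)

if __name__ == "__main__":
    for domain, (tls, plain) in sorted(tls_by_sender_domain(parse_postfix_log(SAMPLE_LOG)).items()):
        print(f"{domain}: tls={tls} plain={plain}")
```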
