Re: Password issue

2019-10-12 Thread John Tulp via dovecot 
And what i meant to say by "no security" is no encryption on port 25,
sending and receiving from other MTA.

On Sat, 2019-10-12 at 18:43 -0600, @lbutlr via dovecot wrote:
> On Oct 12, 2019, at 8:10 AM, johnt...@tulpex.com wrote:
> > I run my mail server with no security. 
> 
> This is extremely foolish and your “reasons” are even more foolish. If you 
> allow unauthenticated users to send mail from your server then you *will* be 
> blacklisted, and rightly so.
> 
> (For example, it is trivial to get a free and automated certificate for your 
> server that allows you to encrypt all of your connections).
> 
>

Re: Password issue

2019-10-12 Thread John Tulp via dovecot 
I am the only user and I can only connect my mail client from 1 ip
address.


On Sat, 2019-10-12 at 18:43 -0600, @lbutlr via dovecot wrote:
> On Oct 12, 2019, at 8:10 AM, johnt...@tulpex.com wrote:
> > I run my mail server with no security. 
> 
> This is extremely foolish and your “reasons” are even more foolish. If you 
> allow unauthenticated users to send mail from your server then you *will* be 
> blacklisted, and rightly so.
> 
> (For example, it is trivial to get a free and automated certificate for your 
> server that allows you to encrypt all of your connections).
> 
>

Re: Password issue

2019-10-12 Thread John Tulp via dovecot 
See comment in context below:

On Fri, 2019-10-11 at 19:26 -0600, @lbutlr via dovecot wrote:
> On Oct 11, 2019, at 2:00 PM, Joseph Tam  wrote:
> > On Fri, 11 Oct 2019, @lbutlr wrote:
> > 
>  Oct 09 16:02:50 imap-login: Info: Aborted login (auth failed, 5 attempts 
>  in 33 secs): user=, xx.xx.xx.xx, PLAIN, TLS
> >> 
> >> This turns out to have been caused by the MUA attempting to connect to
> >> port 25 (despite clearly showing port 587 in the MUA settings).  Thanks
> >> to Mac/iOS account syncing, merely trying to change the port never
> >> seemed to work, but removing the account entirely and recreating it got
> >> it to connect to port 587 as configured.
> > 
> > Yes, MacOSX Mail.app seems to bumble around, even ignoring your
> > port settings to find the "correct" configuration.  (This happens,
> > for example, when there is a transient network problem).  You need to
> > disable "Automatically manage connections" to stop these mail readers
> > from wandering around and strictly use your settings.
> 
> There is no such setting in iOS or iPadOS though, and setting the explicit 
> port for SMTP and.or IMAP advanced settings didn’t change the port it 
> actually tried connecting go until I removed the account and re-added it.
> 
> No problems on iOS 12 or macOS 10.14 so far.
> 
> > This behaviour can be exploited to grab credentials using a MITM attacks,
> > by convincing MacOSX clients that the target server does not support
> > SSL/TLS, then providing a cleartext listener or proxy.
> 
> I have filed a suggestion to have a setting for never connecting to a mail 
> server without security, but nothing so far. Perhaps I should refile it as a 
> critical security flaw?
> 
> 
I run my mail server with no security.  So-called security provides only
a false sense of security, as state-sponsored attacks are beyond the
ability of small organizations to prevent, since encryption to them is
easy to understand with thousands of employees working on it, where for
the lay person it's virtually impossible to understand well enough to
thwart state-sponsored attacks that compromise the encryption configured
on the lay person's machine.  Once encryption is compromised, the lay
person's machine would be at the mercy of the attacker.  In fact, I just
received an attack email this week which revealed that one of my
friend's address book was used, thus I knew his machine had been
compromised.  Of course he had no idea, had difficulty even believing
what I said was true, etc., but I digress.

If I do not rely on a third party to issue a certificate to permit me to
run my mail server, I can run my mail server according to my own policy.
If I need to get a cert from a third party, I am subject to their
policies.  If a nation-state wishes to prevent a person from running
their own web server, denying a digital cert would accomplish that if
the digital cert were required.  We've seen in the news frequently how
many large tech companies are quite willing to do the bidding of
governments.  Digital certs are nothing more than leading down the path
of total state censorship, as well as the very dangerous path of given
deep-pocketed actors the ability to fake/break certs and create false
transactions that for the innocent people involved become
non-repudiable.

How does one run a mail server without implementing security, that is -
how do I know that senders sending me email are who they say they are ?

Simple answer: I don't care who they are.  I simply use my firewall to
ban rogue IP's, even whole ranges of rogue IP's.  MY policy is to assign
RESPONSIBILITY to public IP addresses.  If an IP address does not behave
ethically towards my server, I simply DROP all packets between me and
them.  (Interestingly, every time I run my scripts and ban all the
current bad actors, the attacks in general slow way down - which proves
that the rogue IPs on not all acting independently).

This approach works extremely well, especially since SO MANY
datacenters, both in the US and in other countries simply laugh off
abuse reports.  Thus we can see that THEY are SUPPORTING rogue activity
on the internet.  Without this support, the rogue activity could not
continue.  Case in point: providers of mobile phone networks do not do
proper EGRESS filtering from THEIR cell phone networks, otherwise, they
would NOT ALLOW mobile phones on their network to pretend to be mail
servers (MTA) and send packets to DEST PORT 25, when they should be
using MAIL CLIENT ports.  Thus, mobile providers provide support for
hacking that they very easily could drop support for by doing proper
egress filtering.  Not to mention, if they see such activity, they could
NOTIFY their CUSTOMER that their phone was probably hacked !  What a
great service for their customers.  But, sadly, they simply do not do
egress filtering.  Of course, allowing submits at all on port 25 is the
root of the problem, but we'll be careful to not fix the real issue and
simply move mail relay to it's

Re: regarding ssl certificates

2019-03-14 Thread John Tulp via dovecot 


On Thu, 2019-03-14 at 15:08 +0100, Stephan von Krawczynski via dovecot
wrote:
> On Thu, 14 Mar 2019 09:51:14 -0400
> Phil Turmel via dovecot  wrote:
> 
> > On 3/14/19 7:40 AM, Stephan von Krawczynski via dovecot wrote:
> > 
> > > Sorry I have to write this, but this is again pointing people in a fake
> > > security direction.  
> > 
> > You should be sorry, because you are wrong.
> > 
> > > The only valid authority for a certificate is the party using it. Any 
> > > third
> > > party with unknown participants cannot be a "Certificate Authority" in its
> > > true sense. This is why you should see "Let's Encrypt" simply as a cheap
> > > way to fake security. It is a US entity, which means it _must_ hand out 
> > > all
> > > necessary keys to fake certificates to the US authorities _by law_.  
> > 
> > Certificate authorities, including Let's Encrypt, operate on Certificate 
> > Signing Requests, not Private Keys.  Some CAs do offer private key 
> > generation in their services for the user's convenience, but it is not 
> > recommended (obviously) and in no way required.  Getting a CA to sign a 
> > CSR in no way exposes keys to that CA, and therefore not to any government.
> > 
> > While there are weakness in the CA trust system, they aren't anything 
> > related to replacing a snakeoil cert with one from Let's Encrypt.
> > 
> > [rest of ignorant rant trimmed]
> 
> Some facts for you, as obviously you have not understood what a CA is worth
> that is compromised by either hackers or "authorities".
> If you want to know more, read articles about closing of CA DigiNotar, like:
> https://en.wikipedia.org/wiki/DigiNotar
> 
> Then read US export laws concerning security devices.
> Then judge your US-issued certs...
>  
> > Phil
> 
I concur Stephan; I apologize to others if I seem ignorant.

Just an FYI, a founder of Let's Encrypt, and host of it's website is
Akamai, which also hosts nsa.gov, cia.gov, etc.  Akami principal
founders were a US guy and a US/Israeli spy guy.

I once did a traceroute on the mailserver that sent me an email (from a
bank); the route went over to Europe, to Virginia, back to Europe, then
back to me (in the US).  It made me laugh it was so obvious.  The bank's
service provider that provided the email service ?  Akamai.

Any time you're using the "internet", well, let's just say that many
very intelligent people are quite naive when it comes to internet
security.

Encryption is just really not that much of a barrier any more.

Developers are always told "don't roll your own encryption".  Well, to
even set up encryption software (algo selection, etc.), it's something
that is beyond most of us.  I always try to do at least some minimal
research to see "what's what", and with encryption it always boils down
to having very low confidence that what I'm setting up would take more
than a few minutes for a serious "invader" to totally break through.

Encryption is being used to promote a false sense of security.

It could only be more obvious if NSA directly sold certificates
themselves.  I'm sure there would be many very intelligent folks who
would happily purchase them and think they were the greatest thing since
sliced bread.

To close rant, in my humble opinion sure, encrypt if you like, give it
your best effort, but don't assume that anything is "secure".