Re: [mailop] Gmail red open padlock composing message

2016-04-02 Thread Carl Byington
On Sat, 2016-04-02 at 11:42 -0500, frnk...@iname.com wrote:
> Anyone aware of email servers that take the approach that CloudFlare
> has, which is not allow the lowest common denominator or cleartext to
> be used if there's a better/more-secure cipher, but still support the
> old stuff (in CloudFlare's case, SHA-1) if that's all it can do?

> https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/

I think that is "server preference" for the cipher ordering.

https://github.com/jvehent/cipherscan

For example, gmail (on incoming mail) supports RC4-MD5 over ssl3, and
they also have the server control the cipher ordering. But please, why
do they prefer RC4-MD5/TLS1.2 over ECDHE-RSA-AES256-GCM-SHA384/TLSv1.2
?? I don't understand that. Google might know that the only clients that
ask for rc4-md5 don't support anything better.

My notes say that Outlook 2011 on Mac OS X needs sslv3/rc4-sha.

Sendmail with a modern openssl:

LOCAL_CONFIG
dnl enable sslv3 on the server side for RC4-SHA
O CipherList=...whatever you want
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

We support sslv3 on incoming connections, but not on outgoing
connections.



> I think most would agree it's better to accept receiving email from
> Exchange servers using RC4 than clear text, but that we should be
> aiming for TLSv1.1 or greater.


I agree.



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
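The "server preference" point Carl makes above is easy to get backwards, so here is an added illustration of how the ordering switch decides the outcome. This is example code written for this page, not Carl's sendmail setup or any MTA's code: the cipher-suite names are real OpenSSL names, but the server ordering and the three client offer lists are constructed, and the helpers negotiate() and rc4_is_last_resort() are illustrative, not library functions.

```python
"""Server-preference cipher negotiation, as an added illustration.

In a TLS handshake the client lists the suites it supports, in its own
order of preference, and the server picks one it also supports. Without
SSL_OP_CIPHER_SERVER_PREFERENCE the first client-listed suite the server
knows wins; with it, the first server-listed suite the client knows wins.
That switch is what lets the server enforce "best shared cipher, RC4 only
as a last resort" instead of leaving the choice to the client.
"""

# Constructed server ordering of the kind the thread asks for: forward-secret
# suites first, legacy RC4 last, so only clients offering nothing else get RC4.
SERVER_ORDER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "AES256-SHA",
    "AES128-SHA",
    "RC4-SHA",
    "RC4-MD5",
]

# Constructed client offers, each in that client's own order of preference.
MODERN_MTA = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"]
OLD_EXCHANGE = ["RC4-MD5", "RC4-SHA"]  # nothing better on offer at all
RC4_FIRST_BUT_CAPABLE = ["RC4-MD5", "RC4-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]


def negotiate(client_offer, server_order, server_preference=True):
    """Return the suite the handshake would select, or None when the two
    lists share nothing (an opportunistic-TLS sender then usually falls
    back to cleartext, which is the trade-off the thread is weighing)."""
    if server_preference:
        ordered, acceptable = server_order, set(client_offer)
    else:
        ordered, acceptable = client_offer, set(server_order)
    for suite in ordered:
        if suite in acceptable:
            return suite
    return None


def rc4_is_last_resort(server_order):
    """True if every RC4 suite sits below every non-RC4 suite, i.e. with
    server preference RC4 can only be chosen by a client that offers
    nothing else. This is the property Carl's message finds missing when
    RC4-MD5 is preferred over ECDHE-RSA-AES256-GCM-SHA384."""
    rc4 = [i for i, s in enumerate(server_order) if "RC4" in s]
    strong = [i for i, s in enumerate(server_order) if "RC4" not in s]
    if not rc4 or not strong:
        return True
    return min(rc4) > max(strong)


if __name__ == "__main__":
    for name, offer in (("modern MTA", MODERN_MTA), ("old Exchange", OLD_EXCHANGE),
                        ("RC4-first but capable", RC4_FIRST_BUT_CAPABLE)):
        print(f"{name:22} server pref: {negotiate(offer, SERVER_ORDER)}"
              f"  client pref: {negotiate(offer, SERVER_ORDER, server_preference=False)}")
    print("RC4 is last resort:", rc4_is_last_resort(SERVER_ORDER))
```

The RC4-first-but-capable client is the interesting case: with server preference it lands on ECDHE-RSA-AES256-GCM-SHA384, with client preference it gets RC4-MD5 even though both sides could do better. The old Exchange client gets RC4-SHA either way, which is exactly the "RC4 rather than cleartext" concession being discussed; whether to keep those two suites in the list at all is the policy question, not the ordering.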


Re: [mailop] Gmail red open padlock composing message

2016-04-02 Thread frnkblk
You can also try: https://sslanalyzer.comodoca.com/
Just append ":25" to the host.

Frank

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Tim Bray
Sent: Friday, April 01, 2016 3:58 AM
To: Kirk MacDonald ; mailop@mailop.org
Subject: Re: [mailop] Gmail red open padlock composing message

On 31/03/16 17:38, Kirk MacDonald wrote:
> With thanks to Google for pushing the cause, I implemented STARTTLS
> functionality on my org’s MX (as well as outbound SMTP with
> opportunistic STARTTLS).


Firstly - well done for doing it.   Everybody should be enabling TLS.

Did you test the install?

You have TLS, but there are some issues with your setup:

https://ssl-tools.net/mailservers/corp.eastlink.ca

So you need to disable the RC4 cipher.  Everybody suggests it is insecure.

Also you don't support the correct ciphers for Perfect Forward Secrecy.


I'm not sure whether this affects whether google shows the padlock or
not.  Best practice is to get it fixed.

I think ssl-tools.net is the best test for TLS mailservers.  You can
test your mail sending as well.


For webservers, use https://www.ssllabs.com/ssltest/ to test.  There is
also a tool to help make good configs at
https://mozilla.github.io/server-side-tls/ssl-config-generator/

What I've realised over the last year or so is that SSL/TLS isn't
something you can just fiddle with until it works.  If you want it
secure, across all browsers, it needs some work.

https://www.feistyduck.com/books/bulletproof-ssl-and-tls/  is an
excellent book.


Tim





Re: [mailop] Gmail red open padlock composing message

2016-04-02 Thread frnkblk
Anyone aware of email servers that take the approach that CloudFlare has, which 
is not allow the lowest common denominator or cleartext to be used if there’s a 
better/more-secure cipher, but still support the old stuff (in CloudFlare’s 
case, SHA-1) if that’s all it can do?

https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/

I think most would agree it’s better to accept receiving email from Exchange 
servers using RC4 than clear text, but that we should be aiming for TLSv1.1 or 
greater.

 

Frank

 

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Eric Henson
Sent: Friday, April 01, 2016 12:07 PM
To: mailop@mailop.org
Subject: Re: [mailop] Gmail red open padlock composing message

 

http://blogs.technet.com/b/exchange/archive/2015/07/27/exchange-tls-amp-ssl-best-practices.aspx

 

Exchange 2003 is out of support.

Exchange 2007 support ends 4/11/2017.

Exchange 2010 and later best practice is to disable RC4 and SSLv3. 

 

I’d say it may be best to leave RC4 enabled until 4/11/2017, but my PCI 
scanning vendor disagrees.

 

 

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Franck Martin via mailop
Sent: Friday, April 1, 2016 11:27 AM
To: Kirk MacDonald
Cc: mailop@mailop.org; Tim Bray
Subject: Re: [mailop] Gmail red open padlock composing message

 

RC4 is a conundrum, it is about the only cipher you can negotiate with old 
MS-Exchange, so if you disable it, then the email will go in clear text. Which 
one is better? Clear text or RC4? Or too bad for old mail servers?

 

PFS or Elliptic ciphers are asymmetric in implementation, so you need to check 
what's negotiated as a sender and as a receiver.

 

Finally it seems some systems do not fall back anymore, if you initiate 
STARTTLS and can't negotiate it, then you can't send email in clear text.

 

And then look at SMTP STS

 

On Fri, Apr 1, 2016 at 6:00 AM, Kirk MacDonald wrote:

Whoops, I fully intended to audit the available ciphers; clearly I missed doing 
that. Should be OK now.

Tragically, PFS is not (yet) supported on the TLS mechanism I am making use of. 
I hope to be able to change that in the somewhat near future.


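Tim's advice to test the install, and Franck's point that you have to check what is negotiated as a receiver and as a sender separately, both come down to looking at the actual handshake result rather than the configuration. The following is an added example for the receiving side, not code from the thread or from ssl-tools.net: it drives the real `openssl s_client` command (the -connect, -starttls smtp and -cipher options exist in every OpenSSL release) against your own MX, parses the Protocol and Cipher lines it prints, and grades the result against the bar the thread settles on (no RC4, forward secrecy, TLS 1.1 or newer). The sample outputs are constructed and abbreviated; parse_s_client(), assess() and probe() are illustrative helpers.

```python
"""Probe what an MX actually negotiates over STARTTLS (added example)."""
import re
import subprocess

# Constructed: tail of a successful s_client run against a well-configured MX.
SAMPLE_GOOD = """\
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

# Constructed: the server accepted an RC4-only offer over TLS 1.0.
SAMPLE_RC4 = """\
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is RC4-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
"""

# Constructed: handshake refused; s_client leaves a zero cipher id in the
# session block, so the Protocol line alone must not be trusted.
SAMPLE_REFUSED = """\
CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def parse_s_client(output):
    """Return (protocol, cipher) from the SSL-Session block, or (None, None)
    when no session was established."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if not proto or not cipher or cipher.group(1) in ("0000", "(NONE)"):
        return None, None
    return proto.group(1), cipher.group(1)


def assess(protocol, cipher):
    """List of findings against the thread's bar; empty means it was met."""
    if cipher is None:
        return ["no TLS session"]
    findings = []
    if "RC4" in cipher:
        findings.append("RC4 cipher")
    # TLS 1.3 suites are always forward secret but carry no key-exchange prefix.
    if protocol != "TLSv1.3" and not cipher.startswith(FORWARD_SECRET_PREFIXES):
        findings.append("no forward secrecy")
    if protocol in ("SSLv3", "TLSv1"):
        findings.append("protocol below TLSv1.1")
    return findings


def probe(host, port=25, extra_args=(), timeout=20):
    """Run openssl s_client with STARTTLS against host:port and assess the
    result. extra_args narrows what the client offers, e.g. ("-cipher", "RC4")
    asks whether the server still accepts RC4 from a client offering nothing
    else. Note that default OpenSSL 1.1.0+ builds no longer include RC4 at
    all, so that probe needs a 1.0.x openssl or a build with RC4 enabled."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-starttls", "smtp", *extra_args]
    proc = subprocess.run(cmd, input=b"QUIT\r\n", capture_output=True, timeout=timeout)
    protocol, cipher = parse_s_client(proc.stdout.decode(errors="replace"))
    return protocol, cipher, assess(protocol, cipher)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for label, args in (("default offer", ()), ("RC4 only", ("-cipher", "RC4"))):
        protocol, cipher, findings = probe(host, extra_args=args)
        print(f"{label:14} {protocol} {cipher} {findings or 'ok'}")
```

Run it as `python3 probe.py mx.example.net` (hostname assumed) from a machine that can reach port 25. The default offer shows the best the server will do with a capable client; the RC4-only offer shows whether it will still take RC4 from a client that offers nothing else, which is the fallback behaviour the thread is debating. This covers the receiving direction only; for what you negotiate as a sender you need your MTA's outbound TLS log lines or an external test that receives mail from you, such as the one Tim mentions at ssl-tools.net.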