Gentoo Forums
MTA Port 25 Security
Forum: Networking & Security
skiwarz
Tux's lil' helper
Joined: 23 Feb 2014
Posts: 128

Posted: Wed Aug 27, 2014 2:12 am    Post subject: MTA Port 25 Security

I'm setting up my own email server, and I've "discovered" something strange. From what I understand, mail transfer agents (MTAs) communicate with each other only on port 25. SMTP is unsecured, leading me to understand that messages could be plainly read if you captured the data.
I'm aware that ports 587 and 465 are used when transferring messages between the email client and the server. But between MTAs, is there any security?

The only reasonable way I see to secure mail in this case is to encrypt it with pre-shared keys, but that would make things terribly difficult in most emailing situations.
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7048
Location: almost Mile High in the USA

Posted: Wed Aug 27, 2014 2:35 am

Yeah, that's the way it goes. People should be relying on end-to-end encryption anyway (e.g. GPG) versus encrypted links, especially if that server needs to relay and it would thus need to have all keys to other machines contacted.

One would hope the servers are on 'secure' networks but the NSA will get you anyway... Lots of other forms of communication out there, just don't choose a relaying service.
papahuhn
l33t
Joined: 06 Sep 2004
Posts: 623

Posted: Thu Aug 28, 2014 5:50 am

MTAs can use STARTTLS.
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1717

Posted: Thu Aug 28, 2014 7:57 pm

Oh, I bet MTAs can use TLS.
Still, as long as you don't control every single point along the line you must assume the line is not secure (even with TLS, the server itself can see the content of the message).
For messages you want to keep private it's pretty much "go GPG or go home".

The bright side is that setting up GPG is easy.
The dark side is that making the other guy set it up (and use it) is not.
skiwarz
Tux's lil' helper
Joined: 23 Feb 2014
Posts: 128

Posted: Fri Aug 29, 2014 2:59 pm

They can use STARTTLS over port 25? Better question - Do any major MTAs (gmail, yahoo, hotmail, etc) actually use STARTTLS for this type of connection? Should I even bother setting up my server to use it for MTA-MTA communication?
papahuhn
l33t
Joined: 06 Sep 2004
Posts: 623

Posted: Fri Aug 29, 2014 6:13 pm

skiwarz wrote:
They can use STARTTLS over port 25? Better question - Do any major MTAs (gmail, yahoo, hotmail, etc) actually use STARTTLS for this type of connection? Should I even bother setting up my server to use it for MTA-MTA communication?
Code:
me@nexus:~ netcat alt2.gmail-smtp-in.l.google.com 25
220 mx.google.com ESMTP d8si1220911pat.120 - gsmtp
EHLO nexus
250-mx.google.com at your service, [1.2.3.4]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-CHUNKING
250 SMTPUTF8

me@nexus:~ netcat mta6.am0.yahoodns.net 25
220 mta1572.mail.ne1.yahoo.com ESMTP ready
EHLO nexus
250-mta1572.mail.ne1.yahoo.com
250-PIPELINING
250-SIZE 41943040
250-8BITMIME
250 STARTTLS


It won't hurt if you allow TLS to be used.
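The netcat session above is the manual version of a check worth scripting when you run your own MTA. What follows is an added example, not code from the thread or from any of the servers shown: it parses an EHLO reply and reports whether the peer advertises the STARTTLS extension (RFC 3207), using the two transcripts quoted in the post as sample input plus a constructed transcript of a server that offers no STARTTLS. The live probe at the end reproduces the netcat session over a socket; the EHLO name "probe.example.net" is a placeholder, and the probe needs network access, so it is not part of the offline checks. Note what this check does and does not tell you: "250-STARTTLS" only means the peer is willing to encrypt. Unless the sending side enforces TLS (per-destination policy, or DANE as mentioned later in the thread), an active attacker on the path can strip that line and the sender will happily fall back to plaintext.

```python
"""
Added example (not from the forum thread): detect whether an SMTP server on
port 25 advertises STARTTLS, first offline from captured EHLO replies, then
optionally with a live probe that mirrors the netcat session in the post.
"""
import socket

# Sample input 1 and 2: the EHLO replies quoted in the post above (Google and
# Yahoo inbound MX, as captured in 2014).
GOOGLE_EHLO = """220 mx.google.com ESMTP d8si1220911pat.120 - gsmtp
250-mx.google.com at your service, [1.2.3.4]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-CHUNKING
250 SMTPUTF8
"""

YAHOO_EHLO = """220 mta1572.mail.ne1.yahoo.com ESMTP ready
250-mta1572.mail.ne1.yahoo.com
250-PIPELINING
250-SIZE 41943040
250-8BITMIME
250 STARTTLS
"""

# Sample input 3: a constructed reply from a server that offers no STARTTLS.
PLAIN_EHLO = """220 mail.example.org ESMTP
250-mail.example.org
250-SIZE 10240000
250 8BITMIME
"""


def parse_ehlo(transcript: str) -> dict:
    """Parse a 220 banner plus an EHLO reply into a dict.

    RFC 5321 multi-line replies use "250-" for continuation lines and "250 "
    for the last line. The first 250 line carries the server name; each later
    line is an extension keyword with optional parameters. Keywords are
    case-insensitive, so they are normalised to upper case.
    """
    banner = None
    host = None
    extensions = {}
    for line in transcript.splitlines():
        line = line.rstrip("\r")
        if line.startswith("220"):
            banner = line[4:]
            continue
        if not line.startswith("250"):
            continue  # ignore anything that is not part of the EHLO reply
        body = line[4:]  # strip "250-" or "250 "
        if host is None:
            host = body.split()[0] if body else ""
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params
    return {"banner": banner, "host": host, "extensions": extensions}


def offers_starttls(transcript: str) -> bool:
    """True if the EHLO reply advertises the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(transcript)["extensions"]


def _read_reply(rfile) -> str:
    """Read one complete SMTP reply (all continuation lines plus the last)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace")
        lines.append(line)
        if len(line) >= 4 and line[3] == " ":
            break  # "NNN " (space after the code) ends the reply
    return "".join(lines)


def probe_starttls(mx_host: str, timeout: float = 10.0) -> bool:
    """Live check against an MX host on port 25 (needs network access).

    Sends EHLO, reads the reply and returns whether STARTTLS is offered. It
    does not perform the TLS handshake itself; smtplib.SMTP(...).starttls()
    is the next step if you want to inspect the certificate as well.
    """
    with socket.create_connection((mx_host, 25), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        transcript = _read_reply(rfile)            # 220 banner
        sock.sendall(b"EHLO probe.example.net\r\n")  # placeholder EHLO name
        transcript += _read_reply(rfile)           # 250-... reply
        sock.sendall(b"QUIT\r\n")
        return offers_starttls(transcript)


if __name__ == "__main__":
    for name, sample in (("google", GOOGLE_EHLO), ("yahoo", YAHOO_EHLO), ("plain", PLAIN_EHLO)):
        print(f"{name}: STARTTLS offered = {offers_starttls(sample)}")
```

Run it against a real MX with `probe_starttls("alt2.gmail-smtp-in.l.google.com")` from a host whose outbound port 25 is not blocked by the ISP; many residential connections filter it, which shows up here as a timeout rather than a "no STARTTLS" result.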
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1717

Posted: Fri Aug 29, 2014 6:26 pm

Actually, it's pretty hard to make your server forward emails to other servers. They often simply refuse to talk.
In the best case you need correct DNS records. In many others you must be on their whitelist (yeah, pretty dumb spam filter).
TLS between servers is a minor issue and of little benefit, since there are still weak points along the line.
skiwarz
Tux's lil' helper
Joined: 23 Feb 2014
Posts: 128

Posted: Fri Aug 29, 2014 7:44 pm

Hmm... Yeah, I'm able to send and receive mail from Google, Microsoft, and Yahoo addresses (that's all I've tested with). I guess that's pretty fortunate, since I haven't done much to set it up. Maybe I'll just forget about MTA-MTA security then. Thanks for the help.
Duncan Mac Leod
Apprentice
Joined: 02 May 2004
Posts: 251
Location: Germany

Posted: Sat Aug 30, 2014 1:57 pm

We are using DNSSEC and DANE (https://www.tlsa.info/ for testing) as additional security...

http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
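DANE is the piece that turns the opportunistic STARTTLS discussed earlier into something an active attacker cannot silently downgrade: the receiving domain publishes a TLSA record at `_25._tcp.<mx-hostname>` under DNSSEC, and a DANE-aware sender refuses to deliver unless the certificate presented during STARTTLS matches it. The following is an added example, not code from the thread or from any DANE implementation. It shows how the most common SMTP record type ("3 1 1": DANE-EE usage, SubjectPublicKeyInfo selector, SHA-256 matching) is derived from a public key, and how a sender checks a presented key against the record set. The SPKI bytes are a constructed DER blob in the Ed25519 SubjectPublicKeyInfo layout with a placeholder key, used only so the code runs offline; the owner name `mx.example.net` is hypothetical.

```python
"""
Added example (not from the forum thread): generate and verify TLSA records
as used by DANE for SMTP (RFC 7672). Usage 3 / selector 1 / matching type 1
is the form most deployments publish; the verifier side below handles only
usage 3 (DANE-EE), because usage 2 (DANE-TA) needs the certificate chain,
which this example does not walk.
"""
import hashlib

# Constructed DER SubjectPublicKeyInfo in the Ed25519 layout of RFC 8410:
#   SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING { 0x00 || 32 key bytes } }
# The 32 "key" bytes are a placeholder pattern, not a real key.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))

TLSA_OWNER = "_25._tcp.mx.example.net."  # hypothetical MX hostname


def tlsa_rdata(spki: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-format rdata ("usage selector mtype hexdata") for a TLSA record.

    RFC 7672 restricts SMTP to usage 2 or 3. Only selector 1 (SPKI) is handled
    here; matching type 0 (raw data) is allowed but discouraged for SMTP, 1 is
    SHA-256 and 2 is SHA-512.
    """
    if usage not in (2, 3):
        raise ValueError("RFC 7672 permits only usage 2 (DANE-TA) or 3 (DANE-EE) for SMTP")
    if selector != 1:
        raise ValueError("this example handles only selector 1 (SubjectPublicKeyInfo)")
    if mtype == 0:
        assoc = spki.hex()
    elif mtype == 1:
        assoc = hashlib.sha256(spki).hexdigest()
    elif mtype == 2:
        assoc = hashlib.sha512(spki).hexdigest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return f"{usage} {selector} {mtype} {assoc}"


def parse_tlsa_rdata(rdata: str):
    """Split rdata into (usage, selector, mtype, hexdata); hex is lower-cased.

    Zone files may break the hex string across whitespace, so everything after
    the third field is joined back together.
    """
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("malformed TLSA rdata")
    usage, selector, mtype = (int(p) for p in parts[:3])
    return usage, selector, mtype, "".join(parts[3:]).lower()


def spki_matches_tlsa(rdata: str, presented_spki: bytes) -> bool:
    """Does the SPKI presented in the STARTTLS handshake satisfy this record?

    This is the comparison a DANE-enabled sender makes after a DNSSEC-validated
    TLSA lookup: recompute the association data from the presented key and
    compare it with the published value. Records this checker cannot use
    (usage 2, other selectors, unknown matching types) count as non-matching.
    """
    usage, selector, mtype, assoc = parse_tlsa_rdata(rdata)
    if usage != 3 or selector != 1:
        return False
    try:
        expected = tlsa_rdata(presented_spki, usage, selector, mtype).split()[3]
    except ValueError:
        return False
    return expected == assoc


def any_tlsa_matches(rrset, presented_spki: bytes) -> bool:
    """A TLSA RRset is satisfied if at least one usable record matches."""
    return any(spki_matches_tlsa(r, presented_spki) for r in rrset)


if __name__ == "__main__":
    record = tlsa_rdata(SAMPLE_SPKI)
    print(f"{TLSA_OWNER} IN TLSA {record}")
    print("presented key matches:", spki_matches_tlsa(record, SAMPLE_SPKI))
```

Two caveats that the code cannot express: the TLSA lookup must come from a DNSSEC-validating resolver and the answer must carry the AD bit, otherwise an attacker who can spoof DNS can simply remove the record and the sender degrades to opportunistic TLS; and when you rotate the MX key you publish the new "3 1 1" record alongside the old one before switching certificates, since a mismatch causes senders to defer mail rather than fall back. The tlsa.info checker linked in the post above tests exactly these things against a live domain.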
nativemad
Developer
Joined: 30 Aug 2004
Posts: 901
Location: Switzerland

Posted: Sat Aug 30, 2014 4:21 pm

You could also force Postfix to only allow TLS-encrypted traffic...
See http://www.postfix.org/postconf.5.html#smtp_tls_security_level
Cheers
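To make the smtp_tls_security_level pointer concrete, here is an added main.cf fragment (not from the post, not from the Postfix documentation, and not a complete configuration) that puts the opportunistic setting next to the enforcing ones. Certificate paths, the hostname mx.example.net and the policy-map path are placeholders. Postfix main.cf does not support trailing comments, so every comment sits on its own line.

```ini
# Inbound (smtpd): offer STARTTLS to MTAs that connect to us on port 25.
# "may" announces STARTTLS and accepts plaintext from peers that do not use it.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/postfix/mx.example.net.crt
smtpd_tls_key_file = /etc/ssl/postfix/mx.example.net.key
smtpd_tls_loglevel = 1

# Outbound (smtp client), opportunistic: encrypt when the remote MX advertises
# STARTTLS, fall back to plaintext when it does not, never verify the peer.
# This is the weak but deliverable default most sites run.
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# Outbound, hardened (Postfix 2.11 or later): use DANE where the destination
# publishes DNSSEC-signed TLSA records and opportunistic TLS everywhere else.
# Requires a DNSSEC-validating resolver in /etc/resolv.conf; without one
# Postfix cannot see the AD bit and silently degrades to "may".
# smtp_dns_support_level = dnssec
# smtp_tls_security_level = dane
# smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Per-destination overrides: mandatory TLS only where you know the peer
# supports it. A global "encrypt" level would bounce all mail to sites that do
# not offer STARTTLS, which is why the Postfix docs discourage it for general
# Internet delivery. The lookup table maps a next-hop domain to a level, e.g.
#   partner.example    secure
#   example.com        encrypt
# and is compiled with: postmap /etc/postfix/tls_policy
# smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
```

After changing any of these, `postfix reload` and watch the mail log: with smtp_tls_loglevel = 1 every outbound delivery logs whether it used "Untrusted", "Trusted", "Verified" or, for DANE, "Verified TLS connection established to ..." and, at the "may" level, which destinations silently went out in plaintext.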