OS3 | SMTP

SMTP Health Campaign

gaster doctor

Dear postmasters

As of January 2020, the large majority of SMTP servers are still not enforcing STARTTLS against either DANE or valid SSL certificate chains, which is a problem, since email messages are supposedly private.

This is not like serving read-only public websites over clear-text HTTP. It is worse than that: it is private communication over the public network, either in clear text or with unauthenticated encryption (meaning someone in the middle can impersonate the receiver).

Surveys

Mitigation

MX/server setup

Note: you do not necessarily have to go down the painful route of DNSSEC and DANE.

Relay/client setup

Are you from the future?

Resources

TLSA Record Generator https://ssl-tools.net/tlsa-generator

CryptCheck https://tls.imirhil.fr/

A system for ensuring & authenticating STARTTLS encryption between mail servers https://github.com/EFForg/starttls-everywhere


Innopolis University