SMTP Health Campaign

Email is dying, and for a good reason: SMTP is left insecure all around the world.

Dear postmasters

As of 2021, the large majority of SMTP servers still do not enforce STARTTLS against either DANE or a valid SSL (PKIX) certificate chain. This is a problem, since email messages are supposed to be confidential. Opportunistic STARTTLS is defeated by a MITM attack that simply downgrades the session to plain text.

And even those outbound MTAs which do enforce STARTTLS mostly don't verify the PKIX certificate presented by the MX. This is just as easy to defeat: the man in the middle simply offers an invalid certificate.

Let us simply enforce inbound / outbound STARTTLS and MX certificate validation, shall we?

Proposed practice

As an email user, you can signal that your email is secured by referring to this page, for example by writing your address as user@example.net (STARTTLS).

As a postmaster, you can link to this page to make clear to other postmasters that they need to enable crypto, for example in the rejection message your MX returns to plain-text clients:

530 5.7.0 Must issue a STARTTLS command first (https://nethence.com/smtp/)

As an MX:

As an outbound MTA:
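The following Postfix main.cf fragment is an added example, not the campaign page's own configuration, showing the opportunistic setting beside the enforced one for both roles: the inbound MX (which then returns the 530 response quoted above to plain-text clients) and the outbound MTA (which authenticates the destination via DANE, falling back to PKIX verification for listed domains). The certificate paths, the CA bundle path and the example.net / example.org domains are assumptions; Postfix does not allow trailing comments on a value line, so every comment stands on its own line.

```ini
# Postfix main.cf fragment (added example, not the campaign's own config).
# All file paths and domains below are assumptions for illustration.

# ---- Inbound: this host as an MX ----
# Weak default: opportunistic TLS, a downgrade to plain text is accepted.
#smtpd_tls_security_level = may

# Enforced: clients must issue STARTTLS before MAIL FROM; plain-text senders
# are rejected with "530 5.7.0 Must issue a STARTTLS command first".
smtpd_tls_security_level = encrypt
# Assumed certificate and key locations.
smtpd_tls_cert_file = /etc/ssl/certs/mx.example.net.fullchain.pem
smtpd_tls_key_file = /etc/ssl/private/mx.example.net.key
smtpd_tls_loglevel = 1

# ---- Outbound: this host as a sending MTA ----
# Weak default: "may" encrypts when offered and never checks the certificate,
# so a MITM can strip STARTTLS or present any certificate it likes.
#smtp_tls_security_level = may

# "dane": when the destination publishes usable TLSA records under DNSSEC,
# TLS is mandatory and the MX certificate is authenticated via DANE.
# Without usable TLSA records Postfix falls back to opportunistic "may",
# which is why the per-destination policy map below exists.
smtp_tls_security_level = dane
# DANE needs a trusted, DNSSEC-validating resolver (normally on localhost).
smtp_dns_support_level = dnssec
# Assumed CA bundle path, used by the "secure" / "verify" levels.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# Per-destination overrides: entries here replace the default level above,
# so listed domains get PKIX verification instead of DANE.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Contents of /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy"
# after editing). Keys are next-hop recipient domains:
#
#   example.net   secure match=.example.net:example.net
#   example.org   verify match=hostname
#
# "secure" matches the certificate against the recipient domain itself, so a
# spoofed MX record gains an attacker nothing. "verify match=hostname" only
# matches the MX host name, which is unauthenticated unless DNSSEC covers
# the MX lookup; use it only where the recipient domain's mail is hosted
# under a different name and DANE is not available.
```

Check the outcome in the mail log rather than trusting the config: with the log levels above Postfix records "Untrusted", "Trusted", "Verified" or "Anonymous" for each outbound TLS session, and a delivery deferred with "TLS is required, but was not offered" is the expected result when a downgrade is attempted against an enforced destination.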

Public network survey

Resources

THE SAD STATE OF SMTP ENCRYPTION https://blog.filippo.io/the-sad-state-of-smtp-encryption/

A system for ensuring & authenticating STARTTLS encryption between mail servers https://github.com/EFForg/starttls-everywhere

SSL tuning

POSTFIX AND STARTTLS https://pub.nethence.com/mail/postfix-tls

Let’s tune our cipher suites https://pub.nethence.com/security/ciphers

Strong Ciphers (see Other Software section) https://syslink.pl/cipherlist/

Applied Crypto Hardening https://bettercrypto.org/
