Re: [dane] SMTP STARTTLS stripping in the wild

Paul Wouters <> Fri, 14 November 2014 01:11 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 49AAE1A1ABB for <>; Thu, 13 Nov 2014 17:11:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.594
X-Spam-Status: No, score=-2.594 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.594] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id N2l9sMTqQyyG for <>; Thu, 13 Nov 2014 17:11:21 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 52BE81A1ACF for <>; Thu, 13 Nov 2014 17:11:18 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 17710817C1; Thu, 13 Nov 2014 20:11:17 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1415927477; bh=r9KrJbULz9hDIcsg980tIHKH6spqLtbPmi5IhUyZjUE=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=g47fpg9TclV57G2eL7u0L8c2Hjw4F0xNRX9ZvK04tzigYsBYLCxLC31kj7L2lv3zE qbX/So2QZyUQm0sjuboNeWWQNN3i1nhi4cfgNzl/+ARDSQ8Y1Wjb8L2lcw0Y9xNptO WceG+9Uj3H4BHaHesWhvXv4DojIvGGevRFBw4Sdg=
Received: from localhost (paul@localhost) by (8.14.7/8.14.7/Submit) with ESMTP id sAE1BGES004815; Thu, 13 Nov 2014 20:11:16 -0500
X-Authentication-Warning: paul owned process doing -bs
Date: Thu, 13 Nov 2014 20:11:16 -0500 (EST)
From: Paul Wouters <>
To: John Levine <>
In-Reply-To: <20141114004313.8557.qmail@ary.lan>
Message-ID: <>
References: <20141114004313.8557.qmail@ary.lan>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8BIT
Subject: Re: [dane] SMTP STARTTLS stripping in the wild
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 14 Nov 2014 01:11:30 -0000

On Thu, 14 Nov 2014, John Levine wrote:

>> 	"In recent months, researchers have reported ISPs in the US and Thailand
>> 	 intercepting their customers' data to strip a security flag—called
>> 	 STARTTLS—from email traffic."
>> Thanks to Viktor, properly configured postfix clients deployed with DANE should
>> detect this and refuse to send the email unencrypted.
> This is an anti-spam measure on port 25 traffic on a few mobile
> networks.

With friends like these,....

It's time for opportunistic encryption to kick in against "helpful"
rewriting of people's packets.

This also fits in with today's human rights presentation at SAAG. This
kind of downgrade attack would be candy for oppressive regimes.

> I expect there aren't a lot of copies of Postfix running
> on mobile devices.  For all those other mobile users, if they're
> configured correctly they're submitting over port 587 or 465, and
> nobody tries to filter that.

You are wrongly assuming all must clients relay via another location.
(yes I know, you say reality, I say morality)