Re: [dane] SMTP STARTTLS stripping in the wild

Viktor Dukhovni <> Fri, 14 November 2014 02:27 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 047671A019B for <>; Thu, 13 Nov 2014 18:27:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZlRJb20Im2xj for <>; Thu, 13 Nov 2014 18:27:17 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C1C061A017C for <>; Thu, 13 Nov 2014 18:27:17 -0800 (PST)
Received: by (Postfix, from userid 1034) id 741A8284AD6; Fri, 14 Nov 2014 02:27:16 +0000 (UTC)
Date: Fri, 14 Nov 2014 02:27:16 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <20141114004313.8557.qmail@ary.lan> <> <2CCB417DB294C9CC79C32DC1@96B2F16665FF96BAE59E9B90>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <2CCB417DB294C9CC79C32DC1@96B2F16665FF96BAE59E9B90>
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: Re: [dane] SMTP STARTTLS stripping in the wild
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 14 Nov 2014 02:27:20 -0000

On Thu, Nov 13, 2014 at 03:57:05PM -1000, Chris Newman wrote:

> > I am far more curious about what happened to Google's outbound
> > TLS mail stats around Oct 14th:
> > 
> >
> > 
> > but this seems likely to remain a mystery.  Perhaps some large peer
> > botched their TLS settings?
> My speculation:
> There's no specification for SMTP relay fallback from STARTTLS to cleartext.

Correct, Sendmail defers the mail, while Postfix falls back to
cleartext (eventually).

> So if a provider turns on fully RFC 3207 client-side STARTTLS for relay

Google is the sender in this case.  The drop in TLS traffic started
on Oct 7th, fell sharply on the 11th and ended on Oct 15th.  Outbound
TLS support at Google is far from new.

> and that
> software doesn't also implement the unspecified fallback, it will stop the flow
> of mail to peers that advertise STARTTLS but implement it incorrectly.

So I think you're saying that Google may have disabled its previous
STARTTLS to cleartext fallback, and after a few days found that a
lot of mail got deferred.  And that point either selectively or
globally re-enabled fallback?

I'd have hoped they would notice a lot sooner, the drop is from
75% to 50% of mail using TLS.  If the missing TLS mail is queued,
that would rapidly lead to enourmous mail backlogs.  It seems far
more likely that some remote peer broke their TLS, or Google tried
some fancy TLS settings, and ran into interoperability issues.  In
either case Google likely then delivered in cleartext.

> Once the queue buildup is noticed, the client-side site has to:
> 1. turn off client-side STARTTLS

Note what happened at Google, since the TLS rate did not go to zero.

> 2. upgrade to a software version implementing the unspecified protocol, if
> available.
> 3. manually configure no-STARTTLS for each endpoint that has a broken STARTTLS
> implementation.
> 4. bounce mail to legitimate recipients with a bogus STARTTLS implementation.

They probably had cleartext fallback all along, and I think deferred
mail at that volume would have been noticed rather quickly.

> Incidentally, I suspect 1 is a common service provider response to this
> situation.

That is rather plausible.