FastMail Forum: All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.
15 Sep 2018, 07:30 PM | #1
Member
Join Date: Nov 2003
Location: Hong Kong
Posts: 79
Getting STARTTLS Everywhere
In the Fastmail blog, a June 2018 post talks about STARTTLS (https://fastmail.blog/2018/06/27/let...ls-everywhere/).
When testing Fastmail.com on the STARTTLS Everywhere site (https://starttls-everywhere.org/results/?fastmail.com), it reveals that Fastmail.com's mailserver supports STARTTLS, uses great TLS parameters, and presents a valid certificate, which is tops. However, it also says that the Fastmail.com domain was not added to the Electronic Frontier Foundation's STARTTLS Policy List, which would reportedly help mitigate downgrade attacks, so servers have another point of reference to discover that Fastmail supports STARTTLS. May Fastmail consider doing so?
16 Sep 2018, 11:51 PM | #2
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
The real solution to the man-in-the-middle attacks that allow downgrading of the security in message transfers is improved security around DNS. As I understand it, there are no known ways to intercept SMTP traffic via downgrade attacks when DNSSEC is properly implemented. The EFF STARTTLS policy list, which may or may not make a difference depending on whether the correspondent mail service references it, is an inelegant hack.
16 Sep 2018, 11:58 PM | #3
Member
Join Date: Nov 2003
Location: Hong Kong
Posts: 79
Thanks, Tim
23 Sep 2018, 05:17 PM | #4
Master of the @
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
|
Just as a related side note on STARTTLS: when I saw the recent email that Fastmail sent out on this, I checked my domains (where I point the MX records at Fastmail) to check their status and found they all failed.
Anyway, after checking with Fastmail support, it turns out I was using the old Fastmail MX servers (I had created my domains years ago). A quick change of the MX records to the following sorted things out:
in1-smtp.messagingengine.com
in2-smtp.messagingengine.com
The old servers (still working) are:
in1.smtp.messagingengine.com
in2.smtp.messagingengine.com
So just change the first period to a dash. Fastmail say they will identify and notify users who are still using the old MX servers.
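The two checks discussed in this thread, whether a mail server actually advertises STARTTLS in its EHLO reply (post #1) and whether a domain's MX hostnames match the hosts a STARTTLS policy entry expects (post #4), can be reproduced locally. The following is an added example written for this page; it is not code from the forum, Fastmail or the EFF. The EHLO replies are constructed samples, the policy entry is written in the shape the EFF policy list is assumed to use (a mode plus a list of MX hostnames, where an entry beginning with "." is assumed to match subdomains), and the legacy-hostname pattern is taken from post #4's description only. Everything runs offline except `live_starttls_check`, which is provided for probing a real host and is not called automatically.

```python
"""Offline STARTTLS diagnostics for the situations described in this thread.

1. parse_ehlo / has_starttls: does an SMTP server offer STARTTLS?
2. mx_matches_policy: does an MX hostname match a policy entry?
3. is_legacy_fastmail_mx: flags the old 'inN.smtp.' naming from post #4.
4. live_starttls_check: optional network probe with smtplib (not run here).
"""
import re
import smtplib

# Constructed EHLO replies (not captured from any real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> set:
    """Return the extension keywords (upper-cased) from a multi-line EHLO reply.

    The first 250 line carries the server's greeting, not an extension, so it is
    skipped. Each later line is '250-KEYWORD [params]' or '250 KEYWORD' (last line).
    """
    lines = [line for line in reply.split("\r\n") if line]
    extensions = set()
    for line in lines[1:]:
        match = re.match(r"250[- ](\S+)", line)
        if match:
            extensions.add(match.group(1).upper())
    return extensions


def has_starttls(reply: str) -> bool:
    """True when the EHLO reply advertises the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(reply)


# Assumed shape of a STARTTLS policy entry: an enforcement mode plus the MX
# hostnames the domain is expected to use. Hostnames here are the new Fastmail
# MX names quoted in post #4.
EXAMPLE_POLICY = {
    "mode": "enforce",
    "mxs": ["in1-smtp.messagingengine.com", "in2-smtp.messagingengine.com"],
}


def mx_matches_policy(mx_host: str, policy: dict) -> bool:
    """True if mx_host is listed in the policy.

    An entry starting with '.' is treated as a suffix match (assumption), so
    '.messagingengine.com' would also cover 'in3-smtp.messagingengine.com'.
    """
    host = mx_host.rstrip(".").lower()
    for allowed in policy["mxs"]:
        allowed = allowed.lower()
        if allowed.startswith("."):
            if host.endswith(allowed) or host == allowed[1:]:
                return True
        elif host == allowed:
            return True
    return False


# Old naming from post #4: 'inN.smtp.messagingengine.com' (dot instead of dash).
LEGACY_FASTMAIL_MX = re.compile(r"^in\d+\.smtp\.messagingengine\.com\.?$", re.IGNORECASE)


def is_legacy_fastmail_mx(mx_host: str) -> bool:
    """True if the MX hostname uses the legacy dotted form described in post #4."""
    return bool(LEGACY_FASTMAIL_MX.match(mx_host))


def live_starttls_check(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Connect to a real SMTP server, send EHLO and report whether STARTTLS is offered.

    Network access required; only for checking a server you operate or are
    authorised to test. Not called by the offline checks above.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    print("sample server offers STARTTLS:", has_starttls(EHLO_WITH_STARTTLS))
    for mx in ("in1-smtp.messagingengine.com", "in1.smtp.messagingengine.com"):
        print(mx, "matches policy:", mx_matches_policy(mx, EXAMPLE_POLICY),
              "legacy form:", is_legacy_fastmail_mx(mx))
```

Running the module prints that the constructed server offers STARTTLS, that the dashed hostname matches the policy entry, and that the dotted hostname does not and is flagged as the legacy form, which is the mismatch post #4 describes. Against a live host, `live_starttls_check` performs the same EHLO inspection with `smtplib`, which is the local equivalent of the first check the STARTTLS Everywhere site reports.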