EmailDiscussions.com  

Old 15 Sep 2018, 08:30 PM   #1
ppm
Member
 
Join Date: Nov 2003
Location: Hong Kong
Posts: 53
Question Getting STARTTLS Everywhere

In the Fastmail blog, a June 2018 post talks about STARTTLS (https://fastmail.blog/2018/06/27/let...ls-everywhere/).

When testing Fastmail.com on the STARTTLS Everywhere site (https://starttls-everywhere.org/results/?fastmail.com), it reveals that Fastmail.com's mailserver supports STARTTLS, uses great TLS parameters, and presents a valid certificate, which is tops.

However, it also says that the Fastmail.com domain was not added to the Electronic Frontier Foundation's STARTTLS Policy List, which would reportedly help mitigate downgrade attacks, so servers have another point of reference to discover that Fastmail supports STARTTLS.

May Fastmail consider doing so?

Old 17 Sep 2018, 12:51 AM   #2
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 2,696
The real solution to the man-in-the-middle attacks that allow downgrading of the security in message transfers is improved security around DNS. As I understand it, there are no known ways to intercept SMTP traffic via downgrade attacks when DNSSEC is properly implemented. The EFF STARTTLS policy list, which may or may not make a difference depending on whether the correspondent mail service references it, is an inelegant hack.
Old 17 Sep 2018, 12:58 AM   #3
ppm
Member
 
Join Date: Nov 2003
Location: Hong Kong
Posts: 53
Thanks, Tim

Quote:
Originally Posted by BritTim View Post
The real solution to the man-in-the-middle attacks that allow downgrading of the security in message transfers is improved security around DNS. As I understand it, there are no known ways to intercept SMTP traffic via downgrade attacks when DNSSEC is properly implemented. The EFF STARTTLS policy list, which may or may not make a difference depending on whether the correspondent mail service references it, is an inelegant hack.
Thanks for your comment on my query. Looks like this policy list is not so useful, then.
Old 23 Sep 2018, 06:17 PM   #4
ewal
Master of the @
 
Join Date: Apr 2002
Location: London, UK
Posts: 1,321
Just as a side related note on STARTTLS. When I saw the recent email that Fastmail sent out on this I checked my domains (where I point the MX records at Fastmail) to check their status and found they all failed.

Anyway, after checking with Fastmail support, turns out I was using the old Fastmail MX servers (I had created my domains years ago).

Anyway, a quick change of the MX records to the following sorted things out:

in1-smtp.messagingengine.com
in2-smtp.messagingengine.com

The old servers (still working) are

in1.smtp.messagingengine.com.
in2.smtp.messagingengine.com

So just change the first period to a dash.

Fastmail say they will identify and notify users who are still using the old MX servers.
ewal is offline   Reply With Quote
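
The MX check described in post #4, as an added example that is not part of the original thread and is not Fastmail's own tooling: it classifies a domain's MX hosts as legacy or current using the four hostnames quoted in the post. The sample input is constructed in the `priority host` shape that `dig +short MX` prints, and the function names are hypothetical.

```python
import re

# Hostnames exactly as given in the post above.
LEGACY_MX = {"in1.smtp.messagingengine.com", "in2.smtp.messagingengine.com"}
CURRENT_MX = {"in1-smtp.messagingengine.com", "in2-smtp.messagingengine.com"}

# Constructed sample in the "priority host" shape that `dig +short MX` prints.
# Priorities and the third record are made up for illustration.
SAMPLE_MX_OUTPUT = """\
10 in1.smtp.messagingengine.com.
20 IN2-smtp.messagingengine.com.
30 mx.backup.example.
"""


def parse_mx_lines(text):
    """Return sorted (priority, host) tuples; hosts lowercased, root dot removed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        match = re.fullmatch(r"(\d+)\s+(\S+)", line)
        if match is None:
            raise ValueError(f"not an MX line: {line!r}")
        records.append((int(match.group(1)), match.group(2).rstrip(".").lower()))
    return sorted(records)


def audit_mx(text):
    """Classify each MX host as 'legacy', 'current' or 'other'.

    For legacy hosts the fourth field is the replacement name, formed as the
    post says: change the first period to a dash.
    """
    findings = []
    for priority, host in parse_mx_lines(text):
        if host in LEGACY_MX:
            findings.append((priority, host, "legacy", host.replace(".", "-", 1)))
        elif host in CURRENT_MX:
            findings.append((priority, host, "current", None))
        else:
            findings.append((priority, host, "other", None))
    return findings


if __name__ == "__main__":
    for finding in audit_mx(SAMPLE_MX_OUTPUT):
        print(finding)
```

Comparison is done after lowercasing and stripping the trailing root dot, so `in1.smtp.messagingengine.com.` and `in1.smtp.messagingengine.com` are treated as the same legacy host.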
All times are GMT +9. The time now is 03:39 PM.

 
