EmailDiscussions.com  


View Poll Results: Should fast mail better secure incoming email?
I am not sure or I don't know enough to say. 7 50.00%
Yes, I don't like people intercepting, modifying or spying on me/my email messages. 5 35.71%
Maybe. Implement test mode for now. Then upgrade to enforcement mode if all goes well. 2 14.29%
No. (Why?) 0 0%
Voters: 14.

Old 22 Apr 2019, 03:37 AM   #1
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,420
Should fastmail opt into strict transport layer security mode?

Should fastmail opt into strict transport layer security mode? See RFC 8461. MTA-STS (full name SMTP Mail Transfer Agent Strict Transport Security) is a ~10-month-old standard that aims to improve the security of SMTP by enabling domain names to opt into strict transport layer security mode ...

I just opted in my own domains and subdomains and fastmail subdomains. That is,
<munged>.com, <munged.munged>.com, <munged>sent.com, <munged>.mm.st.

It was my popular previous thread regarding whether the logs showed whether content to certain domains was encrypted or not (op cit) and this fastmail blog post that got me energized:
Getting STARTTLS Everywhere
TECHNICAL
27 June 2018 / Helen Horstmann-Allen (fastmail COO)
https://fastmail.blog/2018/06/27/let...ls-everywhere/

This won’t (well, shouldn’t) cause any problems (other than for those trying to spy on email traffic). (For example: when servers that don’t understand MTA-STS try to send email to fastmail, it will still be accepted.)

PS I’m surprised that MTA-STS policy can be defined only on a per recipient domain basis, but not on a per receiving SMTP server name basis, which would require much less setup and maintenance work, but at the cost of reduced policy granularity choice.

PPS I’m guessing there’s no DANE support yet.

Last edited by elvey : 22 Apr 2019 at 03:46 AM.
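
The sender-side check that RFC 8461 describes, as an added example that is not part of the original post: it parses a policy file, matches an MX host against it, and shows how "testing" and "enforce" modes differ. The policy text and host names are constructed sample values, and the function names are hypothetical. The check runs on the sending server, which is why senders that do not implement MTA-STS are unaffected.

```python
# Added example: RFC 8461 policy parsing and the sender's per-MX decision.
# SAMPLE_POLICY and all host names below are constructed sample values.
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: testing\r\n"
    "mx: mx1.example.net\r\n"
    "mx: *.mail.example.net\r\n"
    "max_age: 86400\r\n"
)

def parse_policy(text):
    """Parse an mta-sts.txt body into a dict; the 'mx' key may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx patterns")
    if "max_age" not in policy:
        raise ValueError("max_age is required")
    policy["max_age"] = int(policy["max_age"])
    return policy

def mx_matches(pattern, host):
    """A leading '*.' in the pattern matches exactly one left-most label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, parent = host.partition(".")
        return parent == pattern[2:]
    return host == pattern

def delivery_decision(policy, mx_host, tls_cert_valid):
    """Return 'deliver', 'deliver-and-report' or 'refuse' for one MX candidate."""
    ok = tls_cert_valid and any(mx_matches(p, mx_host) for p in policy["mx"])
    if ok or policy["mode"] == "none":
        return "deliver"
    # testing: deliver anyway but report the failure; enforce: skip this host
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"
```
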

Old 24 Apr 2019, 01:39 PM   #2
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,420
More votes, please!
Old 30 Apr 2019, 12:04 PM   #3
malcarada
Senior Member
 
Join Date: Feb 2008
Location: European Union
Posts: 180
I would not worry too much about it, since Fastmail is an Australian company, their government could ask one of FM's employees to introduce a backdoor before MTA-STS takes place or make it buggy, and if that is not possible they can ask the employee to write a piece of code to make it possible or give him a USB thumbdrive with malware to run it on the server.

If you are so worried about privacy it is best to pick a company not in Australia, somewhere employees cannot be forced to act in secret behind the management's back to introduce a backdoor, which is the current power Australian law enforcement has. This is unheard of even in the USA or UK and those countries are not exactly the most privacy friendly in the world, which tells you what a bad idea it is to pick an Australian company for privacy.

And before you say that you are not likely to attract law enforcement attention, let me remind you that backdoors can be exploited by anybody, not just law enforcement.

Last edited by malcarada : 1 May 2019 at 01:26 AM.
Old 2 May 2019, 11:09 AM   #4
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,420
Really? I recall Fastmail has a blog post that, as I recall, doesn’t square with what you’re claiming. As I recall, because the server hosting is not in Australia but the company is, and fastmail is not more accommodating of legal demands than it has to be, privacy is unusually good (but by no means Lavabit-good). Have you seen that post or posts?

Also I think you’re mistaken in at least one sense because the case of Lavabit shows that in the US companies can receive enforceable secret orders to compromise email privacy.

Do you have any sources to support your claim?

Last edited by elvey : 2 May 2019 at 03:49 PM.
Old 3 May 2019, 08:11 AM   #5
snappy
Junior Member
 
Join Date: Nov 2014
Posts: 5
Even if the Australian government can compel Fastmail to install a backdoor to exfiltrate secured SMTP traffic, they probably wouldn't go to that length. But at the same time you shouldn't dismiss the "worst case scenario," because at some point in history mass surveillance on the Internet was considered hysteria/conspiracy theory territory which was unequivocally proved wrong.


In any case, MTA-STS is an improvement over the current posture of SMTP TLS interconnect by adding a stronger element of trust/authentication. It mitigates the threat of bad actors and MITM attacks for fairly negligible overhead/cost. There's probably never really been an attack in the wild of a rogue SMTP server masquerading as a legitimate entity, but it's just another way to keep servers/systems honest.

To me, it's a no-brainer, implement it. Probably not that important to expedite though.
Old 3 May 2019, 11:03 AM   #6
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,524
Was this thread inspired by this news about Gmail becoming the first major email provider to add MTA-STS support?
https://betanews.com/2019/04/12/gmai...tls-reporting/
https://www.zdnet.com/article/gmail-...tls-reporting/

Bill
Old 5 May 2019, 11:45 PM   #7
malcarada
Senior Member
 
Join Date: Feb 2008
Location: European Union
Posts: 180
Quote:
Originally Posted by elvey
Really? I recall Fastmail has a blog post that, as I recall, doesn’t square with what you’re claiming. As I recall, because the server hosting is not in Australia but the company is, and fastmail is not more accommodating of legal demands than it has to be, privacy is unusually good (but by no means Lavabit-good). Have you seen that post or posts?

Also I think you’re mistaken in at least one sense because the case of Lavabit shows that in the US companies can receive enforceable secret orders to compromise email privacy.

Do you have any sources to support your claim?
Yes really, if you have a company in Australia you must comply with Australian law, my source is common sense.

I think you are mistaken too comparing the Lavabit case with the Australian law that can force employees to plant backdoors in the infrastructure and the law in the US where the CEO gets a gagging order and then he decides if he wants to comply with it or not, if Lavabit had been in Australia the CEO would have never known about any backdoor, law enforcement could have asked one of his employees to plant it and demand he doesn't say anything to his boss.

I stand by my comment, the Australian law that can force employees to act behind the back of their bosses is unheard of in the US or UK. Not sure if China or Iran have any equivalent, but other surveillance states like UK, they do not have that kind of power.

Last edited by malcarada : 5 May 2019 at 11:51 PM.
Old 6 May 2019, 05:11 AM   #8
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,420
Quote:
Originally Posted by n5bb
Was this thread inspired by this news about Gmail becoming the first major email provider to add MTA-STS support?
https://betanews.com/2019/04/12/gmai...tls-reporting/
https://www.zdnet.com/article/gmail-...tls-reporting/

Bill
Coincidence. I found out about it through the IETF; I hadn't seen any news coverage about it. I just corrected a betanews commenter ignorant of https://www.wired.co.uk/article/goog...emails-privacy



I'm not entirely convinced, @malcarada; I think we're both partly right; good discussion.

Last edited by elvey : 6 May 2019 at 05:23 AM. Reason: mention gmail not reading emails anymore.