Re: TLS-certificates and interoperability-issues sendmail / Exchange / postfix ..

From: Mark Crispin (MRC_at_CAC.Washington.EDU)
Date: 04/03/05

Date: Sat, 2 Apr 2005 21:10:14 -0800

On Sun, 3 Apr 2005, Per Hedeland wrote:
> I'm afraid you're still missing my point - I'm not talking about what
> the software does or can do, but about what is actually done "out
> there".

Pine is an example of SMTP-TLS software that is "out there". Our
statistics indicate that there are a rather large number of users. The
c-client library, used by Pine, is also used by other programs (e.g.
Mahogany) so they have the same capabilities.

Although this is not enough data to claim that "all SMTP-TLS capable MUAs
validate certificates", it is enough to debunk the claim that "SMTP-TLS
capable MUAs do not validate certificates."

> But only if the SMTP servers have certificates signed by "official" CAs,
> of course. How common do you think that is, in terms of percentage of
> MTAs offering STARTTLS?

All of the MTAs (more accurately, MSAs) that offer STARTTLS that I access
have real certificates.

> Well, you're obviously talking about the procedures at UW here - so we
> can conclude that UW is one place where certificate validation is taken
> seriously. That still doesn't say anything about how common it is in
> general.

We talk a lot with our peer institutions. Many of them are doing the same
thing that we are. We have serious problems both with spam and with RBLs
listing us from time to time because a student PC got a spam-engine worm.
Consequently, we and our peer institutions are rapidly closing all means
by which a user on our networks can transmit email without authentication.

Let's put it this way; I doubt very much that we or our peers will end up
with anything less than mandatory authentication and mandatory certificate

The whole reason why certificate validation is needed is to protect the
session from man-in-the-middle and other attacks. There is no point to
requiring authentication if it is trivial for bad guys to steal

> I don't have any concrete evidence to support my belief - it's mostly
> based on implicit information gleaned from newsgroup postings and
> observations of actual mail transport.

As poor quality as the data in my testimony may be, your data appears to
be of worse quality.

-- Mark --
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
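
Added example, not part of the original post and not code from Pine or c-client: a Python submission client that applies the policy discussed in the thread, sending credentials only after STARTTLS with a validated certificate. The function names and the port 587 default are assumptions made for this sketch.

```python
import smtplib
import ssl


def validating_context(cafile=None):
    """TLS context that enforces chain and hostname validation."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def non_validating_context():
    """The weak setting, for contrast: encrypts but accepts any certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def safe_to_authenticate(ctx):
    """Credentials may only travel over a context that validates the peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def submit(host, user, password, sender, rcpt, message, port=587, ctx=None):
    """Submit one message; fail closed if TLS or validation is unavailable."""
    ctx = ctx or validating_context()
    if not safe_to_authenticate(ctx):
        raise ValueError("refusing to send credentials without certificate validation")
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        # A missing STARTTLS offer may mean it was stripped in transit: do not fall back.
        if not smtp.has_extn("starttls"):
            raise smtplib.SMTPNotSupportedError("server does not offer STARTTLS")
        smtp.starttls(context=ctx)  # raises ssl.SSLCertVerificationError on a bad cert
        smtp.ehlo()  # re-read capabilities over the protected channel
        smtp.login(user, password)
        smtp.sendmail(sender, rcpt, message)
```

With `non_validating_context()` the session is still encrypted, but any party in the path can present its own certificate and receive the login, which is why `submit()` refuses that context before opening a connection.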