Hello everybody,

I just got the email about the enforcing of HTTPS for the CentOS Websites which I really appreciate:

“The CentOS Project infra team has decided to implement TLS wherever we can (…)”

Does anybody know if and when mail.centos.org will be able to deliver its mails with STARTTLS? There seems to be no support for STARTTLS at all:

    $: openssl s_client -connect mail.centos.org:25 -starttls smtp
    (…)
    didn't found starttls in server response, try anyway...
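The openssl check in the post above is answered by the server's EHLO reply: STARTTLS is only possible if the server lists it there. The following is an added example, not part of the original thread, in Python: it parses EHLO replies into their extension keywords and, given a hostname, performs the same STARTTLS posture check with verification against the system trust store. The EHLO transcripts are constructed, and mail.example.org is a placeholder hostname.

```python
"""Check whether an SMTP server advertises STARTTLS in its EHLO reply."""
import smtplib
import ssl


def parse_ehlo(response: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {EXTENSION: parameters}.

    Every line is '250-KEYWORD params' except the last one, '250 KEYWORD params'.
    The first line carries the server's domain, not an extension, and is skipped.
    Keywords are case-insensitive (RFC 5321), so they are normalised to upper case.
    """
    extensions = {}
    for index, line in enumerate(response.strip().splitlines()):
        if not line.startswith("250"):
            raise ValueError(f"not a 250 reply line: {line!r}")
        if index == 0:
            continue
        keyword, _, params = line[4:].strip().partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def advertises_starttls(response: str) -> bool:
    """True if the EHLO reply lists the STARTTLS extension (RFC 3207)."""
    return "STARTTLS" in parse_ehlo(response)


def live_check(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, EHLO, and if STARTTLS is offered negotiate TLS and report it.

    Certificate verification uses the default trust store, so a server with a
    self-signed certificate fails here even though it offers STARTTLS.
    """
    result = {"starttls": False, "tls_version": None, "cipher": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return result
        result["starttls"] = True
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # RFC 3207 requires a fresh EHLO after the TLS handshake
        result["tls_version"] = smtp.sock.version()
        result["cipher"] = smtp.sock.cipher()[0]
    return result


# Constructed EHLO replies: the first matches what the thread reports for
# mail.centos.org (no STARTTLS); the second is a server that offers it.
EHLO_NO_TLS = "250-mail.example.org\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"
EHLO_WITH_TLS = "250-mail.example.org\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    import sys
    print(live_check(sys.argv[1]) if len(sys.argv) > 1 else advertises_starttls(EHLO_NO_TLS))
```

Run with a hostname argument to check a live server; without one it evaluates the constructed no-STARTTLS transcript.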
On 08/19/2015 06:56 AM, Kai Bojens wrote:
> Hello everybody,
> I just got the email about the enforcing of HTTPS for the CentOS Websites
> which I really appreciate:
>
> “The CentOS Project infra team has decided to implement TLS wherever we
> can (…)”
>
> Does anybody know if and when mail.centos.org will be able to deliver its
> mails with STARTTLS? There seems to be no support for STARTTLS at all:
>
> $: openssl s_client -connect mail.centos.org:25 -starttls smtp
> (…)
> didn't found starttls in server response, try anyway...

E-mail by its very design is not secure, SMTP creates "Man In The Middle" at every server along the way. Signed messages are the only way to know they haven't been modified in transit between sender and recipient. DKIM does that if you trust it won't be modified on your server before it is applied, but even that doesn't work with mail lists because mail lists do modify the message.

I'm not saying they shouldn't implement TLS on the list server, just not sure what the privacy or security benefit really would be.
On 19-08-15 08:30:27, Alice Wonder wrote:
> e-mail by its very design is not secure, SMTP creates "Man In The
> Middle" at every server along the way.

DANE exists and mail servers like postfix support this. My logfiles show me that mail.centos.org delivers straight to me without any servers along the way.

> I'm not saying they shouldn't implement TLS on the list server, just
> not sure what the privacy or security benefit really would be.

Encryption ensures that third parties simply cannot follow their "collect all" strategy.
Fabian Arrotin
2015-Aug-19 19:33 UTC
[CentOS] TLS for all CentOS websites but not for smtp?
On 19/08/15 15:56, Kai Bojens wrote:
> Hello everybody, I just got the email about the enforcing of HTTPS
> for the CentOS Websites which I really appreciate:
>
> “The CentOS Project infra team has decided to implement TLS
> wherever we can (…)”
>
> Does anybody know if and when mail.centos.org will be able to
> deliver its mails with STARTTLS? There seems to be no support for
> STARTTLS at all:
>
> $: openssl s_client -connect mail.centos.org:25 -starttls smtp
> (…)
> didn't found starttls in server response, try anyway...

Thanks for the comment.

As said, we were targeting first the websites, but we can also investigate what would be needed and the possible impacts of implementing that for SMTP traffic. But, as other people said it too, it depends on what you want to secure/encrypt, and gnupg can also be used for that, despite the smtp server[s] included in the chain.

My (personal) opinion is "if you want to secure/encrypt", use gpg. Adding TLS on top of smtp for the transport itself can be a good idea. Let me just start a thread with the other guys and see what we can come up with.

That will not be priority #1 though, as we're also working on other things, like using FAS for central auth for resources like cbs.centos.org and git.centos.org.

Kind Regards,
--
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
On 19-08-15 21:33:59, Fabian Arrotin wrote:
> My (personal) opinion is "if you want to secure/encrypt", use gpg.

That's right if you want to hide the content. But this leaves the metadata of the communication clear to see for third parties. Using transport encryption is the only way to at least make this very hard to collect.

JFTR: I am not concerned about this mailing list and the traffic. It's just my opinion that we nowadays should use encryption and authentication as much as possible and make this the default.
Valeri Galtsev
2015-Aug-20 16:37 UTC
[CentOS] TLS for all CentOS websites but not for smtp?
On Wed, August 19, 2015 2:33 pm, Fabian Arrotin wrote:
> On 19/08/15 15:56, Kai Bojens wrote:
>> Hello everybody, I just got the email about the enforcing of HTTPS
>> for the CentOS Websites which I really appreciate:
>>
>> “The CentOS Project infra team has decided to implement TLS
>> wherever we can (…)”
>>
>> Does anybody know if and when mail.centos.org will be able to
>> deliver its mails with STARTTLS? There seems to be no support for
>> STARTTLS at all:
>>
>> $: openssl s_client -connect mail.centos.org:25 -starttls smtp
>> (…)
>> didn't found starttls in server response, try anyway...
>
> Thanks for the comment.
>
> As said, we were targeting first the websites, but we can also
> investigate what would be needed and the possible impacts of
> implementing that for SMTP traffic.
> But, as other people said it too, it depends on what you want to
> secure/encrypt, and gnupg can also be used for that, despite the smtp
> server[s] included in the chain.
>
> My (personal) opinion is "if you want to secure/encrypt", use gpg.
> Adding TLS on top of smtp for the transport itself can be a good idea.
> Let me just start a thread with the other guys and see what we can
> come with.

I 100% agree with gpg. TLS/SSL I would only consider necessary if you have to authenticate with your SMTP server for having it send your message for you. For everything else as far as SMTP is concerned TLS/SSL does not add anything thus is not necessary IMHO. Just my $0.02.

Valeri

> That will not be priority #1 though, as we're also working on other
> things, like using FAS for central auth for resources like
> cbs.centos.org and git.centos.org.
>
> Kind Regards,
> --
> Fabian Arrotin
> The CentOS Project | http://www.centos.org
> gpg key: 56BEC54E | twitter: @arrfab

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247