On 29/05/20 11:27 pm, mj wrote:> Thanks to all who participated in the interesting discussion. > > It seems my initial thought might have been best after all, and > discontinuing port 143 might be the safest way proceed.Yes and no. Some of the attack vectors mentioned are not reasonable and it really depends on the client. Thunderbird, for example, used to have settings for plain text, TLS and "TLS if available", but the latter setting has not been available for some time which forces the user to choose either plain text or TLS at setup time now. This means that the user would now have to change the setting in their client for a downgrade attack to work. I can't speak for all MUAs but if they similarly have removed their "TLS if available" option or if the users explicitly don't pick that option (you can ask them not to in your setup instructions) then that type of downgrade attack cannot occur. The other possible downgrade attack which was not mentioned but is equally mitigated by the client is where the MITM intercepts the connection, connects to your server and issues a STARTTLS itself but presents the resulting connection as plain text to the client. This means that enforcing STARTTLS on the server side will not prevent a plain text connection through a MITM from the client. But do keep in mind that if the client is configured properly to only connect via TLS then it will refuse the connection if it is not presented with a STARTTLS option that works. So yes the safest way to go is to just use port 993, but as long as the client is not set to a "TLS if available" option then port 143 is also safe. Also note that the same concerns apply for your submission server (likely postfix) using the submission port (587) and enforcing STARTTLS vs the submissions port (465) which is a direct TLS connection. Peter
> Le 31 mai 2020 ? 06:09, Peter <peter at pajamian.dhs.org> a ?crit : > > On 29/05/20 11:27 pm, mj wrote: >> Thanks to all who participated in the interesting discussion. >> It seems my initial thought might have been best after all, and discontinuing port 143 might be the safest way proceed. > > Yes and no. Some of the attack vectors mentioned are not reasonable and it really depends on the client. Thunderbird, for example, used to have settings for plain text, TLS and "TLS if available", but the latter setting has not been available for some time which forces the user to choose either plain text or TLS at setup time now. This means that the user would now have to change the setting in their client for a downgrade attack to work. I can't speak for all MUAs but if they similarly have removed their "TLS if available" option or if the users explicitly don't pick that option (you can ask them not to in your setup instructions) then that type of downgrade attack cannot occur. > > The other possible downgrade attack which was not mentioned but is equally mitigated by the client is where the MITM intercepts the connection, connects to your server and issues a STARTTLS itself but presents the resulting connection as plain text to the client. This means that enforcing STARTTLS on the server side will not prevent a plain text connection through a MITM from the client. But do keep in mind that if the client is configured properly to only connect via TLS then it will refuse the connection if it is not presented with a STARTTLS option that works. > > So yes the safest way to go is to just use port 993, but as long as the client is not set to a "TLS if available" option then port 143 is also safe.I don?t think you can call an option safe if it relies on the users to properly configure their client. We all know that users are usually bad at following instructions ;-)
On 31/05/20 6:50 pm, Jean-Daniel wrote:>> Yes and no. Some of the attack vectors mentioned are not reasonable and it really depends on the client. Thunderbird, for example, used to have settings for plain text, TLS and "TLS if available", but the latter setting has not been available for some time which forces the user to choose either plain text or TLS at setup time now. This means that the user would now have to change the setting in their client for a downgrade attack to work. I can't speak for all MUAs but if they similarly have removed their "TLS if available" option or if the users explicitly don't pick that option (you can ask them not to in your setup instructions) then that type of downgrade attack cannot occur. >> >> The other possible downgrade attack which was not mentioned but is equally mitigated by the client is where the MITM intercepts the connection, connects to your server and issues a STARTTLS itself but presents the resulting connection as plain text to the client. This means that enforcing STARTTLS on the server side will not prevent a plain text connection through a MITM from the client. But do keep in mind that if the client is configured properly to only connect via TLS then it will refuse the connection if it is not presented with a STARTTLS option that works. >> >> So yes the safest way to go is to just use port 993, but as long as the client is not set to a "TLS if available" option then port 143 is also safe. > > I don?t think you can call an option safe if it relies on the users to properly configure their client. We all know that users are usually bad at following instructions ;-)Fair enough, but this attack vector can only happen if it's on a client that supports a downgrade option (I should hope that most don't nowadays, but someone did mention MacOX Mail earlier) *and* the user selects that option when configuring as opposed to the stricter "TLS only" (or equivalent) option. At that point it still requires a MITM attack to downgrade the connection, and that MITM must not only be able to read the packets but also intercept them and present different data to the user. I can see this type of attack happening in wifi environments and coming from ISPs that want to snoop on people's email, though. As I said (and I stand by it) the safest approach is to just limit to port 993, but port 143 is also safe if properly configured on both the server and client side. Peter
On Sun, 31 May 2020, Jean-Daniel wrote:>> So yes the safest way to go is to just use port 993, but as long as >> the client is not set to a "TLS if available" option then port 143 is >> also safe. > > I don?t think you can call an option safe if it relies on the users to > properly configure their client. We all know that users are usually > bad at following instructions ;-)I think Peter nailed it, but let's put it this way: the server policy is irrelevant to client side policy. *If* the client has been not been configured to disable plaintext password, a malicious party can coax a password out of a client, despite what the server policy is, or even whether the server is available. Only allowing implicit SSL will guarantee insecurely configured clients will fail (and maybe not even that if it autoconfigures), but it doesn't prevent them from being exploited. Joseph Tam <jtam.home at gmail.com>