Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: hanscees on March 10, 2014, 10:11:58 PM
-
Hi,
I know this topic has been raised before, but I can't help it after seeing Snowden on data encryption (Dutch)
http://www.nu.nl/tech/3722695/snowden-wil-techbedrijven-data-beter-versleutelen.html
His claim is: data encryption does help a lot and should be applied if possible.
I therefore strongly feel that the email server on SME server should speak TLS/SSL by default when sending and receiving email, effectively encrypting the email transport layer.
I know that talking TLS in this way does not protect us from man-in-the-middle attacks, because you have to accept self-signed certificates (or email will become unreliable). But it does protect us from simple SMTP sniffing and it does make it harder for the bad guys (NSA).
If all email servers use TLS by default this will hamper mass surveillance quite a bit. And as soon as a good way comes along to deal with the man-in-the-middle problem we are ready for it.
I do realize it would be a lot of work since probably qmail won't work that way, and no, I am not wealthy enough to buy it. Just security aware.
So again my call to make SME server use TLS by default.
Sincerely, Hans-Cees
-
hanscees
Requests like this are best raised as a New Feature Request (NFR) bug in bugzilla.
That way the developers get to see them.
My only (less than fully understanding the technicalities) comment is that your suggestion appears to be asking that all mail servers use TLS/SSL by default when sending and receiving email, so therefore it is not only SME server that needs to change.
How do you propose that all mail servers in the world be changed?
-
Hi Janet,
many email servers (MTAs) on the internet already work this way, thereby enhancing the overall security on the web. Even Microsoft Exchange can do this.
My suggestion is simply that SME joins the movement for privacy.
Hans-Cees
-
hanscees
Did you raise a bug? What is the bug number?
-
Raise a bug as a feature request so it can be discussed and changes made where needed.
-
Hanscees & wellsi
Bug created
http://bugs.contribs.org/show_bug.cgi?id=8288
-
By default the SME server advertises TLS for mail reception (qpsmtpd) so half the job is done - we cannot force the sender to send via this channel though. On the sending side (qmail), the SME server does not try to use TLS.
Best guess would be to apply: http://inoa.net/qmail-tls/qmail-1.03-tls-20021228-renato.patch
The certificate is already in place.
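
The sending-side behaviour discussed above (use STARTTLS when the receiving server advertises it, otherwise fall back), as an added Python example that is not part of the original thread and is not SME Server, qpsmtpd or qmail code. The function names, the host `mail.example.test` and the sample EHLO reply are constructed for illustration.

```python
import smtplib
import ssl

# Constructed EHLO reply for illustration; not captured from a real server.
SAMPLE_EHLO = (
    "250-mail.example.test Hi client [192.0.2.10]\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 15000000\r\n"
    "250 STARTTLS\r\n"
)

def parse_ehlo(reply):
    """Map each advertised extension keyword to its parameters (RFC 5321)."""
    lines = reply.splitlines()
    if not lines:
        raise ValueError("empty reply")
    ext = {}
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        # Every line but the last is "250-..."; the last is "250 ...".
        if code != "250" or sep != (" " if i == len(lines) - 1 else "-"):
            raise ValueError("not a valid 250 EHLO reply: %r" % line)
        words = text.split()
        if i > 0 and words:          # line 0 is the greeting, not an extension
            ext[words[0].upper()] = words[1:]
    return ext

def delivery_plan(reply, require_tls=False):
    """Sender-side choice: 'starttls', 'plaintext' or 'defer'."""
    try:
        offered = "STARTTLS" in parse_ehlo(reply)
    except ValueError:
        offered = False
    if offered:
        return "starttls"
    # No offer seen: opportunistic mode sends in cleartext, strict mode queues.
    return "defer" if require_tls else "plaintext"

def probe(host, port=25, timeout=10):
    """Live check: negotiated TLS version, or None if STARTTLS is not offered."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # self-signed certificates are accepted,
    ctx.verify_mode = ssl.CERT_NONE  # as in the opportunistic case in the thread
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=ctx)
        return smtp.sock.version()
```

Because the plaintext fallback is taken whenever no STARTTLS offer is seen, this mode protects against passive sniffing only, which matches the limitation stated in the first post.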
-
for those interested, some follow up here: https://forums.contribs.org/index.php/topic,53919.0.html
we have implemented a patch to add tls support.