lists should offer STARTTLS encryption on inbound mail and negotiate TLS on outbound mail as well.
Description
Details
- Reference
- rt5075
Event Timeline
Subject changed from 'Fwd: Potential security issue with mail from lists.wikimedia.org' to 'enable STARTTLS (both inbound and outbound) on sodium MTA' by jeremyb
The problem in the past was that this would use up (starve) all random entropy
because of the many deliveries, and then block. But with newer hardware and
potentially hw RNGs, the situation may be better now. We can test it again.
--
Mark Bergsma <mark at wikimedia>
Lead Operations Architect
Wikimedia Foundation
wooster wrote:
Hi Maggie,
I will get the discussion going on this with the team. It is a 'nice to
have' feature to enable (IMHO) and would need some work on our side.
Thanks,
CT
On Fri, May 10, 2013 at 10:19 AM, Wikimedia Answers <answers at wikimedia> wrote:
Hello, CT. :)
I'm told that I should send this to you - can you help this gentleman or
tell me to whom I should refer him instead?

Maggie
---------- Forwarded message ----------
From: Rich Wales <richw at richw>
To: <answers at wikimedia>

Hi. I sent a message about the following issue to *<postmaster at wikimedia>*
(Postfix) with ESMTP id A4BE717403E0 for <richw at richw>; Thu, 2 May 2013 11:53:45 -0700 (PDT)

It also appears that *lists.wikimedia.org* does not offer STARTTLS to
SMTP clients. I tried connecting to it just now, and here is what I saw;
note that the list of capabilities in the EHLO response does not mention
STARTTLS:

220 sodium.wikimedia.org ESMTP Exim 4.71 Thu, 02 May 2013 19:04:00 +0000
ehlo pigeon.richw.org
250-sodium.wikimedia.org Hello whodunit.stanford.edu [68.65.164.12]
250-SIZE 52428800
250-PIPELINING
250 HELP
quit
221 sodium.wikimedia.org closing connection

I realize you can't fully control the security of other hosts which send
mail to, or receive mail from, your server. However, it seems to me that
enabling STARTTLS on *lists.wikimedia.org* (both in its SMTP server and
its SMTP client code) would be a step in the right direction.

Any thoughts on this?
~~
*Rich Wales* (Richwales http://en.wikipedia.org/wiki/User:Richwales) *--
no relation to Jimbo*
<mdennis at wikimedia> wrote:
Thank you both. :)
I'll let the correspondent know that it's being looked at.
Maggie
On Sun, May 12, 2013 at 9:50 AM, Jeremy Baron via RT <ops-requests at wikimedia> wrote:
This already was in RT via dzahn via postmaster@. (same user reported
it) Merging.
--
Maggie Dennis
Senior Community Advocate
Wikimedia Foundation, Inc.
ksnider wrote:
Mark / Faidon,
Any chance we could consider this as part of the mail migration?
Thanks.
--Ken.
On Thu, Nov 21, 2013 at 04:45:45AM +0000, Ken Snider via RT wrote:
Any chance we could consider this as part of the mail migration?
Yup, it's already in the TODO.
Note that the actual security benefit of this is very disputable. No one
checks for certificate signatures and rejects, ever. There is no known
equivalent to browser CAs for mail certificates. At Debian we even do
DANE, no one checks that either :)
I assume this came from EFF's matrix. They know that no one does
validation as well and are discussing ways to fix this. I'm not very
optimistic.
Regards,
Faidon
On Nov 21, 2013, at 5:52 AM, Faidon Liambotis via RT <ops-requests-comment at wikimedia> wrote:

We had this enabled once upon a time, but the list server kept running out of random entropy. Since it wasn't all that useful and I had no time to deal with it, I just disabled it at the time.
I'm not at all against having this reenabled, just be aware that this can be an issue.
--
Mark Bergsma <mark at wikimedia>
Lead Operations Architect
Wikimedia Foundation
On Wed Dec 11 11:03:30 2013, mark wrote:
On Nov 21, 2013, at 5:52 AM, Faidon Liambotis via RT <ops-requests-comment at wikimedia> wrote:

We had this enabled once upon a time, but the list server kept
running out of random entropy. Since it wasn't all that useful and I
had no time to deal with it, I just disabled it at the time.
I'm not at all against having this reenabled, just be aware that this
can be an issue.
FWIW I think that despite no cert validation we still want to encrypt smtp
traffic (we could audit certificate fingerprints, if anything)
re: entropy if that turns out to be still a problem we can use something like
haveged
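The EHLO check Rich ran by hand above, and the certificate-fingerprint audit suggested in this reply, as an added example that is not part of the ticket and not the Wikimedia configuration: parse_ehlo() parses an EHLO reply and reports whether STARTTLS is advertised (the first sample is modelled on the sodium.wikimedia.org transcript quoted earlier, the second is constructed), and probe() connects to a live host, upgrades to TLS, and records the negotiated protocol version and the leaf certificate's SHA-256 fingerprint. Host names, the samples and the probe() helper are assumptions made for the example.

```python
"""Added example (not from the original ticket or the list server's code):
detect STARTTLS in an EHLO reply and, optionally, probe a live MTA for the
negotiated TLS version and certificate fingerprint.

All host names, the two sample transcripts and probe() are illustrative
assumptions, not the lists.wikimedia.org deployment.
"""
import hashlib
import re
import smtplib
import ssl

# Constructed sample, modelled on the transcript quoted in the ticket:
# SIZE, PIPELINING and HELP are advertised, STARTTLS is not.
SAMPLE_EHLO_NO_TLS = (
    "250-sodium.wikimedia.org Hello whodunit.stanford.edu [68.65.164.12]\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250 HELP\r\n"
)

# Constructed sample of a server that does offer STARTTLS.
SAMPLE_EHLO_TLS = (
    "250-mail.example.org Hello client.example.net [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-PIPELINING\r\n"
    "250 HELP\r\n"
)

# "250-KEYWORD params" (more lines follow) or "250 KEYWORD params" (last line).
_EHLO_LINE = re.compile(r"^250([ -])(\S+)(?:\s+(.*))?$")


def parse_ehlo(response: str) -> dict:
    """Parse a multi-line 250 EHLO reply (RFC 5321, section 4.1.1.1).

    The first 250 line is the server greeting and carries no capability;
    every later line is a capability keyword with optional parameters.
    Returns {KEYWORD: parameters} with keywords upper-cased.
    """
    lines = [l for l in response.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty EHLO response")
    caps = {}
    for line in lines[1:]:
        m = _EHLO_LINE.match(line.rstrip("\r"))
        if not m:
            raise ValueError(f"malformed EHLO line: {line!r}")
        caps[m.group(2).upper()] = m.group(3) or ""
    return caps


def advertises_starttls(response: str) -> bool:
    """True if the EHLO reply lists STARTTLS among its capabilities."""
    return "STARTTLS" in parse_ehlo(response)


def probe(host: str, port: int = 25, helo: str = "probe.example.net",
          verify_cert: bool = False, timeout: float = 15.0) -> dict:
    """Live probe; needs network access and is not exercised by the tests.

    As the thread notes, MTAs rarely present a certificate that a CA-style
    chain check accepts, so the default verify_cert=False still encrypts
    but records the leaf certificate's SHA-256 fingerprint, which can be
    compared against a known value (fingerprint audit) out of band.
    """
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo(helo)
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        result = {"starttls": smtp.has_extn("starttls"),
                  "tls_version": None, "cert_sha256": None}
        if result["starttls"]:
            smtp.starttls(context=ctx)
            smtp.ehlo(helo)  # capabilities may change after the upgrade
            der = smtp.sock.getpeercert(binary_form=True)
            result["tls_version"] = smtp.sock.version()
            result["cert_sha256"] = hashlib.sha256(der).hexdigest()
        return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print("sample without STARTTLS:", advertises_starttls(SAMPLE_EHLO_NO_TLS))
        print("sample with STARTTLS:   ", advertises_starttls(SAMPLE_EHLO_TLS))
```

Run with a host name as the only argument to probe a real MTA on port 25; with no arguments it only evaluates the two embedded samples. The fingerprint is taken from the DER form of the presented certificate, so it stays comparable even when the server's chain would not validate.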
On Tue Sep 16 11:22:04 2014, fgiunchedi wrote:
On Wed Dec 11 11:03:30 2013, mark wrote:
On Nov 21, 2013, at 5:52 AM, Faidon Liambotis via RT <ops-requests-comment at wikimedia> wrote:

re: entropy if that turns out to be still a problem we can use
something like haveged
FWIW: Here are some HW random number generators that may help with the entropy needs.
http://www.araneus.fi/products/alea2/en/
https://www.tindie.com/products/WaywardGeek/infinite-noise/
These are both relatively inexpensive.
Would that help make this deployable?
Cheers,
Joel
Change 239800 had a related patch set uploaded (by Faidon Liambotis):
mailman: enable TLS for lists.wikimedia.org
Change 239800 merged by Faidon Liambotis:
mailman: enable TLS for lists.wikimedia.org
Change 231973 abandoned by Ori.livneh:
Add simple haveged module; apply on fermium
Reason:
Not needed.