
Enable STARTTLS (both inbound and outbound) on lists
Closed, ResolvedPublic

Description

lists should offer STARTTLS encryption on inbound mail and negotiate TLS on outbound mail as well.


Event Timeline

rtimport raised the priority of this task from to Medium.Dec 18 2014, 1:37 AM
rtimport set Reference to rt5075.

AdminCc thehelpfulone added by thehelpfulone

AdminCc jeremyb added by jeremyb

Add mark to CC. Should also test mchenry, etc. too.

Status changed from 'new' to 'open' by RT_System

Subject changed from 'Fwd: Potential security issue with mail from lists.wikimedia.org' to 'enable STARTTLS (both inbound and outbound) on sodium MTA' by jeremyb

The problem in the past was that this would use up (starve) all random entropy
because of the many deliveries, and then block. But with newer hardware and
potentially hw RNGs, the situation may be better now. We can test it again.
--
Mark Bergsma <mark at wikimedia>
Lead Operations Architect
Wikimedia Foundation

wooster wrote:

Hi Maggie,
I will get the discussion going on this with the team. It is a 'nice to
have' feature to enable (IMHO) and would need some work on our side.
Thanks,
CT
On Fri, May 10, 2013 at 10:19 AM, Wikimedia Answers
<answers at wikimedia>

Hello, CT. :)

I'm told that I should send this to you - can you help this gentleman or
tell me to whom I should refer him instead?

Maggie

---------- Forwarded message ----------

From: Rich Wales <richw at richw>
To: <answers at wikimedia>

Hi. I sent a message about the following issue to *
<postmaster at wikimedia> (Postfix) with ESMTP id A4BE717403E0
for <richw at richw> <richw at richw>; Thu, 2 May 2013 11:53:45 -0700 (PDT)

It also appears that *lists.wikimedia.org* does not offer STARTTLS to
SMTP clients. I tried connecting to it just now, and here is what I saw;
note that the list of capabilities in the EHLO response does not mention
STARTTLS:

220 sodium.wikimedia.org ESMTP Exim 4.71 Thu, 02 May 2013 19:04:00 +0000
ehlo pigeon.richw.org
250-sodium.wikimedia.org Hello whodunit.stanford.edu [68.65.164.12]
250-SIZE 52428800
250-PIPELINING
250 HELP
quit
221 sodium.wikimedia.org closing connection

I realize you can't fully control the security of other hosts which send
mail to, or receive mail from, your server. However, it seems to me that
enabling STARTTLS on *lists.wikimedia.org* (both in its SMTP server and
its SMTP client code) would be a step in the right direction.

Any thoughts on this?
~~
*Rich Wales* (Richwales http://en.wikipedia.org/wiki/User:Richwales) *--
no relation to Jimbo*

This already was in RT via dzahn via postmaster@. (same user reported
it) Merging.

Status changed from 'new' to 'open' by RT_System

Merged into ticket #5075 by jeremyb

<mdennis at wikimedia> wrote:

Thank you both. :)
I'll let the correspondent know that it's being looked at.
Maggie
On Sun, May 12, 2013 at 9:50 AM, Jeremy Baron via RT <ops-requests at wikimedia> wrote:

This already was in RT via dzahn via postmaster@. (same user reported
it) Merging.

--
Maggie Dennis
Senior Community Advocate
Wikimedia Foundation, Inc.

ksnider wrote:

Mark / Faidon,
Any chance we could consider this as part of the mail migration?
Thanks.
--Ken.

On Thu, Nov 21, 2013 at 04:45:45AM +0000, Ken Snider via RT wrote:

Any chance we could consider this as part of the mail migration?

Yup, it's already in the TODO.
Note that the actual security benefit of this is very disputable. No one
checks for certificate signatures and rejects, ever. There is no known
equivalent to browser CAs for mail certificates. At Debian we even do
DANE, no one checks that either :)
I assume this came from EFF's matrix. They know that no one does
validation as well and are discussing ways to fix this. I'm not very
optimistic.
Regards,
Faidon

On Nov 21, 2013, at 5:52 AM, Faidon Liambotis via RT <ops-requests-comment at wikimedia>

we had this enabled once upon a time, but the list server kept running out of random entropy. Since it wasn't all that useful and I had no time to deal with it, I just disabled it at the time.
I'm not at all against having this reenabled, just be aware that this can be an issue.
--
Mark Bergsma <mark at wikimedia>
Lead Operations Architect
Wikimedia Foundation

On Wed Dec 11 11:03:30 2013, mark wrote:

On Nov 21, 2013, at 5:52 AM, Faidon Liambotis via RT <ops-requests-comment at wikimedia>
we had this enabled once upon a time, but the list server kept
running out of random entropy. Since it wasn't all that useful and I
had no time to deal with it, I just disabled it at the time.

I'm not at all against having this reenabled, just be aware that this
can be an issue.

FWIW I think that despite no cert validation we still want to encrypt smtp
traffic (we could audit certificate fingerprints, if anything)
re: entropy if that turns out to be still a problem we can use something like
haveged
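Two checks from this thread, as an added example that is not part of the task or of the Wikimedia puppet code: parsing an EHLO reply (the capture from Rich Wales above is embedded as constructed sample input) to see whether STARTTLS is advertised, and, for fgiunchedi's suggestion of auditing certificate fingerprints instead of validating, recording the peer certificate's SHA-256 fingerprint over a live STARTTLS session. The host name `probe.example.invalid` used in EHLO is a placeholder.

```python
"""Detect whether an MTA offers STARTTLS and record its cert fingerprint.
Added example; not code from the task or from Wikimedia's configuration."""
import hashlib
import smtplib
import ssl

# EHLO reply quoted in the task (sodium, May 2013), constructed here as
# offline sample input. Note the absence of a STARTTLS line.
SAMPLE_EHLO_REPLY = (
    "250-sodium.wikimedia.org Hello whodunit.stanford.edu [68.65.164.12]\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_extensions(reply: str) -> dict:
    """Map ESMTP extension keyword -> parameters from a raw EHLO reply.

    Per RFC 5321 the first 250 line is the greeting; every later line is
    '250-' (more follow) or '250 ' (last) plus a keyword and parameters.
    Keywords are case-insensitive, so they are normalised to upper case."""
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    exts = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        body = line[4:].split(None, 1)
        if body:
            exts[body[0].upper()] = body[1] if len(body) > 1 else ""
    return exts


def offers_starttls(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo_extensions(reply)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint as colon-separated hex, the usual form for pinning."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0):
    """Live check (needs network): returns (starttls_offered, fingerprint).
    Verification is off, as the thread notes MTAs rarely validate; the
    fingerprint is returned so it can be audited against a known-good list."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example.invalid")  # placeholder client name
        if not smtp.has_extn("starttls"):
            return False, None
        smtp.starttls(context=ctx)
        return True, cert_fingerprint(smtp.sock.getpeercert(binary_form=True))
```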

On Tue Sep 16 11:22:04 2014, fgiunchedi wrote:

On Wed Dec 11 11:03:30 2013, mark wrote:

On Nov 21, 2013, at 5:52 AM, Faidon Liambotis via RT <ops-requests-comment at wikimedia>

re: entropy if that turns out to be still a problem we can use
something like
haveged

mark removed mark as the assignee of this task.Dec 18 2014, 12:15 PM
mark edited projects, added ops-core; removed ops-requests, acl*sre-team.
mark set Security to None.
mark merged a task: Restricted Task.

FWIW: Here are some HW random number generators that may help with the entropy needs.

http://www.araneus.fi/products/alea2/en/
https://www.tindie.com/products/WaywardGeek/infinite-noise/

These are both relatively inexpensive.

Would that help make this deployable?

Cheers,

Joel

faidon renamed this task from enable STARTTLS (both inbound and outbound) on sodium MTA to Enable STARTTLS (both inbound and outbound) on lists.Sep 16 2015, 11:39 AM
faidon updated the task description. (Show Details)
faidon changed the visibility from "WMF-NDA (Project)" to "Public (No Login Required)".
faidon changed the edit policy from "WMF-NDA (Project)" to "All Users".
faidon removed a subscriber: Gage.

This is now unblocked since mailman has been migrated.

Change 239800 had a related patch set uploaded (by Faidon Liambotis):
mailman: enable TLS for lists.wikimedia.org

https://gerrit.wikimedia.org/r/239800

Change 239800 merged by Faidon Liambotis:
mailman: enable TLS for lists.wikimedia.org

https://gerrit.wikimedia.org/r/239800

faidon claimed this task.
faidon raised the priority of this task from Medium to High.
faidon removed a project: Patch-For-Review.

This should be done now.

Change 231973 abandoned by Ori.livneh:
Add simple haveged module; apply on fermium

Reason:
Not needed.

https://gerrit.wikimedia.org/r/231973