STARTTLS Everywhere

Similar to Let's Encrypt, the project that hands out free TLS certificates for web servers along with tools to auto-renew them, STARTTLS Everywhere is building tools to make it easier to configure your mail server to encrypt mail in transit, and to do so with properly signed certificates.

What I only just realized is that it's pretty easy to use Let's Encrypt certs as SMTP TLS certs, if you have already been using self-signed certs: you just need to add your MX hostname (the name your MX record points at, which is the name a verifying peer compares against the certificate) to the list of names in the cert, and point Postfix at that cert and key for both the server side and the client side:

smtpd_tls_cert_file = /etc/letsencrypt/live/
smtpd_tls_key_file = /etc/letsencrypt/live/
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
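The one thing that trips people up here is which names have to be in the cert. A peer that bothers to verify the server cert checks the MX hostname it connected to against the certificate's subjectAltName entries, so a web cert for the bare domain and www does nothing for mx1 and mx2. Here is an added example (not code from this post or from STARTTLS Everywhere) that matches MX hostnames against a SAN list the way verifying clients do, including the wildcard rules, reports which MX hosts are uncovered, and builds the certbot command to reissue the cert with those names added. The hostnames and SAN lists are constructed sample data, and the webroot path and the use of the webroot plugin are assumptions.

```python
"""Which names does the mail server's certificate need?

Added example, not code from the original post or from STARTTLS Everywhere.
A peer that verifies the SMTP server certificate compares the MX hostname it
connected to against the certificate's subjectAltName entries, so the cert
needs to carry every MX hostname, not just the mail domain.  The hostnames
and SAN lists below are constructed sample data; the webroot path is an
assumption.
"""


def name_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName against a hostname the way verifying clients do:
    case-insensitive, exact match, or a wildcard that is the whole leftmost
    label ("*.example.com") standing in for exactly one label.  A wildcard
    does not cover the bare domain and does not span a dot."""
    pattern = pattern.rstrip(".").lower()
    host = host.rstrip(".").lower()
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    suffix = pattern[1:]                  # ".example.com"
    if not host.endswith(suffix):
        return False
    head = host[:-len(suffix)]            # the label the '*' must cover
    return bool(head) and "." not in head


def uncovered(mx_hosts, san_names):
    """MX hostnames that no SAN entry matches.  A verifying peer rejects
    these even though the certificate is CA-signed."""
    return [h for h in mx_hosts
            if not any(name_matches(p, h) for p in san_names)]


def certbot_domains(existing_sans, mx_hosts):
    """Name list for the reissued cert.  A cert issued with -d names contains
    exactly those names, so keep every name already on the web cert and
    append the MX hostnames it does not cover."""
    names = list(dict.fromkeys(existing_sans))    # dedupe, keep order
    for h in uncovered(mx_hosts, existing_sans):
        if h not in names:
            names.append(h)
    return names


def certbot_command(names, webroot="/var/www/html"):
    """argv for reissuing the cert with the webroot plugin (an assumption)
    plus a deploy hook: Postfix reads the cert and key at startup and keeps
    serving the old one after certbot renews until it is reloaded."""
    argv = ["certbot", "certonly", "--webroot", "-w", webroot,
            "--deploy-hook", "systemctl reload postfix"]
    for n in names:
        argv += ["-d", n]
    return argv


if __name__ == "__main__":
    web_cert_sans = ["example.com", "www.example.com"]   # constructed
    mx_hosts = ["mx1.example.com", "mx2.example.com"]    # constructed
    print("not covered:", uncovered(mx_hosts, web_cert_sans))
    print(" ".join(certbot_command(certbot_domains(web_cert_sans, mx_hosts))))
```

Two things worth checking after the reissue. Postfix needs the file that carries the intermediate chain, not just the leaf, or verifying peers will see an incomplete chain; and smtpd_tls_security_level should stay at "may", since the goal is opportunistic encryption and a "encrypt" setting would bounce mail from peers that never offer STARTTLS. To confirm from outside that the right names are being served, run openssl s_client -starttls smtp -connect mx1.example.com:25 -servername mx1.example.com -verify_hostname mx1.example.com and look for "Verify return code: 0 (ok)"; anything else tells you exactly what failed, which is more than the tester mentioned below will do.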

They have a page that tests your server, but it's terrible, don't bother. If it detects a single problem it just says "Nope!" without telling you what the problem is. A better tester is at which will actually tell you what it thinks went wrong.

Wow, Everything's So Messed Up. How Is STARTTLS Everywhere Going to Help?

We have three primary goals for STARTTLS Everywhere:

Improve STARTTLS adoption.
We want to make it easy to deploy STARTTLS with valid certificates on mailservers. We're developing Certbot plugins for popular MTA software, starting with Postfix, to make this a reality. [...]

Prevent STARTTLS downgrade attacks.
In order to detect downgrade attacks, we're hosting a policy list of mailservers that we know support STARTTLS. This list acts essentially as a preload list of MTA-STS security policies. [...]

Lower the barriers to entry for running a secure mailserver.
Email was designed as a federated and decentralized communication protocol. Since then, the ecosystem has centralized dramatically, and it has become exponentially more difficult to run your own mailserver. The complexity of running an email service is compounded by the anti-spam arms race that small mail operators are thrust into. At the very least, we'd like to lower the barriers to entry for running a functional, secure mailserver.

Yeah, see, that last part is the kicker. Only crazy people like me run their own mail server, because Google has managed to almost completely de-federate the world's email infrastructure. "Google has most of my email because it has all of yours".

Why would anyone run their own mail server?

"As an act of defiance against the Google hegemony" is probably not a selling point that resonates with very many people.

Nor is, "I really enjoy reading my logs and seeing Error 421: To protect our users from spam, mail sent from your IP address has been temporarily rate limited."

So, you know, maybe some day everyone who still runs their own email server will have certificates installed, and maybe enough of those certificates will be signed by a CA that validating the cert before exchanging mail might be a practical thing to do. But it's more likely that by then, email will have been killed as a concept. All it would take would be for Google to decide, "Fuck it, we're just not going to federate with anyone any more."

You know, like they did with GChat, single-handedly killing Jabber / XMPP.

They don't quite have the market share on the email side to get away with that right now, but maybe they will someday. But even today, they could probably get away with saying "We're no longer accepting SMTP connections, period": they'd just have to bully Outlook, Yahoo and iCloud into peering in some new way that locks everyone else out. They'd do this under the guise of "solving spam", which it wouldn't.

In summary, everything is terrible.


"The pigs do not give me any attention at all, and they start to passionately mate next to the sewer."

Filip Jandourek: At Buriangy Beach:

"It came to me as a scene from the apocalyptic film when I was in the suburbs of Dhaka called Ashulia earlier this year, one of the most polluted industrial sites in Bangladesh, and I stepped out of a local bus without bumpers and blinkers made of different pieces of metal the local wizards welded to the chassis of a retired truck, haunted by a long way to shooting at the shore of Buriganga, and in Ashulia it is a black sink with floating plastic bottles, where sewerage flows out of the city as well as hectoliters of solvents and other chemicals from nearby factories. One of the many landfills, when a breathtaking view of the screaming of the wild pigs that grazed in the garbage from the city showed up, good pigs, everything was splashed, but there was nothing else in Bangladesh, the hairy, sharp ridges emerging from the thick sticky smog, the stinks scatter the smell they learn a mixture of garbage and prove they are truly omnivores. It is hard to say if they smell more pigs, an endless garbage dump or an upper sewer. Hamsters with the sticks and the necessary cigarette on their lips to indulge in anything other than promised mud, filled with plastic bottles, rotting remnants of tanneries and carpets. Kulisu consists of factory chimneys, earth heaps and straw. Animals and people live close to each other. I lit a cigarette, but the smell does not need it. The pigs do not give me any attention at all, and they start to passionately mate next to the sewer. I began to take pictures and realized that it was an image that to a great extent accurately describes this polluted and overcrowded land."
