undefined | Better HN

0 pointsUnrealIncident7y ago0 comments

I assume the problem is that most domains don't have DNSSEC. So if you can MITM the SMTP stream you can MITM the DNS request.

0 comments

cm21877y ago

Agree and I am not saying it’s good. Just saying that you pulled the MX domain you are connecting to from an unsecure DNS entry so if DNS is mitm-ed, the attacker might as well make you submit the email to its own server then deliver it to the recipient.

[edit] actually looking at the RFC it relies on a TXT record before the https policy is even fetched.

vbezhenar7y ago

You're requesting https://<domain>/.well-known/mta-sts.txt. If you've got that info, then A dns record was correct and you must use STARTTLS on MX record. Even if attacker replaced MX record, he can't MITM TLS session, so connection is safe. I think that it's pretty secure setup. But yes, so much hoops instead of deploying dnssec everywhere, it's a shame. DNS is hierarchical and it's very natural to use cryptography there.

flashmob7y ago

Perhaps fixing STARTTLS is one of those problems where the solution adds even more problems (and moving parts).

BTW, what ever happened to SMTP on a dedicated TLS port (465)? Why did it get deprecated?

2 more replies

cm21877y ago

But if you can mitm the DNS query you can suppress the MTA DNS record and/or point the MX to your own servers.

j / k navigate · click thread line to collapse

0 comments

cm21877y ago

[edit] actually looking at the RFC it relies on a TXT record before the https policy is even fetched.

vbezhenar7y ago

flashmob7y ago

Perhaps fixing STARTTLS is one of those problems where the solution adds even more problems (and moving parts).

BTW, what ever happened to SMTP on a dedicated TLS port (465)? Why did it get deprecated?

2 more replies

cm21877y ago

But if you can mitm the DNS query you can suppress the MTA DNS record and/or point the MX to your own servers.

j / k navigate · click thread line to collapse