
Re: Ubuntu Upgrade broke my TLS

  • Reindl Harald
    Message 1 of 16, Dec 12, 2012
      Am 13.12.2012 07:26, schrieb Stan Hoeppner:
      > On 12/12/2012 6:05 PM, Tony Nelson wrote:
      >
      >> I think it's in my best interest to get TLS operational again.
      >
      > So, you encrypt the transmission from the internal corporate groupware
      > server to the gateway server via a private network that you completely
      > control. But then you relay the same message over the public internet
      > in plain text.
      >
      > There seems to be a flaw in your logic, in your threat assessment. Your
      > stated posture makes it seem you are more worried about malicious packet
      > sniffing inside your perimeter than outside

      which is the reality in real life

      there is MUCH more danger that someone connects to your
      LAN than somebody is able to do the same at ISP level
    • Ned Slider
      Message 2 of 16, Dec 13, 2012
        On 13/12/12 06:26, Stan Hoeppner wrote:
        > On 12/12/2012 6:05 PM, Tony Nelson wrote:
        >
        >> I think it's in my best interest to get TLS operational again.
        >
        > So, you encrypt the transmission from the internal corporate groupware
        > server to the gateway server via a private network that you completely
        > control. But then you relay the same message over the public internet
        > in plain text.
        >

        TLS encrypts the whole connection including the authentication - maybe
        the OP is more concerned about passwords being sent in plain text than
        the contents of the actual email.

        > There seems to be a flaw in your logic, in your threat assessment. Your
        > stated posture makes it seem you are more worried about malicious packet
        > sniffing inside your perimeter than outside.
        >
      • Stan Hoeppner
        Message 3 of 16, Dec 13, 2012
          On 12/13/2012 1:51 AM, Reindl Harald wrote:
          >
          >
          > Am 13.12.2012 07:26, schrieb Stan Hoeppner:
          >> On 12/12/2012 6:05 PM, Tony Nelson wrote:
          >>
          >>> I think it's in my best interest to get TLS operational again.
          >>
          >> So, you encrypt the transmission from the internal corporate groupware
          >> server to the gateway server via a private network that you completely
          >> control. But then you relay the same message over the public internet
          >> in plain text.
          >>
          >> There seems to be a flaw in your logic, in your threat assessment. Your
          >> stated posture makes it seem you are more worried about malicious packet
          >> sniffing inside your perimeter than outside
          >
          > which is the reality in real life
          >
          > there is MUCH more danger that someone connects to your
          > LAN than somebody is able to do the same at ISP level

          In order to sniff the SMTP traffic from the Exchange server to the
          Postfix server, someone "on the LAN", as you put it, would first need to
          gain admin access to one of the switches or segment routers, then clone
          one of the two ports, then sniff the traffic. Or clone the traffic on
          an ISL, assuming the two servers are not on the same switch. In a well
          managed network with strong authentication on network devices, I find
          this scenario extremely unlikely.

          However, this is a tangential argument. The point of my post is that if
          one isn't doing TLS (opportunistic or full time) between the gateway and
          remote MX hosts, then using TLS between the Exchange server and gateway
          is irrelevant and unnecessary.

          --
          Stan
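Stan's point above, that TLS on the Exchange-to-gateway hop buys little if the gateway then relays to remote MX hosts in plain text, is something you can measure from the gateway's own logs rather than argue about. The script below is an added example, not code from this thread or from the Postfix project: it reads Postfix smtp client log lines in the format Postfix logs when `smtp_tls_loglevel = 1` (a real Postfix parameter), correlates each `status=sent` delivery with the most recent TLS handshake of the same smtp process, and reports per-relay counts of TLS versus plaintext deliveries. The log lines, hostnames, addresses and queue IDs are constructed for the example.

```python
"""Classify Postfix outbound deliveries as TLS or plaintext from the mail log.

Added example (not from the postfix-users thread). Assumes the Postfix 2.9
smtp client log format: with smtp_tls_loglevel = 1 each TLS session logs a
"<Anonymous|Untrusted|Trusted|Verified> TLS connection established to host[ip]:port"
line, and each delivery logs a "queueid: to=<...>, relay=host[ip]:port, ...
status=sent" line from the same smtp process (same pid in the brackets).
"""
import re
import sys
from collections import defaultdict

# Constructed sample log (not real traffic); hostnames and queue IDs are placeholders.
SAMPLE_LOG = """\
Dec 13 09:41:02 gw postfix/smtp[2314]: Untrusted TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Dec 13 09:41:03 gw postfix/smtp[2314]: 4F2A1B3C5D: to=<bob@example.net>, relay=mx1.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.8/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234)
Dec 13 09:42:10 gw postfix/smtp[2315]: 5A6B7C8D9E: to=<carol@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=2.0.0, status=sent (250 OK id=abcd)
Dec 13 09:43:00 gw postfix/smtp[2314]: Verified TLS connection established to exchange.corp.example[10.0.0.5]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
Dec 13 09:43:01 gw postfix/smtp[2314]: 6B7C8D9EAF: to=<dave@corp.example>, relay=exchange.corp.example[10.0.0.5]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 2.6.0 Queued mail for delivery)
Dec 13 09:44:15 gw postfix/smtp[2316]: 7C8D9EAFB0: to=<erin@example.com>, relay=mx.example.com[203.0.113.9]:25, delay=2.0, delays=0.1/0/1.5/0.4, dsn=2.0.0, status=sent (250 ok)
"""

# TLS handshake summary logged by the smtp client (pid, trust level, peer hostname).
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[]+)\["
)
# Successful delivery record from the same smtp client process.
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<host>[^\[]+)\[.*?status=sent"
)


def classify_deliveries(log_text):
    """Return one record per sent message: queue id, recipient, relay host and
    the TLS trust level of the session it went over (None = plaintext).

    Limitation: Postfix does not log when a session ends, so a delivery is
    attributed to the process's most recent TLS handshake only when the relay
    host matches; a plaintext delivery to another host clears that state."""
    last_tls = {}  # smtp pid -> (host, trust level) of its most recent TLS handshake
    results = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            last_tls[m["pid"]] = (m["host"], m["level"])
            continue
        m = SENT_RE.search(line)
        if not m:
            continue
        host, level = last_tls.get(m["pid"], (None, None))
        tls_level = level if host == m["host"] else None
        results.append({"qid": m["qid"], "rcpt": m["rcpt"], "relay": m["host"], "tls": tls_level})
        if tls_level is None:
            # Plaintext delivery: any earlier TLS session of this process is no longer current.
            last_tls.pop(m["pid"], None)
    return results


def summarize(results):
    """Per-relay counts of TLS and plaintext deliveries."""
    counts = defaultdict(lambda: {"tls": 0, "plain": 0})
    for r in results:
        counts[r["relay"]]["tls" if r["tls"] else "plain"] += 1
    return dict(counts)


def plaintext_share(results):
    """Fraction of deliveries that left the gateway without TLS."""
    if not results:
        return 0.0
    return sum(1 for r in results if r["tls"] is None) / len(results)


if __name__ == "__main__":
    # Usage: python tls_share.py /var/log/mail.log  (no argument: runs on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = classify_deliveries(text)
    for relay, c in sorted(summarize(recs).items()):
        print(f"{relay:30s} tls={c['tls']:4d} plain={c['plain']:4d}")
    print(f"plaintext share: {plaintext_share(recs):.0%}")
```

On the sample, half of the deliveries (the two to mx.example.org and mx.example.com) leave in plain text, which is exactly the gap Stan describes: the Exchange hop is "Verified TLS" while the public-internet hop is not. On a real gateway the fix for the outbound side is opportunistic TLS in the smtp client (`smtp_tls_security_level = may`); for Ned's concern about credentials, the Postfix server side can refuse to advertise AUTH until STARTTLS has completed (`smtpd_tls_auth_only = yes`). Both are real Postfix parameters; which of them the original poster's configuration used is not stated in the thread.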
        • Stan Hoeppner
          Message 4 of 16, Dec 13, 2012
            On 12/13/2012 5:01 AM, Ned Slider wrote:
            > On 13/12/12 06:26, Stan Hoeppner wrote:
            >> On 12/12/2012 6:05 PM, Tony Nelson wrote:
            >>
            >>> I think it's in my best interest to get TLS operational again.
            >>
            >> So, you encrypt the transmission from the internal corporate groupware
            >> server to the gateway server via a private network that you completely
            >> control. But then you relay the same message over the public internet
            >> in plain text.
            >>
            >
            > TLS encrypts the whole connection including the authentication - maybe
            > the OP is more concerned about passwords being sent in plain text than
            > the contents of the actual email.

            Interesting. How many passwords would potentially be exposed in this
            scenario Ned?

            --
            Stan
          • Benny Pedersen
            Message 5 of 16, Dec 13, 2012
              Tony Nelson skrev den 13-12-2012 02:04:

              > It appears that my upgrade didn't go so well. After running apt-get
              > update/upgrade I ended up upgrading some 250+ packages, including
              > Postfix. I now have 2.9.3-2~12.04.4 as you suggested and TLS has
              > started working again.

              thanks for using open source that is precompiled :=)

              with FreeBSD/Gentoo this problem would not exist
            • Tony Nelson
              Message 6 of 16, Dec 13, 2012
                Actually I have TLS working both internally and externally. The only problem I was experiencing that I could adequately describe to the list was internally to my Exchange servers. It was 100% repeatable. My theory was that if I resolved the internal problem, any other similar related problems would be fixed as well.

                Thank you again to everyone who helped me resolve my issue. Everything seems fine today.

                -Tony

                On Dec 13, 2012, at 1:27 AM, "Stan Hoeppner" <stan@...> wrote:

                > On 12/12/2012 6:05 PM, Tony Nelson wrote:
                >
                >> I think it's in my best interest to get TLS operational again.
                >
                > So, you encrypt the transmission from the internal corporate groupware
                > server to the gateway server via a private network that you completely
                > control. But then you relay the same message over the public internet
                > in plain text.
                >
                > There seems to be a flaw in your logic, in your threat assessment. Your
                > stated posture makes it seem you are more worried about malicious packet
                > sniffing inside your perimeter than outside.
                >
                > --
                > Stan
                >

              • Scott Kitterman
                Message 7 of 16, Dec 13, 2012
                  On Thursday, December 13, 2012 03:05:12 PM Benny Pedersen wrote:
                  > Tony Nelson skrev den 13-12-2012 02:04:
                  > > It appears that my upgrade didn't go so well. After running apt-get
                  > > update/upgrade I ended up upgrading some 250+ packages, including
                  > > Postfix. I now have 2.9.3-2~12.04.4 as you suggested and TLS has
                  > > started working again.
                  >
                  > thanks for using open source that is precompiled :=)
                  >
                  > with FreeBSD/Gentoo this problem would not exist

                  Thanks for spreading FUD about other FOSS projects. If the OP had left his
                  system in the default configuration and installed all available updates, the
                  problem would not have existed.

                  Being on FreeBSD or Gentoo wouldn't help if the system isn't kept up to date.

                  Scott K
                • Jerry
                  Message 8 of 16, Dec 13, 2012
                    On Thu, 13 Dec 2012 09:40:50 -0500
                    Scott Kitterman articulated:

                    > Being on FreeBSD or Gentoo wouldn't help if the system isn't kept up
                    > to date.

                    +1

                    --
                    Jerry ✌
                    postfix-user@...
                    _____________________________________________________________________
                    TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
                    TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
                  • Benny Pedersen
                    Message 9 of 16, Dec 13, 2012
                      Scott Kitterman skrev den 13-12-2012 15:40:

                      > Being on FreeBSD or Gentoo wouldn't help if the system isn't kept up
                      > to date.

                      same problem goes with Windows :)

                      I miss DS in junc.org; thanks to the org TLD I cannot secure DKIM :(
                    • Benny Pedersen
                      Message 10 of 16, Dec 13, 2012
                        Jerry skrev den 13-12-2012 17:24:

                        >> Being on FreeBSD or Gentoo wouldn't help if the system isn't kept up
                        >> to date.
                        > +1

                        +2, the point is the problem is less on the above 2