Re: Ubuntu Upgrade broke my TLS

  • Ned Slider
    Message 1 of 16, Dec 13, 2012
      On 13/12/12 06:26, Stan Hoeppner wrote:
      > On 12/12/2012 6:05 PM, Tony Nelson wrote:
      >
      >> I think it's in my best interest to get TLS operational again.
      >
      > So, you encrypt the transmission from the internal corporate groupware
      > server to the gateway server via a private network that you completely
      > control. But then you relay the same message over the public internet
      > in plain text.
      >

      TLS encrypts the whole connection including the authentication - maybe
      the OP is more concerned about passwords being sent in plain text than
      the contents of the actual email.

      > There seems to be a flaw in your logic, in your threat assessment. Your
      > stated posture makes it seem you are more worried about malicious packet
      > sniffing inside your perimeter than outside.
      >
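Ned's point above, that TLS covers the AUTH exchange and not only the message body, in working code. This is an added example, not code from any participant in the thread. It assumes a passive capture of an unencrypted submission session rendered as "C:"/"S:" lines; the hostnames, user name and password in the three transcripts are constructed, and the STARTTLS transcript is cut off where a real capture would turn into ciphertext.

```python
"""Show what a passive listener recovers from an unencrypted SMTP session.

Added example for this thread, not code from any participant. The three
session transcripts below are constructed (hostnames, user name and
password are made up); nothing is captured from a real network.
"""
import base64
from typing import List, Tuple


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


BANNER = [
    "S: 220 gateway.example.com ESMTP Postfix",
    "C: EHLO exch01.corp.example",
    "S: 250-gateway.example.com",
    "S: 250-STARTTLS",
    "S: 250-AUTH PLAIN LOGIN",
    "S: 250 8BITMIME",
]

# AUTH PLAIN sends base64(authzid NUL authcid NUL password) in one line.
PLAIN_SESSION = "\n".join(BANNER + [
    "C: AUTH PLAIN " + b64("\x00relay-user\x00hunter2"),
    "S: 235 2.7.0 Authentication successful",
])

# AUTH LOGIN sends base64(user) and base64(password) as separate replies.
LOGIN_SESSION = "\n".join(BANNER + [
    "C: AUTH LOGIN",
    "S: 334 " + b64("Username:"),
    "C: " + b64("relay-user"),
    "S: 334 " + b64("Password:"),
    "C: " + b64("hunter2"),
    "S: 235 2.7.0 Authentication successful",
])

# With STARTTLS negotiated first, the AUTH exchange (and the message) sit
# inside the TLS record layer; a capture shows only ciphertext after 220.
TLS_SESSION = "\n".join(BANNER + [
    "C: STARTTLS",
    "S: 220 2.0.0 Ready to start TLS",
    "<TLS handshake and encrypted application data>",
])


def recover_credentials(transcript: str) -> List[Tuple[str, str, str]]:
    """Return (mechanism, user, password) for every SMTP AUTH exchange that is
    visible in the clear. Parsing stops once the server accepts STARTTLS."""
    lines = [ln for ln in transcript.splitlines() if ln.strip()]
    creds: List[Tuple[str, str, str]] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line.startswith("C: "):
            i += 1
            continue
        cmd = line[3:]
        upper = cmd.upper()
        if upper == "STARTTLS" and i + 1 < len(lines) and lines[i + 1].startswith("S: 220"):
            break  # everything after this point is encrypted
        if upper.startswith("AUTH PLAIN"):
            parts = cmd.split(None, 2)
            if len(parts) == 3:
                blob = parts[2]
            else:
                # No initial response: the client sends the blob on its next line.
                i += 1
                while i < len(lines) and not lines[i].startswith("C: "):
                    i += 1
                blob = lines[i][3:] if i < len(lines) else ""
            fields = base64.b64decode(blob).decode("utf-8", "replace").split("\x00")
            if len(fields) == 3:
                creds.append(("PLAIN", fields[1], fields[2]))
        elif upper == "AUTH LOGIN":
            answers: List[str] = []
            while i + 1 < len(lines) and len(answers) < 2:
                i += 1
                if lines[i].startswith("C: "):
                    answers.append(base64.b64decode(lines[i][3:]).decode("utf-8", "replace"))
            if len(answers) == 2:
                creds.append(("LOGIN", answers[0], answers[1]))
        i += 1
    return creds


if __name__ == "__main__":
    for name, session in (("PLAIN", PLAIN_SESSION), ("LOGIN", LOGIN_SESSION), ("STARTTLS", TLS_SESSION)):
        print(name, "->", recover_credentials(session) or "nothing recoverable")
```

Base64 is an encoding, not a secret: both PLAIN and LOGIN hand the password to anyone who sees the bytes. Only the third transcript, where STARTTLS is negotiated before AUTH, yields nothing, which is the property Ned is pointing at.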
    • Stan Hoeppner
      Message 2 of 16, Dec 13, 2012
        On 12/13/2012 1:51 AM, Reindl Harald wrote:
        >
        >
        > On 13.12.2012 07:26, Stan Hoeppner wrote:
        >> On 12/12/2012 6:05 PM, Tony Nelson wrote:
        >>
        >>> I think it's in my best interest to get TLS operational again.
        >>
        >> So, you encrypt the transmission from the internal corporate groupware
        >> server to the gateway server via a private network that you completely
        >> control. But then you relay the same message over the public internet
        >> in plain text.
        >>
        >> There seems to be a flaw in your logic, in your threat assessment. Your
        >> stated posture makes it seem you are more worried about malicious packet
        >> sniffing inside your perimeter than outside
        >
        > which is reality in the real life
        >
        > there is MUCH more danger that someone connects to your
        > LAN than somebody is able to do the same at ISP level

        In order to sniff the SMTP traffic from the Exchange server to the
        Postfix server, someone "on the LAN", as you put it, would first need to
        gain admin access to one of the switches or segment routers, then clone
        one of the two ports, then sniff the traffic. Or clone the traffic on
        an ISL, assuming the two servers are not on the same switch. In a well
        managed network with strong authentication on network devices, I find
        this scenario extremely unlikely.

        However, this is a tangential argument. The point of my post is that if
        one isn't doing TLS (opportunistic or full time) between the gateway and
        remote MX hosts, then using TLS between the Exchange server and gateway
        is irrelevant and unnecessary.

        --
        Stan
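The two halves of the thread so far, credentials on the inbound leg (Ned) and plaintext relay on the outbound leg (Stan), both come down to a handful of Postfix parameters. The checker below is an added example, not Postfix code and not posted by anyone in the thread; it parses a constructed main.cf (the sample and hardened variants are made up for illustration) and reports the global settings a reviewer would look at first. It only reads the global parameters; per-destination overrides in smtp_tls_policy_maps are not evaluated.

```python
"""Audit the TLS-related settings in a Postfix main.cf.

Added example for this thread; it is not Postfix code and was not posted by
any participant. The sample main.cf below is constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed sample: a gateway that offers STARTTLS to the internal
# Exchange server but relays to the Internet in the clear, and that lets
# clients authenticate before STARTTLS.
SAMPLE_MAIN_CF = """\
# main.cf (constructed example, not any real site's configuration)
myhostname = gateway.example.com
relayhost =
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_security_level = none
smtp_tls_policy_maps =
    hash:/etc/postfix/tls_policy
"""

# Same gateway with the two settings a reviewer would change first.
HARDENED_MAIN_CF = SAMPLE_MAIN_CF.replace(
    "smtpd_tls_auth_only = no", "smtpd_tls_auth_only = yes"
).replace("smtp_tls_security_level = none", "smtp_tls_security_level = may")


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse main.cf syntax: 'name = value' lines, '#' comment lines, and
    continuation lines that begin with whitespace (Postfix joins those to
    the preceding value). Later assignments override earlier ones."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def audit_tls(params: Dict[str, str]) -> List[str]:
    """Return one finding per weak global TLS setting. Per-destination
    overrides in smtp_tls_policy_maps are not evaluated here."""
    def get(name: str, default: str) -> str:
        return params.get(name, default).strip().lower()

    findings: List[str] = []

    # Inbound (smtpd): can the Exchange server use STARTTLS at all, and can
    # a client hand over SASL credentials before the session is encrypted?
    if get("smtpd_tls_security_level", "none") == "none":
        findings.append("smtpd_tls_security_level=none: inbound clients cannot use STARTTLS at all")
    if get("smtpd_sasl_auth_enable", "no") == "yes" and get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("smtpd_tls_auth_only is not 'yes': SMTP AUTH credentials are accepted over plaintext")

    # Outbound (smtp): what happens to the same message on its way to remote MX hosts?
    outbound = get("smtp_tls_security_level", "none")
    if outbound == "none":
        findings.append("smtp_tls_security_level=none: outbound mail is relayed to remote MX hosts in plaintext")
    elif outbound == "may":
        findings.append("smtp_tls_security_level=may: outbound TLS is opportunistic only, "
                        "with no certificate verification and a plaintext fallback")
    return findings


def audit_text(text: str) -> List[str]:
    return audit_tls(parse_main_cf(text))


if __name__ == "__main__":
    for label, cf in (("sample", SAMPLE_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"== {label} ==")
        for finding in audit_text(cf) or ["no findings"]:
            print("  -", finding)
```

The hardened variant still gets one finding: "may" on the outbound side is exactly the opportunistic TLS Stan mentions, which stops passive sniffing but not an active attacker who strips STARTTLS. Moving individual destinations to encrypt, verify or secure in smtp_tls_policy_maps is the next step, and this script does not check that.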
      • Stan Hoeppner
        Message 3 of 16, Dec 13, 2012
          On 12/13/2012 5:01 AM, Ned Slider wrote:
          > On 13/12/12 06:26, Stan Hoeppner wrote:
          >> On 12/12/2012 6:05 PM, Tony Nelson wrote:
          >>
          >>> I think it's in my best interest to get TLS operational again.
          >>
          >> So, you encrypt the transmission from the internal corporate groupware
          >> server to the gateway server via a private network that you completely
          >> control. But then you relay the same message over the public internet
          >> in plain text.
          >>
          >
          > TLS encrypts the whole connection including the authentication - maybe
          > the OP is more concerned about passwords being sent in plain text than
          > the contents of the actual email.

          Interesting. How many passwords would potentially be exposed in this
          scenario Ned?

          --
          Stan
        • Benny Pedersen
          Message 4 of 16, Dec 13, 2012
            Tony Nelson wrote on 13-12-2012 02:04:

            > It appears that my upgrade didn't go so well. After running apt-get
            > update/upgrade I ended up upgrading some 250+ packages, including
            > Postfix. I now have 2.9.3-2~12.04.4 as you suggested and TLS has
            > started working again.

            Thanks for using open source that is precompiled :=)

            With FreeBSD/Gentoo this problem would not exist.
          • Tony Nelson
            Message 5 of 16, Dec 13, 2012
              Actually I have TLS working both internally and externally. The only problem I was experiencing that I could adequately describe to the list was internally, to my Exchange servers. It was 100% repeatable. My theory was that if I resolved the internal problem, any other similar related problems would be fixed as well.

              Thank you again to everyone who helped me resolve my issue. Everything seems fine today.

              -Tony

              On Dec 13, 2012, at 1:27 AM, "Stan Hoeppner" <stan@...> wrote:

              > On 12/12/2012 6:05 PM, Tony Nelson wrote:
              >
              >> I think it's in my best interest to get TLS operational again.
              >
              > So, you encrypt the transmission from the internal corporate groupware
              > server to the gateway server via a private network that you completely
              > control. But then you relay the same message over the public internet
              > in plain text.
              >
              > There seems to be a flaw in your logic, in your threat assessment. Your
              > stated posture makes it seem you are more worried about malicious packet
              > sniffing inside your perimeter than outside.
              >
              > --
              > Stan
              >

            • Scott Kitterman
              Message 6 of 16, Dec 13, 2012
                On Thursday, December 13, 2012 03:05:12 PM Benny Pedersen wrote:
                > Tony Nelson wrote on 13-12-2012 02:04:
                > > It appears that my upgrade didn't go so well. After running apt-get
                > > update/upgrade I ended up upgrading some 250+ packages, including
                > > Postfix. I now have 2.9.3-2~12.04.4 as you suggested and TLS has
                > > started working again.
                >
                > Thanks for using open source that is precompiled :=)
                >
                > With FreeBSD/Gentoo this problem would not exist.

                Thanks for spreading FUD about other FOSS projects. If the OP had left his
                system in the default configuration and installed all available updates, the
                problem would not have existed.

                Being on FreeBSD or Gentoo wouldn't help if the system isn't kept up to date.

                Scott K
              • Jerry
                Message 7 of 16, Dec 13, 2012
                  On Thu, 13 Dec 2012 09:40:50 -0500
                  Scott Kitterman articulated:

                  > Being on FreeBSD or Gentoo wouldn't help if the system isn't kept up
                  > to date.

                  +1

                  --
                  Jerry ✌
                  postfix-user@...
                  _____________________________________________________________________
                  TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
                  TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
                • Benny Pedersen
                  Message 8 of 16, Dec 13, 2012
                    Scott Kitterman wrote on 13-12-2012 15:40:

                    > Being on FreeBSD or Gentoo wouldn't help if the system isn't kept up
                    > to date.

                    Same problem goes with Windows :)

                    I miss a DS for junc.org; thanks to the .org TLD I can not secure DKIM :(
                  • Benny Pedersen
                    Message 9 of 16, Dec 13, 2012
                      Jerry wrote on 13-12-2012 17:24:

                      >> Being on FreeBSD or Gentoo wouldn't help if the system isn't kept up
                      >> to date.
                      > +1

                      +2, the point is that the problem is less on the above 2.