Is MiaB supporting/using starttls everywhere?


#1

Hi, just saw this yesterday and wondered whether MiaB made made some of the implmentations of not.


#2

SMTP is the only protocol here that does STARTTLS (Port 587). IMAP also uses SSL on 993.


#3

I think you missed what was meant here. This is about the STARTTLS Everywhere initiative. It’s like HSTS for SMTP, with a preload list of domains so you don’t have to rely on TOFU and can resist potential downgrade attacks.


#4

I guess what I would like to know is as someone running MiaB who cares about encryption, is there anything I need to do to make my service better?


#5

If you have followed the MIAB guides and implemented the recommendations correctly you will have secure email service, that correctly implements every protocol it supports. This is another defence in depth and one I am willing to consider but I will need to study it carefully before I register my own mail servers.


#6

STARTTLS Everywhere consists of 2 parts registering your domain with their list, so other servers can be notified that you use STARTTLS and applying their Policy List to your mail server. If you want to set it up follow the steps here https://www.starttls-everywhere.org/policy-list/, MIAB uses Postfix so you maybe able to use their Python package.

I would look at their github, https://github.com/EFForg/starttls-everywhere, it doesn’t sound ready for production use if you care about that.


closed #7

This topic was automatically closed after 61 days. New replies are no longer allowed.