[Cialug] Email host evaluation

Pixie pix at kepibu.org
Fri Jul 1 17:44:02 CDT 2016


On 2016.07.01 17:07, Claus Niesen wrote:
> I'm wondering about Gandi's outbound SMTP server being on the CASA CBL,
> CASA CBLESS, CASA CBLPLUS, and SORBS SPAM blacklists.  The first few
> are Chinese-maintained lists so I doubt they are used by craigslist,
> but I guess the last one could be.  Tuffmail isn't on any of them.

I wouldn't consider a SORBS listing a dealbreaker.  They also have a
habit of listing Google and other large mail providers.  Which, sure,
some spam gets out of any large outfit, but that's not really helpful.
Their effect will be accordingly reduced for any mail operator that both
uses them and pays attention to their mail stream.


> Security issues like the SSLv2 one are slowly corrected but Tuffmail
> seems to be always behind.  Although, because of that they didn't get
> hit with the heartbleed issue. Their current rating is still below
> par: https://www.ssllabs.com/ssltest/analyze.html?d=mail.mxes.net
> 
> Do surface checks like this SSL analyzer really allow one to get a good
> picture of an email provider?  What are your thoughts on Tuffmail and
> the way Gandi is handling things?

That doesn't really tell you much.  For one thing, that server appears
to be talking IMAPS over 443 (SSL labs doesn't check anything other than
443).  But mostly, remember: encryption over SMTP is optional and
best-effort.  Mail servers don't, and generally can't, validate
certificates--many SMTP server certs are self-signed, or signed by
organization-internal CAs.  And if a server cannot connect using TLS,
they will by design fall back to plaintext transmission--so refusing to
use a weak cipher would just result in unencrypted transmission, not no
mail.

Now, one would hope the IMAP/POP3 side would be a little better, but
MUAs are pretty universally terrible and don't get nearly as much love
as browsers, so it's not very surprising that they'd need to support
much older and less-secure configurations.  I would hope SSL3 could be
retired by now, but maybe they've still got people using an old version
of Eudora or something.

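The best-effort SMTP behaviour Pixie describes above, as an added example that is not code from the list post: a small model of an MTA's STARTTLS decision, using constructed EHLO replies and a stand-in server object instead of a live connection, plus an assumed strict mode to contrast with the usual plaintext fallback.

```python
from dataclasses import dataclass


@dataclass
class FakeServer:
    """Stand-in for a remote MTA (constructed, no network involved)."""
    ehlo: str                            # raw multi-line 250 reply to EHLO
    ciphers: frozenset = frozenset()     # cipher suites it will negotiate
    cert_verifies: bool = False          # self-signed / internal CA => False


def ehlo_keywords(ehlo_text: str) -> set:
    """Extract extension keywords from a '250-...' EHLO reply (RFC 5321)."""
    keys = set()
    for line in ehlo_text.splitlines()[1:]:   # first line is the greeting
        body = line[4:]                        # strip '250-' or '250 '
        if body:
            keys.add(body.split()[0].upper())
    return keys


def deliver(server: FakeServer, allowed_ciphers: frozenset,
            require_verified_tls: bool = False) -> str:
    """Return how mail would be sent to `server`.

    Default (opportunistic) mode mirrors a typical MTA: try STARTTLS if
    advertised, accept any certificate, and fall back to plaintext when
    TLS is not offered or the handshake fails.  The strict mode is an
    assumed alternative that refuses delivery instead of falling back.
    """
    fallback = "refused" if require_verified_tls else "plaintext"
    if "STARTTLS" not in ehlo_keywords(server.ehlo):
        return fallback                        # no TLS offered at all
    if not (server.ciphers & allowed_ciphers):
        return fallback                        # handshake fails
    if server.cert_verifies:
        return "tls-verified"
    return "refused" if require_verified_tls else "tls-unverified"


# Constructed sample inputs.
EHLO_WITH_TLS = ("250-mx.example.net Hello\n250-SIZE 10240000\n"
                 "250-STARTTLS\n250 8BITMIME")
EHLO_NO_TLS = "250-mx.example.net Hello\n250 8BITMIME"
MODERN = frozenset({"ECDHE-RSA-AES128-GCM-SHA256"})
LEGACY = frozenset({"RC4-SHA"})

# A server offering only a weak cipher: a sender that refuses RC4 ends up
# sending in plaintext, not sending no mail, which is the point above.
weak_server = FakeServer(EHLO_WITH_TLS, LEGACY, cert_verifies=False)
```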