Tuesday, October 18, 2011

More STARTTLS support!

RFC 3207:
SMTP Service Extension for
Secure SMTP over Transport Layer Security

In a previous blog post entitled "STARTTLS support in Hotmail/Gmail", I requested that these services implement support for RFC 3207, in order to use automatic and transparent security at the "back side" of their services, when available. I doubt I'm the reason here, but Google now has support in place! (Hooray!)
The blog post referred to here also has a link to the survey conducted by my friend and colleague Jan Fredrik Leversund (@KluZz) and myself, regarding the use of STARTTLS across mailservers on the Internet. You can still find it here, although still only in Norwegian...

Proof #1: sending an e-mail from my work account to my Gmail account, then looking at the e-mail header of the mail received at Gmail:
Received: from Mail17.edb.com (mail17.edb.com. [])
        by mx.google.com with ESMTPS id r11si2077637bkd.114.2011.
        (version=TLSv1/SSLv3 cipher=OTHER);
        Tue, 18 Oct 2011 12:26:22 -0700 (PDT)

Proof #2: Replying from Gmail back to my work account:
Received: from mail-ww0-f44.google.com ([])  by Mail34.edb.com
 with ESMTP/TLS/RC4-SHA; 18 Oct 2011 21:29:53 +0200

*NICE*. Thanks Google!
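
The same check can be run over a whole message instead of reading the headers by eye. The Python below is an added example, not code from the original post: it reads each Received header and reports the TLS evidence that hop recorded, covering the RFC 3848 "with" keywords (ESMTPS and friends), the "/TLS/" notation seen from Mail34.edb.com and the "version=" comment seen from Gmail. The third hop (example.org/example.net) and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# The two Received headers quoted in the post (IP addresses were already blank
# there), followed by a CONSTRUCTED plaintext hop for comparison.
SAMPLE = """\
Received: from Mail17.edb.com (mail17.edb.com. [])
        by mx.google.com with ESMTPS id r11si2077637bkd.114.2011.
        (version=TLSv1/SSLv3 cipher=OTHER);
        Tue, 18 Oct 2011 12:26:22 -0700 (PDT)
Received: from mail-ww0-f44.google.com ([])  by Mail34.edb.com
 with ESMTP/TLS/RC4-SHA; 18 Oct 2011 21:29:53 +0200
Received: from relay.example.org ([192.0.2.10]) by mx.example.net
 with ESMTP id abc123; Tue, 18 Oct 2011 21:00:00 +0200
Subject: constructed test message

body
"""

def tls_evidence(received):
    """Return (receiving_host, tls_seen, evidence) for one Received value."""
    hop = " ".join(received.split())                 # unfold continuation lines
    by = re.search(r"\bby\s+([^\s;]+)", hop)
    proto = re.search(r"\bwith\s+([^\s;]+)", hop)
    version = re.search(r"\bversion=((?:TLS|SSL)[^\s;)]*)", hop)
    token = proto.group(1) if proto else ""
    evidence = []
    # RFC 3848 keywords: a trailing S (optionally followed by A) means TLS.
    if re.fullmatch(r"(ESMTP|LMTP)SA?", token, re.I):
        evidence.append("with " + token)
    # Vendor notation such as ESMTP/TLS/RC4-SHA.
    elif "/TLS" in token.upper():
        evidence.append("with " + token)
    if version:                                      # Gmail-style comment
        evidence.append("version=" + version.group(1))
    return (by.group(1) if by else None, bool(evidence), ", ".join(evidence))

def audit(raw_message):
    """Check every Received header of a raw RFC 5322 message, newest first."""
    msg = message_from_string(raw_message)
    return [tls_evidence(value) for value in msg.get_all("Received", [])]

if __name__ == "__main__":
    for host, tls, why in audit(SAMPLE):
        print(f"{host:18} {'TLS' if tls else 'no TLS evidence':16} {why}")
```

A Received line is only as trustworthy as the server that wrote it, so count only the hops added by mail servers you control or trust.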

Going further back in time, I've also pointed a finger at ISACA and Lyris Inc, recommending that they improve their security. I am happy to see that ISACA and Lyris now support the STARTTLS command through SMTP connections, which is proof of RFC 3207 support. While I was at it, I checked (ISC)2 and ASIS as well. Yup, they've got STARTTLS available as well. As a member of ISACA, (ISC)2 and ASIS, this makes me a little bit happier. Do as you preach.

Oh... and Microsoft, with their Hotmail service? Still no support for RFC 3207. Come on guys!

And now for Ivan Ristic at Qualys (SSLlabs); I've e-mailed you, look forward to any positive news you might have! :-)