Tuesday, October 18, 2011

More STARTTLS support!


RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security

In a previous blog post entitled "STARTTLS support in Hotmail/Gmail", I asked these services to implement support for RFC 3207, in order to use automatic and transparent security at the "back side" of their services, when available. I doubt I'm the reason here, but Google now has support in place! (Hooray!)
The blog post referred to here also has a link to the survey conducted by my friend and colleague Jan Fredrik Leversund (@KluZz) and myself, regarding the use of STARTTLS across mailservers on the Internet. You can still find it here, although still only in Norwegian...

Proof #1: sending an e-mail from my work account to my Gmail account, then looking at the e-mail header of the mail received at Gmail:
Received: from Mail17.edb.com (mail17.edb.com. [212.18.128.233])
        by mx.google.com with ESMTPS id r11si2077637bkd.114.2011.10.18.12.26.22
        (version=TLSv1/SSLv3 cipher=OTHER);
        Tue, 18 Oct 2011 12:26:22 -0700 (PDT)

Proof #2: Replying from Gmail back to my work account:
Received: from mail-ww0-f44.google.com ([74.125.82.44])  by Mail34.edb.com
 with ESMTP/TLS/RC4-SHA; 18 Oct 2011 21:29:53 +0200

*NICE*. Thanks Google!
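The same check done by eye on the two headers above can be scripted. This is an added example, not part of the original post: it walks every Received header of a message and reports whether the receiving hop recorded TLS. The function name, the third (plaintext) hop and the message wrapper are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the first two Received headers are the ones quoted in the
# post (combined into one message here); the third hop, Subject and body are made up.
SAMPLE = """\
Received: from Mail17.edb.com (mail17.edb.com. [212.18.128.233])
        by mx.google.com with ESMTPS id r11si2077637bkd.114.2011.10.18.12.26.22
        (version=TLSv1/SSLv3 cipher=OTHER);
        Tue, 18 Oct 2011 12:26:22 -0700 (PDT)
Received: from mail-ww0-f44.google.com ([74.125.82.44])  by Mail34.edb.com
 with ESMTP/TLS/RC4-SHA; 18 Oct 2011 21:29:53 +0200
Received: from relay.example.net (relay.example.net [192.0.2.10])
        by mx.example.org with ESMTP id abc123;
        Tue, 18 Oct 2011 12:00:00 +0000
Subject: constructed test message

body
"""

# "by <host> ... with <protocol token>"; anchoring on "by" skips an earlier
# "(using TLSv1.2 with cipher ...)" comment that some MTAs write.
HOP = re.compile(r"\bby\s+(\S+).*?\bwith\s+([^\s;]+)", re.I)
# RFC 3848 "with" keywords that imply STARTTLS: ESMTPS, ESMTPSA, LMTPS, LMTPSA
# (plus the UTF8-prefixed variants). ESMTPA is authenticated but not encrypted.
TLS_PROTO = re.compile(r"^(?:UTF8)?(?:E?SMTP|LMTP)SA?$", re.I)
# Free-form comments such as "(version=TLSv1/SSLv3 ...)" or "(using TLSv1.2 ...)".
TLS_COMMENT = re.compile(r"\((?:version=|using\s+)(?:TLS|SSL)", re.I)


def hop_tls_report(raw_message):
    """Return (receiving_host, with_token, tls_seen) per Received header, newest first."""
    report = []
    for value in message_from_string(raw_message).get_all("Received", []):
        line = " ".join(value.split())  # unfold continuation lines
        m = HOP.search(line)
        host, token = (m.group(1), m.group(2)) if m else ("?", "")
        parts = token.upper().split("/")  # handles "ESMTP/TLS/RC4-SHA" style tokens
        tls = (bool(TLS_PROTO.match(parts[0])) or "TLS" in parts[1:]
               or bool(TLS_COMMENT.search(line)))
        report.append((host, token, tls))
    return report


if __name__ == "__main__":
    for host, token, tls in hop_tls_report(SAMPLE):
        print(f"{host:20} {token:20} {'TLS' if tls else 'plaintext or unknown'}")
```

Only the Received headers stamped by servers you control can be trusted, since earlier ones can be forged by the sender. A TLS marker also only says the hop was encrypted, not that the certificate was verified.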
-------------------

Going further back in time, I've also pointed a finger at ISACA and Lyris Inc, recommending that they improve their security. I am now happy to see that ISACA and Lyris now support the STARTTLS command through SMTP connections, which is proof of RFC 3207 support. While I was at it, I checked (ISC)2 and ASIS as well. Yup, they've got STARTTLS available as well. As a member of ISACA, (ISC)2 and ASIS, this makes me a little bit happier. Do as you preach.

Oh... and Microsoft, with their Hotmail service? Still no support for RFC 3207. Come on guys!
-------------------

And now for Ivan Ristic at Qualys (SSLlabs); I've e-mailed you, look forward to any positive news you might have! :-)