Tuesday, October 18, 2011

More STARTTLS support!

RFC 3207:
SMTP Service Extension for
Secure SMTP over Transport Layer Security

In a previous blog post entitled "STARTTLS support in Hotmail/Gmail", I requested these services to implement support for RFC 3207, in order to use automatic and transparent security at the "back side" of their services, when available. I doubt I'm the reason here, but Google now has support in place! (Hooray!)
The blog post referred to here also has a link to the survey conducted by my friend and colleague Jan Fredrik Leversund (@KluZz) and myself, regarding the use of STARTTLS across mailservers on the Internet. You can still find it here, although still only in Norwegian...

Proof #1: sending an e-mail from my work account to my Gmail account, then looking at the e-mail header of the mail received at Gmail:
Received: from Mail17.edb.com (mail17.edb.com. [])
        by mx.google.com with ESMTPS id r11si2077637bkd.114.2011.
        (version=TLSv1/SSLv3 cipher=OTHER);
        Tue, 18 Oct 2011 12:26:22 -0700 (PDT)

Proof #2: Replying from Gmail back to my work account:
Received: from mail-ww0-f44.google.com ([])  by Mail34.edb.com
 with ESMTP/TLS/RC4-SHA; 18 Oct 2011 21:29:53 +0200

*NICE*. Thanks Google!

Going further back in time, I've also pointed a finger at ISACA and Lyris Inc, recommending that they improve their security. I am now happy to see that ISACA and Lyris both support the STARTTLS command over SMTP connections, which is proof of RFC 3207 support. While I was at it, I checked (ISC)2 and ASIS as well. Yup, they've got STARTTLS available too. As a member of ISACA, (ISC)2 and ASIS, this makes me a little bit happier. Practice what you preach.
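The two checks used above, the "with ESMTPS ... cipher=" style and the "ESMTP/TLS/<cipher>" style of Received header as proof that TLS was used on the hop, and an EHLO reply listing STARTTLS as proof of RFC 3207 support, can be scripted. The following is an added example written for this post, not code from the post or from the survey; the hostnames, addresses and replies in it are constructed samples, and check_server_live is the only part that touches the network.

```python
import re
import smtplib

# The two Received-header styles quoted in the post:
#   "with ESMTPS id ... (version=TLSv1/SSLv3 cipher=OTHER)"  (Google's MX)
#   "with ESMTP/TLS/RC4-SHA"                                 (the work MTA)
_ESMTPS = re.compile(r"\bwith ESMTPS\b.*?\(version=(?P<version>\S+) cipher=(?P<cipher>[^)]+)\)")
_SLASH = re.compile(r"\bwith ESMTP/TLS/(?P<cipher>[A-Z0-9-]+)")


def tls_evidence(received_header):
    """Return (used_tls, cipher) judged from one Received: header (folded or not)."""
    text = " ".join(received_header.split())  # unfold continuation lines
    for pattern in (_ESMTPS, _SLASH):
        m = pattern.search(text)
        if m:
            return True, m.group("cipher")
    return False, None  # no TLS marker on this hop


def ehlo_advertises_starttls(ehlo_reply):
    """True if a multi-line EHLO reply lists the STARTTLS extension (RFC 3207)."""
    for line in ehlo_reply.splitlines():
        # Intermediate lines are "250-KEYWORD ...", the last one "250 KEYWORD ...".
        if line[:3] == "250" and line[3:4] in "- " and line[4:].split()[:1] == ["STARTTLS"]:
            return True
    return False


def check_server_live(host, port=25, timeout=10):
    """Live check (needs network): connect, send EHLO, report whether STARTTLS is offered."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


# Constructed samples (not real traffic); 192.0.2.0/24 is a documentation range.
ESMTPS_HEADER = """Received: from mail.example.org (mail.example.org. [192.0.2.10])
        by mx.example.net with ESMTPS id abc123
        (version=TLSv1/SSLv3 cipher=OTHER);
        Tue, 18 Oct 2011 12:26:22 -0700 (PDT)"""
SLASH_HEADER = """Received: from mx.example.net ([192.0.2.20])  by mail.example.org
 with ESMTP/TLS/RC4-SHA; 18 Oct 2011 21:29:53 +0200"""
PLAIN_HEADER = "Received: from mx.example.net ([192.0.2.20]) by mail.example.org with ESMTP; 18 Oct 2011 21:29:53 +0200"
EHLO_WITH_TLS = "250-mx.example.net at your service\n250-SIZE 35882577\n250-8BITMIME\n250-STARTTLS\n250 ENHANCEDSTATUSCODES"
EHLO_WITHOUT_TLS = "250-mail.example.org\n250-SIZE 10485760\n250 8BITMIME"
```

A cipher value of "OTHER" only says that a TLS session was negotiated, not which suite, so the header is proof of encryption on that hop but not of its strength.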

Oh... and Microsoft, with their Hotmail service? Still no support for RFC 3207. Come on guys!

And now for Ivan Ristic at Qualys (SSLlabs); I've e-mailed you, look forward to any positive news you might have! :-)


  1. Last week I found that when our phone system sends voicemail e-mails, if it tries to STARTTLS to a server supporting something stronger than RC4, it crashes the entire phone system.

    So my mail servers support DHE-RSA-AES256-SHA, and after the phone system does its TLS Hello with what it supports, only a few microseconds after the mail server sends back the next packet: *BOOM*.

    Testing using gmail (dig MX gmail.com) and then:
    openssl s_client -starttls smtp -connect gmail-smtp-in.l.google.com:25 we get: RC4-SHA. This doesn't crash the phone system but it does cause it to fail to send a message.

    Then I went to look for other STARTTLS-supporting mail services; I found no support in:
    sbcglobal.net (residential ISP)
    verizon.net (residential ISP)

    Oh hushmail.com got it right: DHE-RSA-AES256-SHA

  2. Heh. Sounds like you have yourself a bug that should be reported to the vendor.
    (Let's hope it cannot be remotely exploited in any way....)

    Anyway, we are considering doing our little survey once again, to see if the overall situation has changed. If there are any coders with spare time available, please contact me. :-)

    I am also very proud to say that this article is being referenced on Wikipedia in two articles, namely STARTTLS and e-mail privacy. (last seen on Dec 10, 2011)

  3. http://stackoverflow.com/questions/11175367/which-email-service-provider-has-tls-encryption-for-outgoing-email
