Google is talking IPv6 to me.

February 13, 2014 - 3:38 am

We’re getting there!
It has been a while since I started digging into IPv6. My home network has been running on IPv6 for a while, but now I'm confident enough to implement it in my production setup.

My mail server has now been fully migrated to IPv6, and while doing this I properly implemented TLS (with a CAcert-signed certificate), including perfect forward secrecy (PFS) and so on.

Here is how the servers of the major freemail providers react to my new setup.

Provider              sending to…           receiving from…
                      IPv6   TLS            IPv6        TLS
GMail                 yes    yes            yes         yes
GMX                   no     yes            no          yes
web.de                no     yes            no          yes
T-Online              no     yes (no PFS)   no          yes
Yahoo                 no     broken*        (untested)  (untested)
live.com/hotmail      no     no             no          no
Apple me.com/mac.com  no     no             no          no

* Certificate does not match the hostname. They are trying to use a wildcard certificate across two levels of subdomains, which is forbidden for HTTPS and not explicitly allowed for SMTP.

Some comments:
It seems that I'm an early adopter in terms of IPv6. And still not all of the major providers do TLS (properly). But hey, they don't have a reason to encrypt SMTP. The NSA gets an unencrypted copy anyway…
Microsoft seems to put more emphasis on spam protection than on security.
I can't get mail from my server through to my Hotmail inbox, since they only trust the big ones with a good reputation. Or maybe I could if I signed up for a partnership with them? Anyway, I still receive enough real spam in my Hotmail inbox…

If you want to avoid Google, it seems the recommendation (when it comes to security) is GMX or web.de.
They also force encryption for HTTPS, POP3/IMAP and submission, as far as I know.
Their snake-oil campaign "E-Mail made in Germany" has obviously had the positive side effect that they did some things properly.

Enforcing verified encryption
I've forced my e-mail server to always encrypt and verify SMTP connections to the providers listed above that support TLS.
But this is obviously one-way, because none of them will enforce verified encryption towards me. And since my provider does not give me DNSSEC support (AFAIK), I can't use DANE either.

So feel free to enforce verified encryption towards my domain! (Make sure you have installed the CAcert root certificate.)
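Before enforcing verified encryption towards a destination it pays to check by hand what a strict MTA would see: does the MX offer STARTTLS, does the certificate chain to a root you trust, does its name match the MX hostname under the one-label wildcard rule (the Yahoo footnote in the table above), and is the key exchange ephemeral. The script below is an added example written for this page, not the post author's code. It uses the standard library only; the CA bundle path (for example the CAcert root), the MX hostnames in the usage line, and the constructed certificate dictionaries are placeholders you supply.

```python
from __future__ import annotations

import smtplib
import ssl
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class TlsReport:
    host: str
    starttls: bool          # server advertised STARTTLS in its EHLO response
    chain_ok: bool          # certificate chains to a trusted root (cafile or system store)
    hostname_ok: bool       # certificate name matches the MX hostname (RFC 6125 rules)
    cipher: Optional[str]   # negotiated cipher suite, if the handshake completed
    pfs: bool               # key exchange was ephemeral (forward secrecy)
    detail: str = ""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style name matching: '*' may only stand in for the entire leftmost
    label, so '*.example.com' covers 'mx1.example.com' but not 'mx1.mail.example.com'
    (two levels below the wildcard, the case from the Yahoo footnote above)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False        # partial wildcards ('m*.example.com') and '*.*.x' are rejected
    if len(p_labels) < 3:
        return False        # '*.com' would match every .com host
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def cert_names(cert: dict) -> list[str]:
    """Names to match against, in the layout ssl.SSLSocket.getpeercert() returns:
    dNSName SANs if any are present, otherwise the subject commonName (RFC 6125 6.4.4)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(wildcard_matches(name, hostname) for name in cert_names(cert))


def has_pfs(cipher_name: str) -> bool:
    """Forward secrecy needs an authenticated ephemeral key exchange: OpenSSL names
    such suites ECDHE-*, DHE-* (EDH-* in old versions); every TLS 1.3 suite (TLS_*)
    uses (EC)DHE. Static RSA key transport ('AES256-SHA') does not qualify."""
    return cipher_name.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))


def probe_starttls(host: str, cafile: Optional[str] = None, timeout: float = 10.0) -> TlsReport:
    """Connect to port 25, upgrade with STARTTLS and verify as a strict MTA would.
    Hostname matching is done here rather than by ssl so that a chain failure and a
    name mismatch are reported separately. Pass cafile=<CAcert root bundle> to
    accept CAcert-issued certificates; None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return TlsReport(host, False, False, False, None, False, "no STARTTLS offered")
        try:
            smtp.starttls(context=ctx)   # smtplib passes `host` as SNI
        except ssl.SSLCertVerificationError as exc:
            return TlsReport(host, True, False, False, None, False, f"chain: {exc.verify_message}")
        cipher_name = smtp.sock.cipher()[0]
        cert = smtp.sock.getpeercert()
        return TlsReport(host, True, True, hostname_matches(cert, host),
                         cipher_name, has_pfs(cipher_name))


if __name__ == "__main__":
    # Usage: python probe.py [--cafile cacert-root.crt] mx1.example.org mx2.example.org
    args = sys.argv[1:]
    ca = None
    if args[:1] == ["--cafile"]:
        ca, args = args[1], args[2:]
    for mx in args:
        r = probe_starttls(mx, cafile=ca)
        verdict = "OK" if r.chain_ok and r.hostname_ok and r.pfs else "REJECT"
        print(f"{mx}: {verdict} starttls={r.starttls} chain={r.chain_ok} "
              f"name={r.hostname_ok} pfs={r.pfs} cipher={r.cipher} {r.detail}")
```

Only a destination that comes back with chain, name and PFS all true is worth putting into a verify-required policy; anything else would simply stop mail flow to that provider. Note that the chain check is only as good as the bundle you pass in, which is exactly why the post asks senders to install the CAcert root first.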

Even though TLS with PFS and two trustworthy e-mail providers (of which obviously none is listed above) is a good start, you should still aim for end-to-end encryption.
…..

So that was step no. 1.
I'm carrying on with the migration of my web server.
