Die kürzlich veröffentlichte Cyber-Sicherheitsempfehlung "Upgrade für die E-Mail-Sicherheit" ist ein Paradebeispiel für die lösungsorientierte Zusammenarbeit zwischen verschiedenen Abteilungen im BSI. Nur so konnten wir praxisnahe Empfehlungen aussprechen, die auf Beobachtungen der echten Welt da draußen beruhen. Oft können Unternehmen, die E-Mails über eine eigene Domain senden und empfangen, nämlich schon mit überschaubaren Aufwand ihre Sicherheit deutlich verbessern.

https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldungen/Upgrade-E-Mail-Sicherheit_250526.html

#MailSecurity #TeamBSI #SPF #DKIM #DMARC #STARTTLS #DNSSEC #DANE #MTASTS #TLSRPT

now also available in English:
Four modern mail systems for self-hosting -- Universal support for mail security standards
https://www.sidn.nl/en/news-and-blogs/four-modern-mail-systems-for-self-hosting

An increasing number of mail software packages are now available that offer out-of-box support for all security standards, and are easy to set up as well. In this article, we consider four modern open-source packages for self-hosting: #Mox, #Chasquid, #Stalwart and #Maddy.

#SPF #DKIM #DMARC #DANE #STARTTLS #MTA-STS #InternetSecurity

@stalwartlabs

op SIDN.nl:
Vier moderne mail-systemen voor self-hosting -- Beveiligingsstandaarden voor mail universeel ondersteund
https://www.sidn.nl/nieuws-en-blogs/vier-moderne-mailsystemen-voor-self-hosting

Inmiddels zijn er meerdere software-pakketten beschikbaar die én alle beveiligingsstandaarden out-of-the-box ondersteunen én makkelijk op te zetten zijn. In dit artikel bespreken we vier moderne open-source mail-pakketten voor self-hosting: #Mox, #Chasquid, #Stalwart en #Maddy.

#SPF #DKIM #DMARC #DANE #STARTTLS #MTA-STS #InternetSecurity

@stalwartlabs

Letzte Woche fand das erste Treffen mit Mail-Providern zum E-Mail-Sicherheits-Jahr 2025 statt. Mit dabei war auch die Präsidentin des BSI, Claudia Plattner. Ich kann mich den Worten von Fabian Bock nur anschließen und freue mich schon auf die vielen weiteren Treffen und Aktionen, die wir für das Jahr geplant haben :blobcheer:

https://mail.de/de/blog/2025-03-unsere-teilnahme-am-e-mail-sicherheits-jahr-2025

#MailSecurity #TeamBSI #SPF #DKIM #DMARC #STARTTLS #DNSSEC #DANE

testssl.sh now supports the #STARTTLS protocol #sieve

also available in English on SIDN.nl:
Plenty of requirements about using security standards, but no enforcement or sanctions -- New powers for Authority for Digital Infrastructure may bring about change
https://www.sidn.nl/en/news-and-blogs/plenty-of-requirements-about-using-security-standards-but-no-enforcement-or

Many municipal websites don't meet the security standards they're supposed to meet. The problem isn't a lack of regulation, but a lack of compliance and enforcement.

#InternetSecurity #infosec #DNSSEC #DMARC #STARTTLS
@internet_nl

op SIDN.nl:
Een zee aan verplichtstellingen voor beveiligingsstandaarden, maar geen dwang of sancties -- Wellicht dat de Rijksinspectie voor Digitale Infrastructuur deze keer wel een verschil kan maken
https://www.sidn.nl/nieuws-en-blogs/een-zee-aan-verplichtstellingen-voor-beveiligingsstandaarden-maar-geen-dwang-of-sancties

Een groot deel van de gemeentelijke websites voldoet niet aan de verplichte beveiligingsstandaarden. Probleem is niet een gebrek aan regelgeving, maar de naleving en handhaving daarvan.

#InternetSecurity #infosec #DNSSEC #DMARC #STARTTLS
@internet_nl

Aktuell auf der #SLAC2024: "Sicherheit von STARTTLS in E-Mail-Clients." mit Fabian Ising vom Fraunhofer Institute for Secure Information Technology SIT. Fabian stellt eine wissenschaftlichen Studie und strukturierte Sicherheitsanalyse von #STARTTLS in IMAP, SMTP und POP3 vor. Die Ergebnisse zeigen, dass Angriffe gegen STARTTLS noch immer aktuell und kritisch sind. Er erklärt die Mechanismen dahinter und zeigt konkrete Angriffe. Spannend!

#IMAP #SMTP #POP3 #Administration #Cybersicherheit

Wie sicher ist STARTTLS in IMAP, SMTP und POP3? Dr. Fabian Ising hat in einer Studie die erste strukturierte #Sicherheitsanalyse von STARTTLS in E-Mail-Clients mit durchgeführt.

Das Ergebnis: Angriffe gegen #STARTTLS sind aktuell & kritisch.

Im #SLAC-Vortrag zeigt er:

👉 den Mechanismen hinter der E-Mail-Client zu E-Mail-Server-Kommunikation
👉 dem STARTTLS-Mechanismus 👉 konkrete Angriffe aus der Praxis

🎟️ Tickets:
https://www.slac-2024.de

#IMAP #SMTP #POP3 #Administration #Cybersecurity

There's no shortage of #cybersecurity talent in the industry. However, like any domain where people over-specialize because of market conditions, you end up with questions like this one where people don't understand how application or session layer protocols actually work, and how a "security protocol" actually works.

Email is an outdated messaging protocol, but the transport layer is just as secure as #HTTPS when using #TLS. Most modern MTAs default to using #SMTP over TLS, or use opportunistic encryption with #STARTTLS. Both the client and server are usually configured to drop insecure connections before user authentication happens.

The only correct answer here is #SSL, which was deprecated more than nine years ago due to limitations and vulnerabilities in its supported ciphers. SMTP is not a security protocol, yet 68% of respondents apparently think it is. That's a problem.

No one should be expected to know everything, and not all security people focus on networking, encryption, or handshake protocols. However, if you don't want to be the next breach-in-the-news, please ensure your staff at least understands the basic controls used or needed for the systems you've hired them to protect!

https://www.linkedin.com/posts/the-cyber-security-hub_activity-7132819961705566209-UNFm

"🚨 *Major lawful Interception *: Russian XMPP (Jabber) Service Under Attack! 🚨"

The largest Russian XMPP (Jabber) messaging service, jabber.ru (also known as xmpp.ru), has been targeted in a sophisticated Man-in-the-Middle (MiTM) attack. The attackers intercepted encrypted TLS connections on Hetzner and Linode hosting providers in Germany. 🇩🇪🔓

Several rogue TLS certificates were issued using the Let’s Encrypt service to hijack encrypted STARTTLS connections on port 5222. The attack was unveiled due to an expired MiTM certificate. The interception might have been ongoing for up to 6 months, with 90 days confirmed.

The attack seems to be a lawful interception that Hetzner and Linode might have been compelled to set up. The implications are severe: all communications between the affected dates could be compromised. Users are urged to check their accounts for unauthorized #OMEMO and #PGP keys and to change passwords. 🔑🚫

Author: ValdikSS, 21st October 2023
Source: ValdikSS's Notes

Tags: #XMPP #Jabber #MiTM #Cybersecurity #Hetzner #Linode #EncryptionBreach #TLS #STARTTLS #LetsEncrypt 🌐🔐🚫

@brokenix Heads-up to all: The IETF has proposed implicit TLS (Port 465) as preferred over STARTTLS solutions. The previous confusion around Port 465 was cleared.

https://www.rfc-editor.org/rfc/rfc8314.html#section-3.3

Wherever possible I use Port 465 over 587. Only one mail server I use doesn't offer implicit TLS, I have to contact them soon 😀

#smtp #tls #starttls

Oh man. #Grandstream, Access Point. You can configure to send alerts to a #mail recipient. Nice.

Except, whoever idiot implemented it, has been a *bit* to eager on "Lets force this secure".
The mail relay you want to use MUST support #STARTTLS. It MUST support #login with user/pass. You MAY skip validating the certificate.

NO way to tell it "Nope, mailrelay is local, it really does not need any login and no, it DOES NOT support tls". Just no way.

Useless.

It took me far too long to get #Postfix to validate #DANE records. Why? My cloud provider's DNS server doesn't support #DNSSEC. It's 2023, come on! Hopefully using an external DNS server won't spike my bandwidth too much. #email #selfhosted #starttls

I need a dummy #RubyLang #IMAP server that can support #STARTTLS but otherwise treats most commands as no-ops. I couldn't find anything well-maintained via GitHub or Ruby Toolbox other than the gem from Ruby's #stdlib at:

https://ruby-doc.org/3.2.2/gems/net-imap/Net/IMAP.html

Rather than gutting Net::IMAP, is there already a gem out there that can be used to support fetch-before-send clients like Apple's Mail that won't send email before completing POP3 or IMAP4 authentication?

One of my #GitLab instances was no longer able to send e-mails. (It tried to send almost empty e-mails, but its smarthost discarded those.)

It was the one that used #nullmailer as its #MTA. GitLab recommends either #Sendmail or #Postfix as an MTA. Switching to Postfix solved this issue for me.

Making sure that Postfix uses the #StartTLS capability of its smarthost took longer than expected.

It's also rather annoying that on Debian systems, postfix by default accepts connections from anywhere on the Internet even though I asked debconf to set up a “satellite system”.

When using Nullmailer, I just had to put the line “smtp.domain.tld smtp --port=25 --starttls” in /etc/nullmailer/remotes.

For Postfix, I need this:
inet_interfaces = loopback-only
smtp_tls_security_level = encrypt

Your mileage may vary.

Ich wüsste ja schon zu gerne, wieso mein #Postfix seit heute morgen auf einmal > 5 Sekunden braucht um einen #TLS-Handshake zu machen, sowohl auf 465 als auch bei #STARTTLS. 🤔

Geändert habe ich (bewusst) nichts, und die Nameserver hab ich schon getestet, die scheinen schnell zu sein.

#Verschlüsselung
Sicherheitsrisiko #STARTTLS
von Hanno Böck

https://www.golem.de/news/verschluesselung-sicherheitsrisiko-starttls-2108-158714.html

Critical bug in Thunderbird.

CVE-2020-12398: Security downgrade with IMAP STARTTLS leads to information leakage

https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/#CVE-2020-12398

#mozilla #thunderbird #STARTTLS #security