The EFF has just posted a shallower than usual deeplink alleging an “email encryption downgrade attack” by ISPs intent on eavesdropping on their customers.
They, along with VPN provider Golden Frog, have also filed a complaint with the FCC about it.
What they have noticed is something common across several hotel / airport wifi networks—routing outbound port 25 (SMTP) traffic through a spam / malware filtering proxy such as the “inspect” (aka “fixup”) feature in a Cisco ASA device.
Outbound port 25 blocking is a best practice, enforced by several large providers around the world and recommended, for example, by M3AAWG. Port 587, the SMTP submission port, has been recommended for outbound SMTP since it was first defined in 1998, in RFC 2476 (now obsoleted by RFC 6409). An older but still relevant Best Practice document from 2007 is RFC 5068. These RFCs are explicit that port 587 is to be used for mail submission, and that it MUST NOT (capitals as used in the RFCs) be subject to port blocking.
However, airport and hotel wifi networks, and other networks with a large number of transient users, tend to filter outbound port 25 rather than follow the commonly accepted best practice of blocking it outright; a large part of outbound port 25 traffic is malicious, originating from virus-infected hosts on the network. Filtering may be a well-intentioned measure (possibly to reduce tech support costs), but it is certainly not a best practice; sliced with Hanlon’s razor, it falls well on the “ignorance” rather than the “malice” side.
It is certainly not appropriate to conflate this, as the EFF has done in its FCC filing, with other practices allegedly adopted by ISPs to track their users or slow down sites they see as competitors. Nor is it new for the EFF to equate spam filtering of any sort with censorship or worse; that goes back about a decade.
That said, it does appear to be high time to update existing best practices on port 25 management to state explicitly that proxy filtering port 25 by turning off TLS to allow content inspection is not a privacy-friendly alternative to blocking port 25 outright. That blocking port 25, rather than filtering it, will also spare an ISP frivolous FCC filings is perhaps additional icing on the cake.
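The practical difference between a proxy that strips the STARTTLS advertisement and a client that refuses to send without TLS is easy to see in code. The following is an added example, not code from the post or from any product it names: it parses constructed EHLO replies (one normal, one with the STARTTLS line removed), shows a fail-closed decision, and includes a live probe of a submission server using Python’s standard smtplib (host name and port are assumptions).

```python
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from any real network).
EHLO_CLEAN = [
    "250-mail.example.test Hello client",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 HELP",
]
# The same server as seen through a filtering proxy that has dropped (or
# overwritten) the STARTTLS line; either way the keyword is no longer offered.
EHLO_STRIPPED = [
    "250-mail.example.test Hello client",
    "250-SIZE 52428800",
    "250 HELP",
]


def starttls_advertised(ehlo_lines):
    """Return True if the EHLO reply lists the STARTTLS extension (RFC 3207)."""
    for line in ehlo_lines:
        # Lines look like "250-KEYWORD [params]"; the last one uses "250 KEYWORD".
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0]
        if keyword.upper() == "STARTTLS":
            return True
    return False


def tls_decision(ehlo_lines, require_tls):
    """Decide how a client proceeds against a server that may not offer STARTTLS.
    "tls" when it can be negotiated, "abort" when TLS is required but absent, and
    "plaintext" only for an opportunistic (TLS-if-possible) client, which is
    exactly the configuration a STARTTLS-stripping proxy takes advantage of."""
    if starttls_advertised(ehlo_lines):
        return "tls"
    return "abort" if require_tls else "plaintext"


def probe_submission(host, port=587, timeout=10):
    """Live check: EHLO a submission server and report whether STARTTLS is offered.
    Fails closed: returns False instead of continuing in the clear."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with code {code}")
        if not smtp.has_extn("starttls"):
            return False
        smtp.starttls(context=ssl.create_default_context())
        return True
```

Running probe_submission() against the same server from a trusted network and from a hotel network, on both port 25 and port 587, is a quick way to tell whether a path in between is removing the STARTTLS offer.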
When I first heard about this subject, I thought filtering was being applied between the MSA and the MX. How would we rate it in that case? Of course, it is not guaranteed that TLS is available at each intermediate hop. It is a best-effort attempt. However, the ease with which it is possible to circumvent it brings out a weakness in RFC 6409. What if backbone routers on national borders do the same? Perhaps standardizing port 465 was not such a bad idea after all. I welcome the EFF complaint in this respect.
Later on, reading the details, I learned that filtering happens between the MUA and the MSA. For it to work, a client must be configured to use TLS only if possible. I don’t think such configurations make sense, and I’d blame them at least as much as the filtering operators. IOW, one good thing about STARTTLS filtering is that it educates users to become aware of what they are doing. For an even better effect, they could swap the MAIL and RCPT addresses.