GNU social JP

GNU social JP is a GNU social server in Japan.

Conversation

Notices
  1. Michael Lucas :flan_set_fire: (mwl@io.mwl.io)'s status on Wednesday, 22-Jan-2025 19:09:46 JST

    I didn't plan on this, but it turns out that releasing my new book on running your own email server was SUPER TIMELY. #sysadmin

    https://mwl.io/nonfiction/tools#ryoms


    Attachments

    1. Sysadmin Tools
    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Wednesday, 22-Jan-2025 19:19:08 JST, in reply to Colin Cogle :verified: and A

      @colin @a @mwl My experience using RBLs was that I needed to run DNS lookups on the same IP as the mail server which is annoying with socks.

      If you have IPv6 at home, you can get a dual stack VPS and use proxy arp to relocate its ipv4 address to the other end of a SIT tunnel (ipv4 over ipv6) terminating on your actual server.

      I used to have a web server set up this way.

    • Colin Cogle :verified: (colin@mastodon.colincogle.name)'s status on Wednesday, 22-Jan-2025 19:19:11 JST, in reply to A

      @a @mwl I was thinking the same thing, via Wireguard or whatever, but your idea might be better.

    • A (a@91268476.xyz)'s status on Wednesday, 22-Jan-2025 19:19:13 JST, in reply to Colin Cogle :verified:

      @colin@mastodon.colincogle.name @mwl@io.mwl.io I run my own on a VPS but I wonder if it would be too shitty to run it at home and keep the VPS as a proxy with socat services?

    • Colin Cogle :verified: (colin@mastodon.colincogle.name)'s status on Wednesday, 22-Jan-2025 19:19:14 JST

      @mwl Running port 25 behind a residential IP is an instant block. I have everything running like clockwork behind a mid-sized hosting provider, but I'm always looking to improve things.

    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 22-Jan-2025 23:08:42 JST, in reply to Colin Cogle :verified:

      @colin @mwl I'm not sure what you mean by instant block, but you can proxy port 25 thru a $3 VPS if needed, and not even lose any cryptographic integrity as long as you're using DANE.

    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 22-Jan-2025 23:09:53 JST, in reply to Colin Cogle :verified: and A

      @a @mwl @colin This is exactly what you want to do. And setup DANE for your domain, and outgoing DANE enforcement, so malicious party on the VPS side can't MITM you.

    • A (a@91268476.xyz)'s status on Wednesday, 22-Jan-2025 23:19:39 JST

      @dalias@hachyderm.io @mwl@io.mwl.io @colin@mastodon.colincogle.name I assume you have full control of the VPS . At least I di

    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 22-Jan-2025 23:20:03 JST, in reply to Colin Cogle :verified: and A

      @a @mwl @colin If the VPS isn't on your premises or locked in fail-closed tamper resistant enclosure at your colo, you don't have full control over it. Law enforcement can mandate hosting provider backdoor it, and there are plenty of cross-guest attacks in virtual hosting environments.

    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 22-Jan-2025 23:24:49 JST, in reply to Colin Cogle :verified: and A

      @a @mwl @colin You don't run the mail server on the VPS, just proxy thru its IP. The TLS is terminated on your premises, so as always, if certificate is validated correctly (this is what you need DANE for; otherwise TLS on mail is opportunistic), MITM is impossible even if the attacker fully controls the VPS.

    • A (a@91268476.xyz)'s status on Wednesday, 22-Jan-2025 23:24:50 JST, in reply to Rich Felker and Colin Cogle :verified:

      @dalias@hachyderm.io @mwl@io.mwl.io @colin@mastodon.colincogle.name true, but idk how DANE could alleviate those problems either.

    • 🍻 alfajet 🇫🇷 🇬🇧 (alfajet@alfajet.masto.host)'s status on Wednesday, 22-Jan-2025 23:38:19 JST

      @mwl
      If you planned all these events to promote your book, you went a bit too far imo.

      valhalla likes this.
    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 22-Jan-2025 23:42:04 JST, in reply to Colin Cogle :verified: and A

      @a @mwl @colin That's exactly what I'm talking about. And with webpki, controlling the public IP lets you get forged certs unless you're using DNSSEC and CAA to forbid all but specific authorized cert issuance. But with DANE, control of the IP gets you nothing because the key is pinned.

    • A (a@91268476.xyz)'s status on Wednesday, 22-Jan-2025 23:42:06 JST, in reply to Rich Felker and Colin Cogle :verified:

      @dalias@hachyderm.io @mwl@io.mwl.io @colin@mastodon.colincogle.name I doubt the impossible words can be used here. I guess people with more evil imagination than me can think of ways to do so. Just a data point https://notes.valdikss.org.ru/jabber.ru-mitm/


      Attachments

      1. Encrypted traffic interception on Hetzner and Linode targeting the largest Russian XMPP (Jabber) messaging service
    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 22-Jan-2025 23:50:03 JST, in reply to Colin Cogle :verified: and A

      @a @mwl @colin The DNS server doesn't have to be trusted either. Just the DS delegation records from the parent zone. If they're tampered with, that provides a paper trail of wrongdoing (compromised registrar).

    • A (a@91268476.xyz)'s status on Wednesday, 22-Jan-2025 23:50:05 JST, in reply to Rich Felker and Colin Cogle :verified:

      @dalias@hachyderm.io @mwl@io.mwl.io @colin@mastodon.colincogle.name ...assuming you have full control of the DNS server I guess

    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 22-Jan-2025 23:52:48 JST, in reply to Colin Cogle :verified: and A

      @a @mwl @colin That's one of the awesome things about DNSSEC: it lets you host your authoritative DNS on cheap low trust infrastructure, only caring about availability not integrity.

    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 22-Jan-2025 23:57:00 JST, in reply to Colin Cogle :verified: and A

      @a @mwl @colin Cryptographically impossible (assuming the cipher isn't broken which isn't a realistic threat).

      Where compromises like the one you cited happen are by compromising one party in the cryptographic chain, not by breaking the crypto. With DANE the only parties who can potentially be compromised are your registrar, the TLD authority, and the DNS root.

    • A (a@91268476.xyz)'s status on Wednesday, 22-Jan-2025 23:57:02 JST, in reply to Rich Felker and Colin Cogle :verified:

      @dalias@hachyderm.io @mwl@io.mwl.io @colin@mastodon.colincogle.name I guess I'll have to trust you on this one :-P I'm not an expert on security, but uttering words like "impossible" sound like a red flag to me. "Very hard"? sure though.

    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 22-Jan-2025 23:59:21 JST, in reply to Colin Cogle :verified: and A

      @colin @a @mwl Yep, it's much stronger matching your specific key. As well as resistant to downtime from intermediate cert switchover shenanigans.

    • Colin Cogle :verified: (colin@mastodon.colincogle.name)'s status on Wednesday, 22-Jan-2025 23:59:22 JST, in reply to Rich Felker and A

      @dalias @a @mwl I’m also “cheating” and using DANE to match the intermediate CA’s, not the public key of my cert. I should really fix that.

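The pinning the thread is discussing, as an added example that is not part of any post: build the DANE TLSA record for a mail server from its own certificate (usage 3, selector 1, matching type 1, i.e. SHA-256 of the SubjectPublicKeyInfo) and check a presented certificate against it. It assumes `openssl` is installed; both certificates and the name mail.example.test are constructed here, and usage 2 (pinning an issuing CA instead, which is what Colin calls "cheating") is shown for comparison.

```shell
#!/bin/sh
# Added example: DANE-EE (3 1 1) pin for an SMTP server's own key.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# TLSA rdata "<usage> 1 1 <hash>": usage 3 pins the server key itself
# (DANE-EE); usage 2 would pin the key of a CA in the chain (DANE-TA).
tlsa_record() {  # $1 = usage (2 or 3), $2 = cert PEM
    printf '%s 1 1 %s\n' "$1" "$(spki_sha256 "$2")"
}

# Succeeds only if the presented cert's key matches a 3 1 1 record,
# regardless of who issued that cert.
dane_ee_match() {  # $1 = TLSA rdata, $2 = presented cert PEM
    rec_hash=$(printf '%s' "$1" | awk '$1==3 && $2==1 && $3==1 {print $4}')
    [ -n "$rec_hash" ] && [ "$rec_hash" = "$(spki_sha256 "$2")" ]
}

# Constructed input: the server's real cert, and a second cert for the same
# name with a different key (what a forged WebPKI cert would look like).
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
      -subj "/CN=mail.example.test" >/dev/null 2>&1
}
gen_cert server
gen_cert forged

RECORD=$(tlsa_record 3 "$WORK/server.pem")
echo "_25._tcp.mail.example.test. IN TLSA $RECORD"
dane_ee_match "$RECORD" "$WORK/server.pem" && echo "server cert: matches pin"
dane_ee_match "$RECORD" "$WORK/forged.pem" || echo "forged cert: rejected"
```

With a 2 1 1 record, any leaf issued by the pinned CA would pass, so the DANE-EE record is the one that ties the MX to a specific key.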
    • Rich Felker (dalias@hachyderm.io)'s status on Thursday, 23-Jan-2025 00:02:09 JST, in reply to Colin Cogle :verified: and A

      @a @mwl @colin I'm most concerned about email interception as a vector for account compromise through credential reset workflows. Otherwise indeed the value to attacker/risk to user is usually fairly low.

    • A (a@91268476.xyz)'s status on Thursday, 23-Jan-2025 00:02:11 JST, in reply to Rich Felker and Colin Cogle :verified:

      @colin@mastodon.colincogle.name @mwl@io.mwl.io @dalias@hachyderm.io I'm personally not super concerned about all that because: (a) sending emails means that someone will receive them and you still need to rely on their infra not to be breached (good luck with that) and (b) I use email mostly to receive messages and as an ID for a bunch of accounts. If I want to share something more personal I would use another mechanism.

    • Colin Cogle :verified: (colin@mastodon.colincogle.name)'s status on Thursday, 23-Jan-2025 00:02:12 JST, in reply to Rich Felker and A

      @a @mwl @dalias Dang, I do use Linode.

      On the bright side, yes, I have a Let’s Encrypt CA and DNSSEC/DANE, MTA-STS, CAA, and all the acronyms. I also edited the Postfix config files to require TLS for outbound connections to some servers that I know will never not support it, like Google, Microsoft, and a few others.

    • Rich Felker (dalias@hachyderm.io)'s status on Thursday, 23-Jan-2025 00:15:13 JST, in reply to Colin Cogle :verified: and A

      @a @mwl @colin This is a big part of why I made mxclient and hope it (or another implementation of same concept) eventually becomes the standard for credential reset workflows, login via email workflows, etc.

      Haelwenn /элвэн/ :triskell: likes this.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.