smtp

TLS scan for SMTP servers

While I already linked to the Qualys SSL server scanner, it is actually limited to HTTPS servers only.

It turns out there is another one, called starttls.info, that will scan SMTP servers. It was also used for scanning STARTTLS support in Norway.

Opportunistic encryption in SMTP is here (mostly)

Facebook published their outgoing SMTP stats on the 13th of May. The situation is much better than what we previously thought.

A few high points:

  • 76% of hosts that Facebook contacted to send email support STARTTLS and correctly negotiated a secure connection
  • 56% of outgoing email gets encrypted using TLS
  • out of encrypted email, over 98% used Perfect Forward Secrecy

The bad:

  • only 25% of domains have matching, trusted and still valid certificates
  • this drops to 6.6% for unique MX hosts
  • and covers 59.6% of all mail
  • nearly 50% of email was transferred using the possibly passively-crackable RC4 cipher
  • the same issue affects close to 20% of domains

In summary, it looks like we are on a very good road toward strict certificate checking using DANE in SMTP.
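To make the categories in the two posts above concrete (the starttls.info style of STARTTLS scan, and the "good" versus "bad" buckets in the Facebook numbers: STARTTLS offered, connection encrypted, certificate trusted and matching, forward secrecy, RC4), here is an added example of a small per-MX checker written for this page; it is not the scanner's or Facebook's code. It assumes Python's standard `smtplib` and `ssl` modules only. A strict TLS context stands in for "strict certificate checking"; when that handshake fails, the check retries with a certificate-agnostic context, which is exactly what opportunistic delivery falls back to. `scan_mx` needs network access to a real MX host you are allowed to test (your own); the classification and aggregation functions run offline on the constructed `SAMPLE_RESULTS`, which are made up for illustration and are not measured data. A DANE/TLSA lookup is deliberately out of scope here.

```python
import smtplib
import ssl
import sys
from typing import Dict, List


def strict_smtp_context() -> ssl.SSLContext:
    """Client context for the post's 'good' case: trusted, unexpired,
    name-matching certificate, forward-secret key exchange, no RC4."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED, system CA store
    ctx.check_hostname = True                 # certificate must match the MX name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret suites only; RC4 and unauthenticated suites are excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!RC4:!aNULL:!eNULL")
    return ctx


def opportunistic_context() -> ssl.SSLContext:
    """Accept any certificate: what opportunistic delivery gets when strict
    verification fails (encrypted, but not authenticated)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_policy(ctx: ssl.SSLContext) -> Dict[str, bool]:
    """Summarize what a context will and will not accept."""
    return {
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "allows_rc4": any("RC4" in c["name"] for c in ctx.get_ciphers()),
    }


def classify_cipher(name: str, version: str) -> Dict[str, bool]:
    """Map an SSLSocket.cipher() result onto the PFS and RC4 categories.
    TLS 1.3 suites are always forward secret; for TLS 1.2 and older, OpenSSL
    names start with ECDHE- or DHE- when the key exchange is ephemeral."""
    upper = name.upper()
    return {
        "pfs": version == "TLSv1.3" or upper.startswith(("ECDHE-", "DHE-")),
        "rc4": "RC4" in upper,
    }


def scan_mx(host: str, port: int = 25, timeout: float = 10.0) -> Dict:
    """Connect to one MX host, issue STARTTLS, and record how it went: strict
    context first, then the opportunistic one if the strict handshake fails."""
    result = {"host": host, "starttls": False, "encrypted": False, "cert_ok": False,
              "pfs": False, "rc4": False, "cipher": None, "error": None}
    for strict in (True, False):
        ctx = strict_smtp_context() if strict else opportunistic_context()
        smtp = None
        try:
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["error"] = "STARTTLS not advertised"
                return result
            result["starttls"] = True
            smtp.starttls(context=ctx)        # raises ssl.SSLError on failure
            name, version, _bits = smtp.sock.cipher()
            result.update(classify_cipher(name, version))
            result.update(encrypted=True, cert_ok=strict, cipher=name)
            return result
        except ssl.SSLError as exc:           # verification or cipher mismatch
            result["error"] = ("strict" if strict else "opportunistic") + f": {exc}"
        except (smtplib.SMTPException, OSError) as exc:
            result["error"] = str(exc)
            return result
        finally:
            if smtp is not None:
                smtp.close()
    return result


def summarize(results: List[Dict]) -> Dict[str, float]:
    """Aggregate per-host results into the percentages the post reports."""
    def pct(num: int, den: int) -> float:
        return round(100.0 * num / den, 1) if den else 0.0
    encrypted = [r for r in results if r["encrypted"]]
    return {
        "starttls_pct": pct(sum(r["starttls"] for r in results), len(results)),
        "encrypted_pct": pct(len(encrypted), len(results)),
        "cert_ok_pct": pct(sum(r["cert_ok"] for r in results), len(results)),
        "pfs_of_encrypted_pct": pct(sum(r["pfs"] for r in encrypted), len(encrypted)),
        "rc4_of_encrypted_pct": pct(sum(r["rc4"] for r in encrypted), len(encrypted)),
    }


# Constructed sample results (not real scan data) in the shape scan_mx returns.
SAMPLE_RESULTS = [
    {"host": "mx1.example", "starttls": True, "encrypted": True, "cert_ok": True, "pfs": True, "rc4": False},
    {"host": "mx2.example", "starttls": True, "encrypted": True, "cert_ok": False, "pfs": True, "rc4": False},
    {"host": "mx3.example", "starttls": True, "encrypted": True, "cert_ok": False, "pfs": False, "rc4": True},
    {"host": "mx4.example", "starttls": True, "encrypted": False, "cert_ok": False, "pfs": False, "rc4": False},
    {"host": "mx5.example", "starttls": False, "encrypted": False, "cert_ok": False, "pfs": False, "rc4": False},
]

if __name__ == "__main__":
    # Usage: python smtp_tls_check.py mx.example.org [more hosts ...]
    hosts = sys.argv[1:]
    scans = [scan_mx(h) for h in hosts] if hosts else SAMPLE_RESULTS
    for r in scans:
        print(r)
    print(summarize(scans))
```

A host that lands in `encrypted` but not `cert_ok` is the common case the Facebook numbers describe: mail is protected against passive observation, but a man-in-the-middle presenting any certificate would still succeed, which is the gap DANE is meant to close.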