[dramaticus3]

Email, still not dead.

My work has gradually moved from Web -> Email. I learned about email while working as a sys admin for a website sending 100k mailouts and now I've become a bit of a specialist writing email apps. Postfix is my weapon of choice, you can extend it externally via its unix pipe & socket routing.

Currently I'm building an outgoing SMTP service for people network hopping - Wifi, 3g etc.

It has been interesting to see the rise in inter-SMTP server communications going SSL. Google & Hotmail, for instance, both use TLS to send their email, even when there's no requirement to do so, TLS is chosen first.

So people often trumptet BBM as end-to-end secure but if you use Google Mail with your mobile email and set it to TLS only and only send to other Google & Hotmail users then the same is true.

I've also had a report of a German ISP that deep packets SMTP traffic and changes STARTTLS to XXX "for security reasons". I suspect that they have a tap in front of their closed source MTA to log the traffic to satisfy the European Data Retention Directive.

[icebraining]

>So people often trumptet BBM as end-to-end secure but if you use Google Mail with your mobile email and set it to TLS only and only send to other Google & Hotmail users then the same is true.

I actually thought they had end-to-end encryption with different keys for every device (PGP-like). That would make them much more secure than that, since the servers wouldn't be able to access the contents.

But I've been reading about it before replying and apparently they use a single key per server, not to mention that if you're not on a private BES, you're using a global key (they call it 'scrambled', not encrypted). What a joke.

[DougRathbone]

interesting you've found that about BES - link?

[icebraining]

EDIT: It's mostly about BIS; BES servers can actually implement end-to-end, if they're IT department enables the S/MIME module and create, distribute and teach users how to use PKI certificates. But if you're not doing that, you're not really protected.

This[1] document from the Communications Security Establishment of Canada explains it well. Citing:

    PIN-to-PIN transmission security: PIN-to-PIN is not suitable for exchanging 
    sensitive messages. Although PIN-to-PIN messages are encrypted using 
    Triple-DES, the key used is a global cryptographic “key” that is common to 
    every BlackBerry device all over the world. This means any BlackBerry device 
    can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry 
    device, if the messages can be intercepted and the destination PIN spoofed. 
    Further, unfriendly third parties who know the key could potentially use it to 
    decrypt messages captured over the air. Note that the “BlackBerry Solution 
    Security Technical Overview” document published by RIM specifically 
    advises users to “consider PIN messages as scrambled, not encrypted”. 

[1]: http://www.cse-cst.gc.ca/its-sti/publications/itsb-bsti/itsb...

[JonLim]

I'd love to hear more about the outgoing SMTP service for people network hopping - I'm not sure I completely understand it and my curiosity is just getting the best of me. :)

Tell us more!

[dramaticus3]

Buy a Data sim, what to do as outgoing SMTP ?

Vodafone for instance : http://www.google.co.uk/search?q=vodafone+smtp

Our service, one of a few, offers SMTP Auth'd or just relying on MAIL FROM: envelope header for outgoing email, utilising TLS, especially useful when on free-wifi.

Set your SPF settings to allow our sending IP in order to improve one's SPAM score.

The TLS route means that if one is sending to a GMAIL account then it is the recipient who can break the chain of trust.

If you have an SMTP receiver you can send from an open wi-fi access point in Karachi and know that only in server was the plain text processed. I guess that's not saying much but you can easily set it up for yourself.

[JonLim]

Hopefully I'm understanding this correctly: you're creating a service that lets you send emails securely using your hosted SMTP, from anywhere in the world?

Useful for traveling on business, I would assume!

[dramaticus3]

Yes, that's the one. There are more than one available. I'm not going to spam the name of mine. It's a service I wanted myself as an early adopter of handheld computers, outgoing SMTP is one of those things where the ISP does everything it can to make you use user@mobileisp.com and even when it is plain, remembering the settings if your phone gets wiped, is it mail.example.isp.com or smtp.example.isp.com. Hopefully it is a bit easier to remember the smtp service one uses.

[dramaticus3]

What am I saying: end to end encryption isn't there, just in-flight encryption. Encrypting the payload before it leaves your network is the only way to do that, not relying on intermediaries.

It's a shame we can't sign it for you as it leaves our network, but that would defeat the point.