[176538] in North American Network Operators' Group
Re: Transparent hijacking of SMTP submission...
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Dec 3 16:05:27 2014
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <D0A1D521.EC149%jason_livingood@cable.comcast.com>
Date: Wed, 3 Dec 2014 13:00:15 -0800
To: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
Cc: John Levine <johnl@iecc.com>, "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On Dec 1, 2014, at 5:25 AM, Livingood, Jason <Jason_Livingood@cable.comcast.com> wrote:
>
> On 11/29/14, 3:17 PM, "John Levine" <johnl@iecc.com> wrote:
>
>> PS: I know enough technical people at Comcast that I would be
>> extremely surprised if it were Comcast doing this. There's plenty not to
>> like about the corporation, but the technical staff are quite competent.
>
> Thanks, John! I can tell folks here unequivocally that (1) the recent
> press article on STARTTLS re-writing did *not* involve Comcast and (2)
> Comcast does not engage in the claimed practice. In fact, we're supporters
> and early deployers of STARTTLS on our own mail service.
>
> I do not know how to explain the issue reported on this list. Absent a
> packet capture it is impossible for me to analyze this further. If
> anything, I could only imagine it was a misconfiguration someplace, but I
> have no idea where or in what network element that'd even be possible. I'm
> happy to work with anyone that has more info to try to troubleshoot this.
>
> - Jason Livingood
> Comcast
I have encountered similar issues on some hotel networks.

Usually, a well-meaning, but severely misinformed hotel administrator decides that:

1. People don’t know what they’re doing and configure their laptops to use their [corporate|home|usual] mailserver even when they’re on the road, often without authentication.
2. Debugging people’s laptops for them takes a lot of time and reduces customer satisfaction.

so

3. Let’s just redirect all port 25/587 to our own local SMTP proxy, which can’t possibly support TLS because we don’t have all the right certificates (nor should we), so it won’t announce the STARTTLS capability.

I don’t know if that’s what happened in this case, because, as you say, without first-hand information and packet-captures, it’s impossible to tell, but I will say that if you intend to use TLS, make sure your MUA REQUIRES TLS, rather than preferring TLS when available (as is default on many MUAs, unfortunately).
Owen
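An added illustration, not part of the post above, of the check an MUA has to make to behave as Owen recommends: parse the EHLO reply, and refuse to continue when STARTTLS is not advertised instead of falling back to cleartext. The host names and the two EHLO replies are constructed samples; `smtplib.has_extn` and `smtplib.starttls` are the real Python standard-library calls.

```python
import smtplib
import ssl


def ehlo_advertises_starttls(ehlo_response: bytes) -> bool:
    """Return True if a raw EHLO reply lists the STARTTLS extension.

    Continuation lines are "250-KEYWORD ...", the last line is "250 KEYWORD ...";
    keywords are compared case-insensitively (RFC 5321).
    """
    for line in ehlo_response.decode("ascii", "replace").splitlines():
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0]   # line[3] is '-' or ' '
        if keyword.upper() == "STARTTLS":
            return True
    return False


# Constructed sample replies (not captured traffic). The first is what a real
# submission server sends; the second is what a hotel SMTP proxy of the kind
# described above would send: same shape, but no STARTTLS line.
LEGIT_EHLO = (b"250-mail.example.net Hello [192.0.2.10]\r\n"
              b"250-SIZE 52428800\r\n"
              b"250-STARTTLS\r\n"
              b"250 AUTH PLAIN LOGIN\r\n")
PROXY_EHLO = (b"250-smtp-proxy.hotel.example Hello [192.0.2.10]\r\n"
              b"250-SIZE 10485760\r\n"
              b"250 AUTH PLAIN LOGIN\r\n")


class StartTlsNotOffered(Exception):
    """Raised instead of silently continuing in cleartext."""


def connect_requiring_tls(host: str, port: int = 587, timeout: float = 10.0) -> smtplib.SMTP:
    """Open a submission session that REQUIRES TLS rather than preferring it.
    Whatever answers on host:port without advertising STARTTLS gets the session
    closed, so no credentials or message content are ever sent in the clear."""
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise StartTlsNotOffered(f"{host}:{port} did not advertise STARTTLS")
        smtp.starttls(context=ssl.create_default_context())  # verifies cert + hostname
        smtp.ehlo()  # re-issue EHLO after TLS, as RFC 3207 requires
        return smtp
    except Exception:
        smtp.close()
        raise
```

A "prefer TLS" client would, on the proxy reply, simply skip the STARTTLS step and send AUTH PLAIN in the clear; the require variant raises before that point.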