
Re: Default Exit Policy



Nathaniel Dube (njdube@xxxxxxxxx) wrote on Thu, May 22, 2008 at 11:59:28PM -0500:
> The only part of that I have in my config file is [accept *:*].  Is the rest 
> some kind of defaults?  I noticed one of the defaults is [reject *:587], which 
> I'm wondering why that would be in the defaults.  That port is used for 
> sending secure email.  Port 25 I can understand, but 587?!  I use that port 
> for Gmail.  I have two Gmail accounts.  One is this one, which is tied to my 
> real name.  The other isn't, and I use it with Thunderbird and the Torbutton 
> addon.  I've noticed that sometimes I can't send email and sometimes I can.  
> It all depends on the current circuit.  After seeing the default exit policy 
> I can see why I've been having the issues with my email.
> 
> The point of this email?!  I wish to understand the rationale for having the 
> defaults block ports used for secure, encrypted protocols.

I ran into a problem with this somewhat recently.

I blew away the default reject list on my node and made a fairly lengthy
one in its place.  As part of that, I allow 587, because it's supposed to
be authenticated, right?  It turns out that a lot of sites out there treat
587 just like 25: optional authentication, optional encryption, maybe some
relaying, whatever.  Thus, allowing 587 through Tor causes some
complaints.  I've still got it open, but every time someone complains I
consider turning it off.

Interestingly, there's no RFC standard that says that 587 will authenticate
or encrypt.  The closest you will get is RFC 5068, a best practice, which
says:

     Submission Authentication:

         MSAs MUST perform authentication on the identity asserted during
         all mail transactions on the SUBMISSION port, even for a message
         having a RCPT TO address that would not cause the message to be
         relayed outside of the local administrative domain.

None of the actual standards have a MUST for this.

I'd been meaning to email the list and ask if anyone else was having
problems relaying 587.  So, anyone else? :)

-- 
Bill Weiss
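The thread turns on how a Tor ExitPolicy is evaluated: rules are tried in order and the first match decides, so whether port 587 gets out depends on where a `reject *:587` sits relative to an `accept *:*`. The following Python is an added example, not code from the original posts or from Tor itself. It parses torrc-style `accept|reject ADDR[/MASK]:PORT` entries (`*` wildcards, IPv4 and bracketed IPv6 networks, single ports and `lo-hi` ranges) and answers "does this policy let traffic to host:port exit?" with first-match semantics. The policy strings at the bottom are constructed stand-ins for the thread's situation (the original poster's one-line policy, a short list modeled on the "defaults" he describes, and a hypothetical explicit list like Bill's); they are not Tor's actual default exit policy, and the destination addresses are documentation/private ranges chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    action: str                 # "accept" or "reject"
    network: Optional[Network]  # None means the '*' wildcard (any address)
    port_lo: int
    port_hi: int


def parse_rule(text: str) -> Rule:
    """Parse one ExitPolicy entry such as 'reject *:25',
    'accept 10.0.0.0/8:587-600' or 'accept [2001:db8::]/32:443'.
    Port part: '*', a single port, or 'lo-hi'."""
    action, _, target = text.strip().partition(" ")
    if action not in ("accept", "reject"):
        raise ValueError(f"bad action in rule: {text!r}")
    addr, sep, port = target.strip().rpartition(":")
    if not sep:
        raise ValueError(f"rule needs ADDR:PORT: {text!r}")
    addr = addr.replace("[", "").replace("]", "")  # [v6]/mask:port form
    network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range in rule: {text!r}")
    return Rule(action, network, lo, hi)


def parse_policy(text: str) -> List[Rule]:
    """Split a comma-separated ExitPolicy string into ordered rules."""
    return [parse_rule(r) for r in text.split(",") if r.strip()]


def rule_matches(rule: Rule, ip, port: int) -> bool:
    if not (rule.port_lo <= port <= rule.port_hi):
        return False
    if rule.network is None:
        return True
    return ip.version == rule.network.version and ip in rule.network


def exit_allowed(rules: List[Rule], host: str, port: int) -> bool:
    """First matching rule decides, which is how Tor evaluates exit
    policies.  If nothing matches we reject; a complete policy always
    ends in a catch-all, so that only happens for truncated input."""
    ip = ipaddress.ip_address(host)
    for rule in rules:
        if rule_matches(rule, ip, port):
            return rule.action == "accept"
    return False


def allowed_ports(policy: str, host: str, ports) -> dict:
    """Map each port to True/False under the given policy for one host."""
    rules = parse_policy(policy)
    return {p: exit_allowed(rules, host, p) for p in ports}


# Constructed sample policies (NOT Tor's real default list): a short
# stand-in for the "defaults" the thread discusses, the original poster's
# one-line torrc, and a hypothetical explicit list in the spirit of Bill's.
SAMPLE_DEFAULTS = "reject *:25, reject *:587, accept *:*"
OP_POLICY = "accept *:*"
EXPLICIT_POLICY = "reject *:25, reject 10.0.0.0/8:*, accept *:587, accept *:*"

if __name__ == "__main__":
    dst = "203.0.113.5"  # documentation address, constructed for the demo
    print("defaults alone:", allowed_ports(SAMPLE_DEFAULTS, dst, [25, 587, 443]))
    # 'accept *:*' listed first matches every destination, so anything
    # appended after it (the defaults, on the thread's reading) never fires.
    print("accept *:* then defaults:",
          allowed_ports(OP_POLICY + "," + SAMPLE_DEFAULTS, dst, [25, 587, 443]))
    print("explicit list:", allowed_ports(EXPLICIT_POLICY, dst, [25, 587]))
```

Two things this makes concrete for an operator debugging the thread's symptom: the same port can come out accepted or rejected purely because of rule order, and a relay that wants 587 open while still refusing 25 has to write the `reject *:25` before its catch-all accept. Whether Tor places its built-in defaults before or after the operator's lines is the assumption the second print relies on; check the ExitPolicy section of the Tor manual for your version rather than trusting the sample here.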