Re: [tor-dev] The future of GetTor

[Adam Pritchard <a.pritchard@xxxxxxxxxx>]

Oh, nice! Although for some reason ./testssl.sh --mx torproject.org does
not work for me, it says torproject.org has no mx records.

Weird. I just ran it and put the output into a gist -- pretty[1], plain[2]. And the CheckTLS sender test[3], for good measure.

Â

Yeah, our current approach is to get to many people as possible (that's
why, for example, we don't do DKIM verification).

We don't do DKIM/SPF verification either. I don't think the decision was with the rationale "to get to as many people as possible", though. More like, "kind of a hassle and doesn't gain us much". We limit the number of responses to a single address to 3 per day, so if an attacker is faking a From address there's only so much damage they can do... to a single target. I guess a bigger threat is an attacker causing us to spam all over the place, hurting our mail server's reputation. (Well. I guess now I have to reconsider checking DKIM/SPF.)

Â

Maybe we can share
experiences about it. Do you have a list of those services?

Not a comprehensive list, but here's a start...

Email services that play nice with strong TLS client/server reqs:

* Gmail

* Yahoo (but maybe not some of the regional ones? Like yahoo.de?)

* Hotmail/Outlook.com

* qq.com (Chinese email service)

Email services that do *not*:

* sina.cn, sina.net, sina.com.cn, sina.com (Chinese)

* 163.com (Chinese)

* tom.com (Chinese)

* 126.com (Chinese)

[1]:Âhttps://rawgit.com/adam-p/349d6753aa23fd359e67/raw/63c91716ffb3bc764b1b686b04fd239e1a69f11b/out.html

[2]:Âhttps://gist.githubusercontent.com/adam-p/349d6753aa23fd359e67/raw/cc95105ed0a647baf038ef30de0fe50b94589b44/out.txt

[3]:Âhttps://gist.githubusercontent.com/adam-p/349d6753aa23fd359e67/raw/f8ff6cbcd0f2b39f8b4960912161c6fb5b820f4e/checktls.com.txt

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev