Transparent hijacking of SMTP submission...

Christopher Morrow morrowc.lists at gmail.com
Sat Nov 29 18:46:05 UTC 2014


backing up a bit in the conversation, perhaps this is just in some
regions of comcastlandia? I don't see this in Northern Virginia...

$ openssl s_client -starttls smtp  -connect my-mailserver.net:587
CONNECTED(00000003)
depth=0 description = kVjtrCL8rUdvd00q, C = US, CN =
my-mailserver.net, emailAddress = my-emailaddrss.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 description = kVjtrCL8rUdvd00q, C = US, CN = my-mailsever.net,
emailAddress = my-emailaddress.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 description = kVjtrCL8rUdvd00q, C = US, CN =
my-mailserver.net, emailAddress = my-emailaddress.com
verify error:num=21:unable to verify the first certificate
verify return:1

...

Certificate chain
 0 s:/description=kVjtrCL8rUdvd00q/C=US/CN=my-mailserver.net/emailAddress=y-emailaddress.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA

...

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FC3E47AF2A2A96BF6DE6E11F96B02A0C41A6542864271F2901F09594DE9A48FA
    Session-ID-ctx:
    Master-Key:
BE7FB76EF5C0A9BA507B175026F73E67080D6442201FDF28F536FA38197A9B1353D644EEAF8D0D264328F94B2EF5742C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1417286582
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN
ehlo me
250-my-mailserver.net
250-PIPELINING


On Sat, Nov 29, 2014 at 12:26 PM, Jean-Francois Mezei
<jfmezei_nanog at vaxination.ca> wrote:
> On 14-11-29 11:07, Sander Steffann wrote:
>
>> I am so glad that our Dutch net neutrality laws state that "providers of Internet access services may not hinder or delay any services or applications on the Internet" (unless [...], but those exceptions make sense)
>
>
> However, in the case of SMTP, due to the amount of spam, most ISPs break
> "network neutrality" by blocking outbound port 25 for instance, and
> their SMTP servers will block much incoming emails (spam).  However,
> SMTP is a layer or two above the network. But blocking port 25 is at the
> network level.
>
> I have seen wi-fi systems where you ask to connect to 20.21.22.23 port
> 25, and you get connected to 50.51.52.53 port 25. (the ISPs own SMTP
> server).  I would rather they just block it than redirect you without
> warning to an SMTP server of their own where they can look and your
> outbound email, pretend to acccept it, and never deliver it.
>
>
>


More information about the NANOG mailing list