Collaborate Disseminate
I encountered an open TCP/143 IMAP port which responded with this banner:
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
From this I … Continue reading What does the IMAP banner alone show regarding security (STARTTLS, hashing, information disclosure)?
In setting up SMTP MTA Strict Transport Security (RFC 8461) for my domain, I’ve noticed some contradictory advice and practice: although the maximum value for the max_age policy value is around one year and the RFC states that "implem… Continue reading What are the risks of an MTA-STS policy with a long max_age?
This question has been asked and answered here, here, and also basically here. I’m asking again because the answers and information is conflicting.
LDAPS:
According to Wikipedia (and its RFC sources) LDAPS was LDAPv2, never standardized, a… Continue reading Is LDAPS or StartTLS more secure?
My goal was to send an email to a gmail address, like beta@gmail.com from a commandline tool such as netcat or telnet etc.
WHAT I TRIED:
I first tried netcat.
nc -C smtp.gmail.com 587
220 smtp.gmail.com ESMTP l35sm2846203wms.40 – gsmtp
EHL… Continue reading When sending email to Gmail address from netcat or openssl s_client, why do I get "Username and Password not accepted", despite correct credentials [migrated]
This article tells us that there are two types of STARTTLS: Opportunistic (i.e. optional STARTTLS) STARTTLS and Enforced STARTTLS, which works by the doctrine of "Encrypted connection or drop connection".
We can use checktls.com/… Continue reading How to check if a mail server is using Enforced-STARTTLS rather than Opportunistic-STARTTLS?
I am looking to set a third party application to authenticate with our domain. The application supports LDAPv3 and we have opted to use the start StartTLS extension to encrypt the credentials from the source host application towards the do… Continue reading LDAP StartTLS encryption – which TLS versions are supported?
I’m using ‘OpenConnect version v8.05’ on Red Hat Enterprise Linux 8.1 (Ootpa) in order to connect to a server.
The server only accepts SSLv3, TLSv1.0 ciphers and I don’t have access to the server for security update/upgrade.
When I try to … Continue reading Setting Min TLS version for OpenConnect client
What I want to do: Lock down the Tech Vlan so that only an approved device AND a user in the tech security group are allocated. I am hoping to achieve this via EAP-TTLS and Windows NPS whereby the machine provides the tunnel then the user … Continue reading Can EAP-TTLS provide the dual authentication I require?
When making a SASL/GSSAPI bind to an LDAP server over port 389 (ldap:///), after the authentication is finished is the resulting LDAP traffic encrypted? If so, is there a document or RFC that describes this?
Assume that no STARTLS comman… Continue reading Is traffic subsequent to a SASL/GSSAPI bind encrypted?
People are making a big fuss about how you absolutely have to disable SSLv3 because TLS can be downgraded to SSLv3 and there is barely a server left on the internet that speaks SSLv3.
At the same time, almost every mail serv… Continue reading Why is STARTTLS still used?