this is security?

Found out this afternoon that the email gurus at the local institution where I have an account don’t understand or don’t care about security: I asked why, after a maintenance outage, I was unable to read email, and an insider sent me a new server name I could use but told me that imap is going away as it doesn’t support encryption and sends passwords in the clear.

Really?

[/Users/paul]:: openssl s_client -connect mail:993
CONNECTED(00000003)
[ handshaking omitted ] 
SSL handshake has read 1272 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: B448E7A7B703C73C57BC7FA7E8D4E30F8B67DC76E4868C17C16AC2E48B88C642
    Session-ID-ctx: 
    Master-Key: 076960369DEDC2E9A2B8BC70D2FF070277D1E440CB2B5D1B0F5AA3770B48BB115FF61DDDF81E39CA23387186C0510F38
    Key-Arg   : None
    Start Time: 1310532030
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Hmm, that seems to work.

openssl s_client -connect some.email.host:993
connect: Operation timed out
connect:errno=60

That doesn’t look like they’re listening on that port.

openssl s_client -connect some.email.host:143
CONNECTED(00000003)
49016:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s23_clnt.c:607:

So no SSL on the server.

Huh. If I were going to hazard a guess here, I would say that it’s not that imap is busted or insecure but that someone’s doing it wrong. When I pointed out that imap wasn’t to blame, it turned out that they did try requiring SSL 4 years ago, but when it turned out that a lot of the user base didn’t have client software to support it, they turned it off. That’s actually worse: to know that the security of your communications is no better than the worst email client out there, with no standards or requirements, would be a fireable offense in some workplaces.
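One thing the s_client runs above cannot show: a server on port 143 may still offer STARTTLS (s_client only sees it with -starttls imap), and the question that matters is whether it refuses a plaintext LOGIN before TLS is up. The check below is an added example, not code from the original post: it pulls the CAPABILITY list on 993 and 143 and classifies what it finds; the host is whatever you pass on the command line, and the self-test greetings are constructed apart from the Dovecot line quoted above.

```python
import imaplib
import re
import ssl

CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]", re.IGNORECASE)


def parse_capabilities(greeting):
    """Extract the capability tokens from a '* OK [CAPABILITY ...]' greeting line."""
    m = CAP_RE.search(greeting)
    return {tok.upper() for tok in m.group(1).split()} if m else set()


def classify(capabilities, tls_already):
    """Turn a capability set into a verdict on how a password would travel.

    tls_already: True if the socket is already TLS (port 993, implicit TLS).
    """
    caps = {c.upper() for c in capabilities}
    if tls_already:
        return "implicit-tls"          # credentials only ever cross the wire encrypted
    if "STARTTLS" in caps:
        # LOGINDISABLED: the server refuses plaintext LOGIN until TLS is negotiated
        return "starttls-required" if "LOGINDISABLED" in caps else "starttls-optional"
    return "cleartext-logins"          # every client sends the password in the clear


def probe(host, timeout=5):
    """Check both IMAP ports of `host` and return {port: verdict}. Needs network access."""
    results = {}
    try:
        # create_default_context() verifies the certificate, so a self-signed cert
        # shows up here as an SSLCertVerificationError rather than passing silently
        conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ssl.create_default_context(), timeout=timeout)
        results[993] = classify(conn.capabilities, True)
        conn.logout()
    except (OSError, imaplib.IMAP4.error) as exc:   # timed out, refused, bad certificate, ...
        results[993] = "unavailable: " + type(exc).__name__
    try:
        conn = imaplib.IMAP4(host, 143, timeout=timeout)
        results[143] = classify(conn.capabilities, False)
        conn.logout()
    except (OSError, imaplib.IMAP4.error) as exc:
        results[143] = "unavailable: " + type(exc).__name__
    return results


if __name__ == "__main__":
    import sys
    for port, verdict in sorted(probe(sys.argv[1]).items()):
        print(f"{sys.argv[1]}:{port} -> {verdict}")
```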

cutting your own throat?

The idea that the South commemorates/venerates the Civil War is not new but the analysis here — that the decision to focus on manual agriculture, rather than do anything that might add value or elevate the status of slaves or freedmen — was right to the point. It’s understood that the North prevailed due to its industrial base, a key asset to the warfare of the time, but I hadn’t considered that there were decisions made beyond the simplest market analysis.

[From Freakonomics » Why Does the South Still Commemorate the Civil War, But Not the North? Bring Your Questions for Historian Peter Coclanis]

updating dynamic DNS automatically

None of the allegedly automatic methods actually, you know, work. Automatically, that is. So I hacked this together. It grabs the last-known address and the actual dynamic address, then compares them. If in sync, it exits; if not, it sends update requests. Not sure what interval to run it on, but I guess I’ll just pick one and crank it up or down until I see minimal disruptions in service, i.e. notes to the logfile that the addresses got out of sync.

#!/usr/local/bin/bash
# Compare the address DNS currently hands out for the monitored hostname with
# the address the outside world sees; run the update scripts only if they differ.
THEN=$(dnsip mail.thistledew.org)          # hostname you're monitoring (djbdns client)
#THEN=$(nslookup mail.thistledew.org | tail -1 | awk -F" " '{ print $3 }') # alternate method w/o djbdns
NOW=$(wget -qO- http://icanhazip.com)      # what the internet thinks your address is

# If either lookup came back empty, log it and stop rather than pushing a bogus update
if [ -z "${NOW}" ] || [ -z "${THEN}" ]; then
    logger "ip address check failed: dns='${THEN}' external='${NOW}'"
    exit 1
fi

if [ "${NOW}" != "${THEN}" ]; then
    # echo "ping";
    logger "ip addresses out of sync: updating"
    /usr/local/bin/update-afraidns.sh # your various update methods go here
    /usr/local/bin/dyndns.sh > /dev/null 2>&1
else
    # echo "pong";
    exit 0
fi

Update: at the month mark, this seems to be working. I get notified when it needs to sync addresses (usually at just past 4AM) and it’s not too often. It runs every 5 minutes (not sure when I changed it to that: it used to be once per hour, but that seemed to miss some of the IP address fluctuations). I could use some of the other client software I see (OpenDNS recommends one but I never got on with it) but this seems to work. Just enough to get the job done, not enough to be truly useful anywhere else, except as a model of how not to do it, perhaps.

Update, July 5, 2011: If I had thought this through, I would have tested the DNS servers I use more carefully. Turns out one of the four, between two providers, was constantly flaky.

$ host mail.thistledew.org ns1.afraid.org
mail.thistledew.org has address 174.21.112.113
 
$ host mail.thistledew.org ns3.afraid.org
mail.thistledew.org has address 174.21.112.113
 
$ host mail.thistledew.org ns9.zoneedit.com
mail.thistledew.org has address 174.21.112.113
 
$ host mail.thistledew.org ns15.zoneedit.com
mail.thistledew.org has address 174.21.122.16

Someone got voted off the island.