
In a public library, in the USA, SMTP is MITM'd, and STARTTLS is filtered out - edward
https://identi.ca/joeyh/note/3b9ykedXTN2TWxeGUuzS3g
======
jlgaddis
Not that MITM'ing is okay (the library should simply block 25/TCP outbound
instead), but he really should be using 587/TCP (cf. RFC6409).

$10 says the library has a Cisco ASA firewall (probably installed by some
young tech at a local I.T. company) inspecting SMTP traffic (which it does by
default). If he had issued "HELO/EHLO" (instead of "STARTTLS") we would
have been able to tell from the return response.

Anyways, if his mail client was configured to use 587/TCP and require
STARTTLS, the worst that would happen is that his client would refuse to
authenticate to the server (my SMTP servers, for example, do not advertise the
"AUTH" verb on 587/TCP until the connection is encrypted) and his credentials
wouldn't be compromised.

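The client-side policy jlgaddis describes (submit on 587/TCP, require STARTTLS, never send credentials over cleartext) and the server-side half (don't advertise AUTH until the session is encrypted) as an added worked example. This is not code from the thread or from any of the commenters' servers; the EHLO replies are constructed samples, the "stripped" one standing in for what an inspecting middlebox that removes the STARTTLS keyword would hand back, and `mail.example.org` is a placeholder host.

```python
import smtplib
import ssl
from email.message import EmailMessage
from typing import Dict

# Constructed EHLO reply from a submission server that offers STARTTLS (sample data).
EHLO_WITH_STARTTLS = (
    "250-mail.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)

# Constructed EHLO reply after a middlebox has stripped the STARTTLS keyword.
# AUTH is still advertised, so a careless client would send its password in cleartext.
EHLO_STRIPPED = (
    "250-mail.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(response: str) -> Dict[str, str]:
    """Return {EXTENSION: parameters} from a multi-line EHLO reply (RFC 5321, 4.1.1.1).

    The first line carries the server's domain and is not an extension.
    """
    lines = [line for line in response.split("\r\n") if line]
    extensions: Dict[str, str] = {}
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250"):
            raise ValueError("unexpected EHLO line: %r" % line)
        keyword, _, params = line[4:].partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def next_client_step(ehlo_response: str, tls_active: bool) -> str:
    """Client policy: what to do after reading an EHLO reply.

    Before TLS: 'starttls' if offered, otherwise 'abort' (treat a missing
    STARTTLS as stripping, never fall back to cleartext AUTH).
    After TLS: 'auth' if the server now offers AUTH, otherwise 'abort'.
    """
    extensions = parse_ehlo(ehlo_response)
    if not tls_active:
        return "starttls" if "STARTTLS" in extensions else "abort"
    return "auth" if "AUTH" in extensions else "abort"


def server_ehlo_reply(tls_active: bool) -> str:
    """Server policy on 587/TCP: advertise AUTH only once the session is encrypted,
    so even a client with a broken policy cannot authenticate in cleartext."""
    lines = ["250-mail.example.org", "250-SIZE 52428800"]
    if tls_active:
        lines.append("250-AUTH PLAIN LOGIN")
    else:
        lines.append("250-STARTTLS")
    lines.append("250 HELP")
    return "\r\n".join(lines) + "\r\n"


def submit_with_required_starttls(host: str, user: str, password: str,
                                  msg: EmailMessage, port: int = 587) -> None:
    """Submit a message over 587/TCP, refusing to authenticate unless STARTTLS
    succeeded with certificate verification. Not exercised offline; the pure
    policy functions above carry the same logic for the constructed samples."""
    context = ssl.create_default_context()  # verifies the server certificate and hostname
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("STARTTLS not offered; refusing to authenticate in cleartext")
        smtp.starttls(context=context)
        smtp.ehlo()  # extensions must be re-read after the TLS handshake
        if not smtp.has_extn("auth"):
            raise RuntimeError("AUTH not offered after STARTTLS")
        smtp.login(user, password)
        smtp.send_message(msg)
```

With this policy the stripping case degrades to a refused login rather than a leaked password, which is exactly the failure mode jlgaddis argues for; `server_ehlo_reply` is the complementary server-side configuration he describes, expressed as the reply a submission server would send.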
------
throwaway23053
Poor use of the term MITM. Is the device replacing certificates (public keys)
used to authenticate the mail server to the client? MITM'd typically refers to
an active TLS attack where server authentication public keys are substituted
allowing a MITM to terminate and reestablish a TLS session to a client. This
is just esmtp inspection.

~~~
nibbler
MITM has nothing to do with TLS. It just means that the attacker is talking to
both sides simultaneously, giving them the impression to be talking to each
other directly. Thus the attacker is able to read and manipulate the traffic. This
can be used to hand out the attacker's own certificates, but is in no way
limited to it. I'd call this attack, as the library is doing it, MITM.

