Closed Bug 1442994 Opened 6 years ago Closed 6 years ago

accounts@firefox.com sends with antique encryption (a59-51.smtp-out.us-west-2.amazonses.com [54.240.59.51])

Categories

(Cloud Services :: Server: Firefox Accounts, defect)


Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: jan, Unassigned)

References

Details

(Keywords: nightly-community, Whiteboard: [fxa-waffle-ignore])

> From: Firefox Accounts <accounts@firefox.com>
> Subject: Neue Anmeldung bei Firefox =?UTF-8?Q?best=C3=A4tigen?=
(confirm new login)

> Received: from a59-51.smtp-out.us-west-2.amazonses.com (a59-51.smtp-out.us-west-2.amazonses.com [54.240.59.51])
>	(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
>	(Client did not present a certificate)
>	by mx.h.terrax.net (Postfix) with ESMTPS id 3zvQBz3G7RzBhJx

* missing TLSv1.2 (e.g. with ECDHE-RSA-AES256-GCM-SHA384)
* missing client certificate (see also: bug 1439915)
* missing IPv6
* DKIM is rsa-sha256 (yay!)

https://docs.aws.amazon.com/ses/latest/DeveloperGuide/security.html
> Amazon SES to Receiver
> 
> Amazon SES sends messages over a TLS-protected connection (TLS version 1.0 only) by default.

So by default one should not use Amazon SES to send mail. :/
Assignee: infra → nobody
Component: Infrastructure: Mail → Server: Firefox Accounts
Product: Infrastructure & Operations → Cloud Services
QA Contact: limed
Hi there, I'm one of the operators responsible for running Firefox Accounts.

(In reply to Jan Andre Ikenmeyer [:darkspirit] from comment #0)
> https://docs.aws.amazon.com/ses/latest/DeveloperGuide/security.html
> > Amazon SES to Receiver
> > 
> > Amazon SES sends messages over a TLS-protected connection (TLS version 1.0 only) by default.
> 
> So by default one should not use Amazon SES to send mail. :/

Can you explain why Amazon SES only using TLS 1.0 means that we shouldn't be using it to send mail?
By far the most mail servers usually support TLS 1.2. The - I think - known sentence "use Gmail if you can't properly configure a mail server" has its reasons. That problem of Amazon SES is embarrassing.

Why a mail server must support TLS 1.2:
* by corporate policy https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
* PCI TLS 1.0 deprecation date is 2018-06-30
* to not block German ISPs from disabling legacy encryption at the end of June to guarantee state of the art protections required by law (§13 (7) Telemediengesetz)
* Authenticated encryption
* TLS 1.2 is 10 years old https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.2
* TLS 1.3 is coming this year
smtp.mozilla.org (mx2.scl3.mozilla.com) would be a good solution: see first quote in bug 1439915 comment 0
Hi there, we filed a support ticket with AWS regarding outbound email TLS 1.2 support for SES and got the following response:

> Our development team is already working to get SES outbound email to support TLS v1.2.
> I cannot provide you with an exact date when this will be available, but it is expected to be available before the deprecation of TLS 1.0 at the end of next June.
Thanks for reaching out to them! That sounds good.

Regarding comment 0: Could you also ask them if they're planning to catch up to Gmail's grade of quality by also using IPv6 and a client certificate?

To make it look like this:
> Received: from mail-wr0-x248.google.com (mail-wr0-x248.google.com [IPv6:2a00:1450:400c:c0c::248])
>	(using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits))
>	(Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))
>	by modern-mx.h.terrax.net (Postfix) with ESMTPS id 3zmK0v4q5rzBWcx
That's useful for separating wheat from chaff.
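
The checklist from comment 0 (TLS version, authenticated-encryption cipher, client certificate, IPv6), applied mechanically to the two `Received:` headers quoted in this bug. This is an added example, not code from any participant in the bug or from Mozilla; it assumes Postfix-style trace lines in the format quoted above, and the names `audit_received`, `SES` and `GMAIL` are hypothetical.

```python
import re

# The two Postfix "Received:" trace headers quoted in this bug (quote marks stripped).
SES = ('from a59-51.smtp-out.us-west-2.amazonses.com '
       '(a59-51.smtp-out.us-west-2.amazonses.com [54.240.59.51])\n'
       '\t(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))\n'
       '\t(Client did not present a certificate)\n'
       '\tby mx.h.terrax.net (Postfix) with ESMTPS id 3zvQBz3G7RzBhJx')
GMAIL = ('from mail-wr0-x248.google.com '
         '(mail-wr0-x248.google.com [IPv6:2a00:1450:400c:c0c::248])\n'
         '\t(using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits))\n'
         '\t(Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))\n'
         '\tby modern-mx.h.terrax.net (Postfix) with ESMTPS id 3zmK0v4q5rzBWcx')

TLS_RE = re.compile(r'\(using (TLSv[\d.]+) with cipher (\S+) \((\d+)/(\d+) bits\)')
CERT_RE = re.compile(r'\(Client CN "([^"]*)", Issuer "([^"]*)" \(([^)]*)\)\)')
PEER_RE = re.compile(r'\[(IPv6:)?([0-9A-Fa-f:.]+)\]')
AEAD = ('GCM', 'CCM', 'CHACHA20', 'POLY1305')  # markers of AEAD suites in OpenSSL names

def tls_version(token):
    """Map 'TLSv1' -> (1, 0) and 'TLSv1.2' -> (1, 2) so versions compare as tuples."""
    parts = token[len('TLSv'):].split('.')
    return int(parts[0]), int(parts[1]) if len(parts) > 1 else 0

def audit_received(header):
    """Return the findings from comment 0's checklist for one Received header."""
    tls = TLS_RE.search(header)
    if not tls:
        return ['no TLS (plaintext SMTP hop)']
    findings = []
    if tls_version(tls.group(1)) < (1, 2):
        findings.append('TLS below 1.2: ' + tls.group(1))
    if not any(tag in tls.group(2) for tag in AEAD):
        findings.append('non-AEAD cipher: ' + tls.group(2))
    cert = CERT_RE.search(header)
    if not cert:
        findings.append('no client certificate')
    elif cert.group(3) != 'verified OK':
        findings.append('client certificate not verified: ' + cert.group(3))
    peer = PEER_RE.search(header)
    if peer and not peer.group(1):
        findings.append('IPv4 peer: ' + peer.group(2))
    return findings

if __name__ == '__main__':
    for name, hdr in (('amazonses', SES), ('gmail', GMAIL)):
        print(name, audit_received(hdr) or 'no findings')
```
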
Whiteboard: [fxa-waffle-ignore]
This issue lies with our service provider, and while I agree more modern TLS is much needed, there's nothing for us to do here. Closing this bug as INCOMPLETE.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
(In reply to Julien Vehent [:ulfr] from comment #7)
> This issue lies with our service provider, and while I agree more modern TLS is much needed, there's nothing for us to do here. Closing this bug as INCOMPLETE.

(I filed bug 1447328 because the page linked in bug 1445663 comment 4 asks for an exemplary scenario.)

Thanks for reading through this and taking this to your attention. :) I can understand that it would be hard with such a large mail volume and your uptime requirements to quickly switch away from an inferior third party mail provider back to your own - then slightly polished - mailservers. I will patiently wait and think about where I could further help. It is really a pleasure to witness the awesome impact of Mozilla's work and its aspiration to be the leading example.
In reply to the "abusive" tag:
When writing a sentence I have references in my mind which I often don't write down. I am sorry that I have been interpreted as rude because of omitting the context.
The quote in comment 2 is from some security talk on YouTube where people - aware of the pain to get to a good mailserver configuration - knowingly laughed about it. It should lower the barrier of this bug report because you trusted Amazon SES and for unknown reasons its configuration did not keep modern, which felt a bit embarrassing to me, keeping in mind that spammers often have a more modern configuration. At least the ones that get through. The punchline was that it is inferior to Gmail and your own mail servers, particularly highlighted with comment 3. That was an encouragement because you already have a solid in-house solution which is missing only a few features.
I am not sure why comment 2 was flagged as abusive. There's nothing of the sort there, so I lifted the flag. Sorry about that.
See Also: → 1448578