• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • Support for BIND DNS has been removed from Plesk for Windows due to security and maintenance risks.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS.

Question About ports 465 and 587

websavers said:
I didn't say a MitM attack would require STARTTLS. I'm saying a MitM attack only works if there's no security on the connection at all and since Plesk requires STARTTLS on 587, the certificate validation would fail once STARTTLS was attempted to be negotiated (which occurs prior to authentication) unless either:

1. The user intentionally ignores the warning from the mail app, or
2. There's a malicious or hacked certifying authority that granted an SSL certificate to the MitM attacker that matches the hostname of the server (or the mail domain).

But these exceptions are identical for SSL/TLS over 465.

This means 587 with required STARTTLS before auth should be equally as secure as 465 with SSL/TLS.
Click to expand...
I think you have a fundamental misunderstanding how a MitM attack works.

In case of such an attack, the attacked user wants to contact the plesk server, but instead contacts the MitM server because someone managed to tweak DNS or routing or whatever.
Now why would that MitM server tell the user's client that it requires STARTTLS?
It won't. It will just ask the client to authenticate. So if the client has no setting to never send passwords unencrypted, it will happily give its credentials to the MitM server. Which can then contact the plesk server, use STARTTLS, log in using these credentials, and relay the data to the client so the user won't notice anything.
 
mow said:
I think you have a fundamental misunderstanding how a MitM attack works.

In case of such an attack, the attacked user wants to contact the plesk server, but instead contacts the MitM server because someone managed to tweak DNS or routing or whatever.
Now why would that MitM server tell the user's client that it requires STARTTLS?
It won't. It will just ask the client to authenticate. So if the client has no setting to never send passwords unencrypted, it will happily give its credentials to the MitM server. Which can then contact the plesk server, use STARTTLS, log in using these credentials, and relay the data to the client so the user won't notice anything.
Click to expand...

Thank you for the clarification!

My understanding is that most mail clients that have already negotiated with the server a previous time will assume the same connection settings and present an error if they don't work (unless the client has an 'automatically try other settings' option). Granted that isn't a guarantee, and doesn't cover the initial setup connection. Having said that if guides all indicate to use StartTLS, at least it's somewhat mitigated by that as well, yet I fully understand that not all users will necessarily obey that config, still resulting in lesser security than 465.
 
You must log in or register to reply here.

Similar threads

Z
Issue Blocked ports 25-587
Replies
1
Views
861
zihniates
Z
K
Question Cannot connect to SMTP server on localhost using tls (or ssl)
Replies
4
Views
518
Kroptokin
K
sergiomb
Resolved change smtp default port to 587 in autodiscover.xml
Replies
1
Views
2K
Kaspar
K
B
Issue Issue with Postfix over Port 465 - Delay in Email Delivery
Replies
1
Views
1K
defcon8
defcon8
S
Question Block 25 Port allow 587 port instead on Plesk
Replies
7
Views
3K
ChristophRo
ChristophRo
Back
Top