No subject


Tue Jul 23 12:40:59 CEST 2013


And apparently this only escalated because we failed to address it in private,
during support, which he claims did not respond to him:

https://twitter.com/JaimeChanaga/status/513373242456014849
https://twitter.com/JaimeChanaga/status/513375006190239744

That's not cool, at all.

He also states that Qualys is irrelevant as response, because it never tests
SMTP ports, see end of this conversation:

https://twitter.com/JaimeChanaga/status/513375645364387840

This reputational risk is still severe, and live.

We need a public page on the kind of settings we're using for what, and why.

So likely an explanation of the kind:

 SMTP -> only incoming, fairly liberal because any encryption is better than
none
 SUBMISSION -> user mail transport, using only strong ciphers: [details]
 HTTP -> never used
 HTTPS -> strongest setup, following these principles: [details]

HSTS & Co as general principles.

Also, any improvement to this setup would be always good, as per
https://issues.kolab.org/show_bug.cgi?id=3209#c0 guidelines and such.

But keep in mind that these are different applications, protocols, ports.

So we need a per-protocol policy explanation and configuration background, also
for ourselves. With a public version that explains how this is the best
possible at the moment.

And meanwhile I'll look into getting ourselves a better cert with SHA256, for
that's obviously needed. I'll likely be looking at an organisational verified
cert, and am thinking to up the "Swissness" of things for marketing purposes,
and because of https://mykolab.com/faq#comdomain

So *.mykolab.ch seems like what we want.

Which means we will need to update our configuration a bit, and need to think
how to handle the transition from .com to .ch.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
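The per-protocol policy sketched in the comment (opportunistic TLS on the public MX, mandatory TLS with a strict cipher policy on submission) can be checked mechanically. The script below is an added example for this page, not code from the bug report, from Kolab or from Postfix: it parses a Postfix main.cf and master.cf, resolves the effective smtpd_tls_* parameters per service (master.cf "-o" overrides beat main.cf), and reports where a service deviates from that policy. The two configuration pairs are constructed samples, and the concrete thresholds (SSLv2/SSLv3 disabled, "high" ciphers, aNULL and RC4 excluded, server cipher preference) are my assumptions about what the "[details]" in the comment would contain. Unset parameters are reported as findings on purpose, because Postfix's compiled-in defaults differ between versions.

```python
"""Audit the per-service TLS policy of a Postfix configuration (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: one liberal setting applied to every smtpd service.
WEAK_MAIN_CF = """
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
"""
WEAK_MASTER_CF = """
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
"""

# Constructed sample: opportunistic on port 25, mandatory and strict on 587.
HARDENED_MAIN_CF = """
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, MD5, RC4, 3DES
tls_preempt_cipherlist = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
"""
HARDENED_MASTER_CF = """
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
"""


@dataclass
class Service:
    name: str
    overrides: dict = field(default_factory=dict)


def parse_main_cf(text):
    """Parse 'key = value' lines; an indented line continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params


def parse_master_cf(text):
    """Return the smtpd services; indented '-o key=value' lines are per-service overrides."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            opt = raw.strip()
            if opt.startswith("-o") and services:
                key, _, value = opt[2:].strip().partition("=")
                services[-1].overrides[key.strip()] = value.strip()
            continue
        fields = raw.split()
        if len(fields) >= 8 and fields[7] == "smtpd":
            services.append(Service(fields[0]))
    return services


def tokens(value):
    return {t for t in re.split(r"[,\s]+", value) if t}


def excludes_sslv2_sslv3(value):
    """True if a Postfix protocol list disables SSLv2 and SSLv3 ('!SSLv2, !SSLv3' or '>=TLSv1.x')."""
    toks = tokens(value)
    return any(t.startswith(">=") for t in toks) or {"!SSLv2", "!SSLv3"} <= toks


def effective(params, svc, key, default=""):
    return svc.overrides.get(key, params.get(key, default))


def audit(main_cf, master_cf):
    """Map service name -> list of policy deviations (empty dict means all services pass)."""
    params, findings = parse_main_cf(main_cf), {}
    for svc in parse_master_cf(master_cf):
        issues = []
        level = effective(params, svc, "smtpd_tls_security_level", "none")
        if svc.name == "smtp":
            # Public MX: opportunistic TLS, since 'encrypt' would bounce mail from senders without STARTTLS.
            if level == "none":
                issues.append("STARTTLS not offered on port 25")
            elif level != "may":
                issues.append("mandatory TLS on a public MX rejects non-TLS senders")
            if not excludes_sslv2_sslv3(effective(params, svc, "smtpd_tls_protocols")):
                issues.append("smtpd_tls_protocols does not exclude SSLv2/SSLv3")
        elif svc.name == "submission":
            # Client submission: TLS mandatory, strict cipher policy (thresholds are assumptions).
            if level != "encrypt":
                issues.append("TLS not mandatory on submission")
            if not excludes_sslv2_sslv3(effective(params, svc, "smtpd_tls_mandatory_protocols")):
                issues.append("smtpd_tls_mandatory_protocols does not exclude SSLv2/SSLv3")
            if effective(params, svc, "smtpd_tls_mandatory_ciphers") != "high":
                issues.append("smtpd_tls_mandatory_ciphers is not 'high'")
            if not {"aNULL", "RC4"} <= tokens(effective(params, svc, "smtpd_tls_mandatory_exclude_ciphers")):
                issues.append("aNULL/RC4 not in smtpd_tls_mandatory_exclude_ciphers")
            if effective(params, svc, "tls_preempt_cipherlist", "no") != "yes":
                issues.append("server cipher preference (tls_preempt_cipherlist) not enabled")
        if issues:
            findings[svc.name] = issues
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_MAIN_CF, WEAK_MASTER_CF))
    print("hardened:", audit(HARDENED_MAIN_CF, HARDENED_MASTER_CF))
```

Run against the two samples, the weak pair reports the submission service as inheriting the MX's opportunistic setting and the MX as not disabling SSLv2/SSLv3 explicitly, while the hardened pair reports nothing. The same pattern (resolve per-service effective values, then apply a different policy per port) is what a public "which settings for which protocol, and why" page would be describing.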

Date: Sun, 21 Sep 2014 11:22:15 +0200

Greve, Georg <greve@kolabsys.com> changed bug 3209
(ASSIGNED --- - Improve SMTP/IMAP/HTTP encryption settings to pass starttls.info,
https://issues.kolab.org/show_bug.cgi?id=3209):

  What       Removed   Added
  Severity   normal    critical

Comment # 8 on bug 3209 from Greve, Georg
(https://issues.kolab.org/show_bug.cgi?id=3209#c8):

We just had another public calling out on the issue.



More information about the websites-team mailing list