Post 9sdybLF0omh6OxXECu by unicornfarts@fosstodon.org
(DIR) Post #9sdY7vZ8bO1nZ4GJdY by codesections@fosstodon.org
2020-03-03T17:22:00Z
0 likes, 0 repeats
Email/ #smtp question: The normal way people/clients access email is for the server to expose a port on the public Internet and for the client to authenticate to that port with a username/password. Is there any reason why the server couldn't expose the port on localhost, then have the client use SSH port forwarding (or maybe a VPN) to access that port? That way, you'd secure access with public key cryptography instead of passwords. (I guess this wouldn't work for webmail, but still.)
(DIR) Post #9sdYsznuf5fgJtcJmq by TsRoe@fosstodon.org
2020-03-03T17:30:13Z
0 likes, 0 repeats
@codesections What problem do you want to solve with this? The low entropy of passwords? You can solve that by using a stronger, more random password too. Or are you concerned about secrecy? That's why we use TLS via STARTTLS or on the dedicated port 465.
(DIR) Post #9sdYzCGZEyl4hxyclM by TsRoe@fosstodon.org
2020-03-03T17:30:57Z
0 likes, 0 repeats
@codesections What problem do you want to solve with this? The low entropy of passwords? You can solve that by using a stronger, more random password too. Or are you concerned about secrecy? That's why we use TLS via STARTTLS or on the dedicated port 465.
(DIR) Post #9sdbvYPLHDbY5D2H6e by codesections@fosstodon.org
2020-03-03T18:04:33Z
0 likes, 0 repeats
@TsRoe > What problem do you want to solve [by accessing an email server via SSH instead of authenticating with a password]?

That's a very good question, and a productive way to frame it. I don't have a *great* answer. But benefits of SSH auth include key rotation, per-key permissions, "free" support for 2FA, and automatic password-strength minimums. Basically, I'd flip your question around: we *could* secure SSH with arbitrarily long passwords, but key auth is better. Why not for email?
(DIR) Post #9sdcI5TD23lqzkaaaO by Steinar@fosstodon.org
2020-03-03T18:08:34Z
0 likes, 0 repeats
@codesections I've done stuff like that for IRC (without TLS) and homebrew stuff. Quite frankly, PKI sucks, so why not?
(DIR) Post #9sdgoFe78LRZddHZ8y by TsRoe@fosstodon.org
2020-03-03T18:59:11Z
0 likes, 0 repeats
@codesections Reading your original post again, I see now that this already was kind of your question in the first place and I didn't answer it. Sorry. I guess my answer would be: "I don't think there is any problem with it security-wise, it just seems kind of complicated." I think it would actually be quite elegant however to have an SMTP server that doesn't require auth at all, but only accepts signed mail. (Replay attacks might be a problem though.)
(DIR) Post #9sdtPsDRtRnBQQW39c by codesections@fosstodon.org
2020-03-03T21:20:29Z
0 likes, 0 repeats
@sheogorath > Yes, you can do that, but why expose your MTA to other local users? Basically every application could then send emails as soon as you SSH into your machine. Using regular x509 client certificates or scripting your sendmail stuff to use the remote sendmail would be more secure since you wouldn't expose an unauthenticated port over localhost.

I'm not following. Why would the port need to be unauthenticated just because it's forwarded via SSH?
(DIR) Post #9sdyUYLrfv1b2IVFwG by codesections@fosstodon.org
2020-03-03T22:17:26Z
0 likes, 0 repeats
@sheogorath Sorry, I wasn't very clear. The context I had in mind was something like: A technical user runs an email server for themselves/a small handful of users. The authorized_keys file on the server lets each user connect via SSH and set up port forwarding. (Or something similar with a VPN; I haven't thought through the details.) That way, accessing email is protected by asymmetric cryptography and breaches only occur for a user if their private key is compromised.
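The setup codesections sketches in the post above, as an added example that is not part of the thread: an sshd authorized_keys entry that lets a user's key open nothing but tunnels to the mail daemons on the server's loopback interface, plus the matching client-side ssh command. The host name, user name, key string and the assumption that IMAP listens on 127.0.0.1:143 and submission on 127.0.0.1:587 are all made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: IMAP on 127.0.0.1:143
# and submission on 127.0.0.1:587, neither reachable from outside; users reach
# them only through an SSH tunnel whose key is limited to those two targets.
# Needs OpenSSH 7.2 or later for the "restrict" option.

MAIL_PORTS="143 587"

# One authorized_keys line for a user's public key.
# restrict        : no pty, no agent/X11 forwarding, no rc files, no forwarding
# port-forwarding : re-enable forwarding, which restrict just switched off
# permitopen      : -L may only target these loopback host:port pairs
authorized_keys_line() {
  pubkey="$1"
  opts="restrict,port-forwarding"
  for p in $MAIL_PORTS; do
    opts="$opts,permitopen=\"127.0.0.1:$p\""
  done
  printf '%s %s\n' "$opts" "$pubkey"
}

# Client side: -N opens no shell; each -L binds a local loopback port
# (1143, 1587) and carries it through the tunnel to the server's daemon.
client_tunnel_command() {
  host="$1"
  user="$2"
  cmd="ssh -N"
  for p in $MAIL_PORTS; do
    cmd="$cmd -L 127.0.0.1:1$p:127.0.0.1:$p"
  done
  printf '%s %s@%s\n' "$cmd" "$user" "$host"
}

# Constructed key and host names for the demonstration.
authorized_keys_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly alice@laptop"
client_tunnel_command mail.example.org alice
```

The mail client is then pointed at 127.0.0.1:1143 and 127.0.0.1:1587 and still performs its normal IMAP login and SMTP AUTH: the key decides who may reach the ports, the login tells the daemons which mailbox or sender the session belongs to. `restrict` also drops pty, agent forwarding, X11 and rc-file execution, so the key is useless for getting a shell, and sshd must have AllowTcpForwarding set to yes or local for these users or the tunnel is refused.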
(DIR) Post #9sdybLF0omh6OxXECu by unicornfarts@fosstodon.org
2020-03-03T22:18:38Z
0 likes, 0 repeats
@codesections Couldn't you just have the mail server deliver to local system users, then people would just ssh into their respective system accounts and read mail with mutt or something. lol at using system accounts as email recipients.
(DIR) Post #9sdzUpKycfS9fcmZ60 by unicornfarts@fosstodon.org
2020-03-03T22:22:48Z
0 likes, 0 repeats
@codesections That wouldn't be a decentralized solution. More like a digital P.O.Box than email.
(DIR) Post #9sdzUpqWjMgrFTXlGy by codesections@fosstodon.org
2020-03-03T22:28:41Z
0 likes, 0 repeats
@unicornfarts > That wouldn't be a decentralized solution. More like a digital P.O.Box than email.

Well, it wouldn't be any *more* centralized than the current system, would it? In either case, you have clients connecting to a server that (from the client's point of view) is a centralized hub/P.O. Box. How (de)centralized the system as a whole is depends on how many servers there are. If everyone runs their own server, it's fully decentralized; if everyone uses Gmail, it's fully centralized.
(DIR) Post #9sdzk6fGTzN9kmYdhA by unicornfarts@fosstodon.org
2020-03-03T22:31:26Z
0 likes, 0 repeats
@codesections Good point.
(DIR) Post #9sdzmDLGcwDL2hD1DE by unicornfarts@fosstodon.org
2020-03-03T22:29:46Z
0 likes, 0 repeats
@codesections or better yet, have your clients pull their email files off the server automatically via rsync (which is over ssh). Kinda like setting up a mail reader, except with ssh.
(DIR) Post #9sdzmDcdaM6nuZKtHs by codesections@fosstodon.org
2020-03-03T22:31:52Z
0 likes, 0 repeats
@unicornfarts > have your clients pull their email files off the server automatically via rsync (which is over ssh). Kinda like setting up a mail reader, except with ssh.

That wouldn't handle sending though. And if you've got a system to handle sending separately, why not use that connection for pulling down messages too?
(DIR) Post #9se050XyQHbIrT77GC by tfidf@fosstodon.org
2020-03-03T22:34:58Z
0 likes, 0 repeats
@codesections You would allow every authenticated user to pretend to be some other user, because the SMTP server would not know anymore who is talking to it.
(DIR) Post #9se0ARx7xMxdJ4TSkq by unicornfarts@fosstodon.org
2020-03-03T22:36:07Z
0 likes, 0 repeats
@codesections ssh/mutt it is then! Schmutty Email.
(DIR) Post #9sehDFODQ02JEyizmC by jpfox@m.g3l.org
2020-03-04T06:38:36Z
0 likes, 0 repeats
@codesections Be careful: if Postfix does not authenticate the sender by itself, the email header will specify it and your messages should be marked as spam by the receiving server.
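What tfidf's objection and jpfox's warning above come down to in code, as an added example that is not part of the thread: once every tunnelled session arrives from 127.0.0.1, the only identity the submission server has is the SASL login, so the envelope sender has to be checked against that login rather than against the connecting address. The map, logins and addresses are constructed sample data; the check mirrors what Postfix does with smtpd_sender_login_maps and reject_sender_login_mismatch, but it is a stand-alone shell function written here, not Postfix's code.

```shell
#!/bin/sh
# Added example, not from the thread: bind the envelope sender of a submission
# to the SASL login that authenticated the session. Over an SSH tunnel every
# client connects from 127.0.0.1, so the login is the only identity the
# server has; without this check any tunnel user can MAIL FROM: anyone.
# Postfix equivalent: smtpd_sender_login_maps + reject_sender_login_mismatch.

# Constructed sample map: sender address -> logins allowed to use it.
SENDER_LOGIN_MAP='alice@example.org alice
bob@example.org bob
postmaster@example.org alice bob'

# Usage: check_sender_login <sasl_login or ""> <mail_from>
# Prints a verdict; returns 0 to accept the MAIL FROM, 1 to reject it.
check_sender_login() {
  login="$1"
  sender=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # map keys are stored lower-case

  if [ -z "$login" ]; then
    echo "REJECT: no SASL login (reaching the port is not authentication)"
    return 1
  fi

  # logins that own this sender address, or empty if the address is unknown
  owners=$(printf '%s\n' "$SENDER_LOGIN_MAP" \
           | awk -v s="$sender" 'tolower($1) == s { $1 = ""; print }')
  if [ -z "$owners" ]; then
    echo "REJECT: $sender is not owned by any login"
    return 1
  fi

  for owner in $owners; do
    if [ "$owner" = "$login" ]; then
      echo "OK: $login may send as $sender"
      return 0
    fi
  done
  echo "REJECT: login $login may not send as $sender"
  return 1
}

# Constructed sessions as the server would see them after SMTP AUTH;
# the last two are expected to be rejected.
check_sender_login alice alice@example.org
check_sender_login bob   alice@example.org || true   # impersonation attempt
check_sender_login ""    bob@example.org   || true   # tunnel reached, no AUTH
```

In Postfix the same policy is a lookup table mapping each address to its logins, referenced from smtpd_sender_login_maps, with reject_sender_login_mismatch placed in the submission service's sender or recipient restrictions; the tunnel then only controls who can reach port 587, and the SASL login decides which From addresses a session may use.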