Mastodawn

Colin Cogle

Jan 22, 2025

@mwl Running port 25 behind a residential IP is an instant block. I have everything running like clockwork behind a mid-sized hosting provider, but I'm always looking to improve things.

@colin @mwl I run my own on a vps but I wonder if it would be too shitty to run it at home and keep the VPs as a proxy with socat services?

@a @mwl @colin This is exactly what you want to do. And setup DANE for your domain, and outgoing DANE enforcement, so malicious party on the VPS side can't MITM you.

@dalias @mwl @colin I assume you have full control of the VPS . At least I di

@a @mwl @colin If the VPS isn't on your premises or locked in fail-closed tamper resistant enclosure at your colo, you don't have full control over it. Law enforcement can mandate hosting provider backdoor it, and there are plenty of cross-guest attacks in virtual hosting environments.

@dalias @mwl @colin true, but idk how DANE could alleviate those problems either.

@a @mwl @colin You don't run the mail server on the VPS, just proxy thru its IP. The TLS is terminated on your premises, so as always, if certificate is validated correctly (this is what you need DANE for; otherwise TLS on mail is opportunistic), MITM is impossible even if the attacker fully controls the VPS.

@dalias @mwl @colin I doubt the impossible words can be used here. I guess people with more evil imagination than me can think of ways to do so. Just a data point https://notes.valdikss.org.ru/jabber.ru-mitm/

Encrypted traffic interception on Hetzner and Linode targeting the largest Russian XMPP (Jabber) messaging service —

@a @mwl @colin That's exactly what I'm talking about. And with webpki, controlling the public IP lets attacker get forged certs unless you're using DNSSEC and CAA to forbid all but specific authorized cert issuance. But with DANE, control of the IP gets them nothing because the key is pinned.

@dalias @mwl @colin ...assuming you have full control of the DNS server I guess

@a @mwl @colin The DNS server doesn't have to be trusted either. Just the DS delegation records from the parent zone. If they're tampered with, that provides a paper trail of wrongdoing (compromised registrar).

@dalias @mwl @colin I guess I'll have to trust you on this one :-P I'm not an expert on security, but uttering words like "impossible" sound like a red flag to me. "Very hard"? sure though.

@a @mwl @colin Cryptographically impossible (assuming the cipher isn't broken which isn't a realistic threat).

Where compromises like the one you cited happen are by compromising one party in the cryptographic chain, not by breaking the crypto. With DANE the only parties who can potentially be compromised are your registrar, the TLD authority, and the DNS root.

Colin Cogle

@dalias @a @mwl I’m also “cheating” and using DANE to match the intermediate CA’s, not the public key of my cert. I should really fix that.