GNOME Bugzilla – Bug 764211
Outgoing mail not encrypted
Last modified: 2018-09-21 15:25:30 UTC
Google has started flagging mail sent in plain text over the wire, i.e., without transport layer encryption. Gnome mailing lists, notably gtk-devel, appear to be sent in cleartext. It's not particularly secret, but all mail really ought to be encrypted on the wire at this point in time. Suggestion: encrypt.
Gmail's red lock is there for two main reasons: 1. DKIM missing on the gnome.org domain 2. SMTP server used by the GNOME contributor not supporting TLS As of today the GNOME Infrastructure does not provide an SMTP server for relaying outbound e-mails, what we do is serving a set of aliases which a remote mail server can query. Once smtp.gnome.org has been queried, the e-mail the alias forwards to is returned, from there smtp.gnome.org effectively sends the e-mail. What happens for inbound e-mails: @gnome.org alias owner mail client - (TLS, if supported)> @gnome.org alias owner mail server - (TLS, if the local server requests it) -> smtp.gnome.org - (TLS, if supported by recipient's mail server)> recipient mail server What smtp.gnome.org didn't have before today: 1. Inbound TLS (mails between an external SMTP server and smtp.gnome.org weren't encrypted, ever). What we do now is instead supporting STARTTLS, it's then up to the external mail server to STARTTLS or not. 2. Outbound TLS (no SASL involved as we don't offer any SMTP relaying service) for e-mails that are sent from an external mail server to a @gnome.org mail alias. When the remote mail server reaches smtp.gnome.org, the aliases table is evaluated and from there smtp.gnome.org is able to STARTTLS if the remote mail server is configured to do so. For a certain set of domains we plan to encrypt e-mails by default, the list currently only includes gmail.com. If you have more suggestions please let us know. Why the red lock isn't going to disappear even after increasing smtp.gnome.org's security? As reported above we don't offer DKIM as @gnome.org alias owners do use their own SMTP servers as of today which prevents us to include DKIM signatures on the outgoing e-mails. Our mail server security has however been secured with the improvements listed above. Thanks for your report!
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/Infrastructure/Infrastructure/issues/12.