[tor-dev] The future of GetTor

Adam Pritchard a.pritchard at psiphon.ca
Fri Jun 19 20:17:00 UTC 2015

> Oh, nice! Although for some reason ./testssl.sh --mx torproject.org does
> not work for me, it says torproject.org has no mx records.

Weird. I just ran it and put the output into a gist -- pretty[1], plain[2].
And the CheckTLS sender test[3], for good measure.

> Yeah, our current approach is to get to many people as possible (that's
> why, for example, we don't do DKIM verification).

We don't do DKIM/SPF verification either. I don't think the decision was
with the rationale "to get to as many people as possible", though. More
like, "kind of a hassle and doesn't gain us much". We limit the number of
responses to a single address to 3 per day, so if an attacker is faking a
>From address there's only so much damage they can do... to a single target.
I guess a bigger threat is an attacker causing us to spam all over the
place, hurting our mail server's reputation. (Well. I guess now I have to
reconsider checking DKIM/SPF.)

> Maybe we can share
> experiences about it. Do you have a list of those services?

Not a comprehensive list, but here's a start...

Email services that play nice with strong TLS client/server reqs:

* Gmail
* Yahoo (but maybe not some of the regional ones? Like yahoo.de?)
* Hotmail/Outlook.com
* qq.com (Chinese email service)

Email services that do *not*:

* sina.cn, sina.net, sina.com.cn, sina.com (Chinese)
* 163.com (Chinese)
* tom.com (Chinese)
* 126.com (Chinese)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20150619/c1548cce/attachment.html>

More information about the tor-dev mailing list