On 05/29/2014 07:12 PM, Brian Smith wrote:
On Thu, May 29, 2014 at 2:03 PM, Andrew Sutherland <
asutherl...@asutherland.org> wrote:
It seems like you would be able to answer this as part of the scan of the
internet, by trying to retrieve the self-hosted autoconfig file if it is
available. I suspect you will find that almost nobody is self-hosting it.
I agree with your premise that the number of people self-hosting
autoconfig entries is so low as to not be a concern other than not
breaking them and allowing that to be an override mechanism for the ISPDB.
Also, https://scans.io/ has a number of useful internet scans we can use
already, so I don't think we need to do the scan ourselves for our first
round. While the port 993/995 scans at https://scans.io/study/sonar.cio
are somewhat out-of-date (2013-03-30), the DNS dumps and port 443 scans
are modern and should be sufficient to achieve a fairly comprehensive
database. Especially if we make the simplifying assumption that all
relevant mail servers have been operational at the same domain name
since at least then. (Obviously the IP addresses may have changed so
we'll need to use a reverse DNS dump from the appropriate time period.)
Autopopulating all the autoconfig information is a lot of work, I'm sure.
But, it should be possible to create good heuristics for deciding whether
to accept certs issued by untrusted issuers in an email app. For example,
if you don't have the (full) autoconfig data for an MX server, you could
try creating an SMTP connection to the server(s) indicated in the MX
records and then use STARTTLS to switch to TLS. If you successfully
validate the certificate from that SMTP server, then assume that the
IMAP/POP/LDAP/etc. servers use valid certificates too, even if you don't
know what those servers are.
Very interesting idea on this! Thanks!
Andrew
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
