2013-11-05

Yesterday I wrote about the information leak at the Railjet WiFi. Today I’m traveling back to Tirol again on a Railjet and I found something else disturbing. I believe it’s even more problematic as it concerns the mail system. I used the openssl client to check various SSL and TLS connections to my servers, and when I ran the following:

$ openssl s_client -connect smtp.xxx.at:25 -starttls smtp

I got something I didn’t expect:

CONNECTED(00000003)

didn't found starttls in server response, try anyway...

Hey, my server does not support STARTTLS? I’m sure it does. I SSHed to a server of mine, typed the same command and got my server certificate complete with chain. So something is not right here. I switched to Wireshark (which is running all the time … Ok, I launched it) and looked at the traffic:

server: 220 profinet.at SurgeSMTP (Version 6.3c2-2) http://surgemail.com

client: EHLO openssl.client.net

server: 250-profinet.at. Hello openssl.client.net (194.112.182.213)

server: 250-AUTH LOGIN PLAIN

server: 250-ETRN

server: 250-X-ID 5043455352563431333833323030373135

server: 250-SIZE 50000000

server: 250 HELP

client: STARTTLS

server: 500 Sorry SSL/TLS not allowed from (194.112.182.213)

Hey? That’s not my mail server. It’s not my IP address and it’s certainly not the mail server software I use. WTF?

Someone is intercepting my SMTP traffic, and if my mail clients used the default setting (use TLS if possible) I would now be sending my login data (which for most people is the same as for fetching mail) in the clear over an unprotected WiFi. Block port 25 if you’re afraid of spammers, but don’t force unencrypted traffic over an open WiFi.

Anyway, what’s that profinet.at stuff? Can’t be profi as in professionals. The Whois says the following:

Domaininhaber:

Organisationsname:       OeBB Telekom Service GmbH

Strasse:         Bruenner Strasse 20

PLZ:     1210

Stadt:   Wien

Land:    AT

Ok, that’s the OeBB itself. Real experts.

So keep an eye on your SMTP/IMAP configuration and make sure you’re forcing TLS/SSL, otherwise someone in the same train is seeing your data.
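Two things are worth automating from this story: spotting the downgrade in a captured exchange like the one above (wrong banner host, no STARTTLS in the EHLO reply, AUTH offered on a plaintext session, a 500 answer to STARTTLS), and making the mail client itself fail closed instead of "use TLS if possible". The script below is an added example, not code from the original post. The intercepted sample is constructed from the exchange shown above; the healthy sample and the host name smtp.example.at are assumptions, and the network function is only a sketch of how a client should behave, not the behaviour of any particular mail client.

```python
"""Detect SMTP STARTTLS stripping from a captured exchange, and connect fail-closed.

Added example, not code from the original post. Sample transcripts are
constructed; host names are assumptions.
"""
import smtplib
import ssl

# Constructed sample: the EHLO dialogue the post captured on the train WiFi
# (server side only, as the client sees it).
INTERCEPTED = """\
220 profinet.at SurgeSMTP (Version 6.3c2-2) http://surgemail.com
250-profinet.at. Hello openssl.client.net (194.112.182.213)
250-AUTH LOGIN PLAIN
250-ETRN
250-X-ID 5043455352563431333833323030373135
250-SIZE 50000000
250 HELP
500 Sorry SSL/TLS not allowed from (194.112.182.213)
"""

# Constructed sample: what a sane server answers (assumed host name).
HEALTHY = """\
220 smtp.example.at ESMTP Postfix
250-smtp.example.at
250-STARTTLS
250-SIZE 50000000
250 HELP
220 2.0.0 Ready to start TLS
"""


def parse_exchange(text):
    """Split a server-side SMTP transcript into the banner, the EHLO
    extension keywords, and the reply to STARTTLS (None if never sent)."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    banner = lines[0]
    exts, starttls_reply = [], None
    for ln in lines[1:]:
        if ln.startswith("250-") or ln.startswith("250 "):
            parts = ln[4:].split()
            if parts:
                exts.append(parts[0].upper())
        else:
            # Anything that is not part of the 250 multi-line reply is the
            # answer to our STARTTLS command.
            starttls_reply = ln
    # The first 250 line is the greeting, not an extension.
    return {"banner": banner, "extensions": exts[1:], "starttls_reply": starttls_reply}


def assess(text, expected_host):
    """Return a list of findings; an empty list means the exchange looks sane."""
    ex = parse_exchange(text)
    findings = []
    banner_parts = ex["banner"].split()
    banner_host = banner_parts[1] if len(banner_parts) > 1 else ""
    if banner_host.lower() != expected_host.lower():
        findings.append(f"banner names {banner_host!r}, expected {expected_host!r}")
    if "STARTTLS" not in ex["extensions"]:
        findings.append("STARTTLS not advertised in EHLO response")
        if "AUTH" in ex["extensions"]:
            findings.append("AUTH offered on a plaintext session")
    reply = ex["starttls_reply"]
    if reply is not None and not reply.startswith("220"):
        findings.append(f"STARTTLS rejected: {reply}")
    return findings


def login_only_over_tls(host, port, username, password, context=None):
    """Fail-closed client: require STARTTLS plus certificate validation and
    send credentials only once the session is encrypted. Raises instead of
    quietly falling back to plaintext. Hypothetical helper, not a real client."""
    context = context or ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} did not advertise STARTTLS; refusing to send credentials")
        smtp.starttls(context=context)  # raises on a '500 ...' reply or a bad certificate
        smtp.ehlo()                     # re-EHLO inside the TLS session
        smtp.login(username, password)
        return smtp.noop()[0] == 250


if __name__ == "__main__":
    for name, sample, host in (("intercepted", INTERCEPTED, "smtp.xxx.at"),
                               ("healthy", HEALTHY, "smtp.example.at")):
        print(name, "->", assess(sample, host) or "looks sane")
```

Run against the captured exchange with the host you meant to reach, the assessment reports the foreign banner, the missing STARTTLS, the plaintext AUTH offer and the 500 rejection; the healthy sample yields nothing. The client helper is the policy the last paragraph asks for expressed in code: no STARTTLS, no login.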
