Community discussions

 
risk
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Apr 18, 2016 2:16 pm

/tool e-mail send start-tls seems insecurable, need advice.

Thu Jan 03, 2019 11:44 pm

I'd like to be able to email a config backup securely without using a vpn. I was hoping to use TLS but I'm not sure how it's intended to be used.

It seems like there's no way to have RouterOS require the email SMTP server to use `STARTTLS`:

```
/tool e-mail send from=some_sender to=some_receiver start-tls=yes server=some_server port=some_port user=some_user password=some_pass file=some_file
```

- setting `start-tls=no` will not attempt STARTTLS
- setting `start-tls=tls-only` will connect and immediately start talking TLS with a client hello (i.e. it won't really use the STARTTLS command, it'll just start talking TLS straight away).
- setting `start-tls=yes` will only attempt STARTTLS if the server advertises it in an extension, but will be happy to send a message unencrypted.

There seems to be no way to have the MikroTik as a client require an upgrade using STARTTLS.

---

Also, it seems like using any self-signed cert is fine with STARTTLS - how are certificates meant to be checked with e-mail? Unlike `/tool fetch`, there's apparently no check-certificates option for email.
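For comparison with the lenient `start-tls=yes` behaviour described above, here is what a fail-closed SMTP submission client looks like: it refuses to continue unless the server advertises STARTTLS, upgrades with a verifying TLS context, and only then sends credentials. This is an added example written in Python's standard `smtplib`, not RouterOS code; the server, port, user and addresses are placeholders.

```python
"""Fail-closed SMTP submission: require STARTTLS, verify the server
certificate, and only send credentials over the upgraded session.
Added example, not RouterOS code."""
import smtplib
import ssl
from email.message import EmailMessage


def ehlo_advertises_starttls(ehlo_msg: bytes) -> bool:
    """True if the EHLO reply lists the STARTTLS extension.

    smtplib hands back the multi-line EHLO reply as one bytes blob,
    one extension keyword per line; keywords are case-insensitive.
    """
    return any(line.strip().upper() == b"STARTTLS"
               for line in ehlo_msg.splitlines())


def send_strict(server: str, port: int, user: str, password: str,
                sender: str, receiver: str, body: str) -> None:
    """Send *body* only inside a STARTTLS session with a verified cert."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with smtplib.SMTP(server, port, timeout=30) as smtp:
        code, ehlo_msg = smtp.ehlo()
        if code != 250 or not ehlo_advertises_starttls(ehlo_msg):
            # A lenient client (start-tls=yes) would carry on in plaintext
            # here and hand the credentials to whatever answered.
            raise RuntimeError("server did not offer STARTTLS; refusing")
        smtp.starttls(context=ctx)  # raises on an untrusted certificate
        smtp.ehlo()                 # re-negotiate extensions after upgrade
        smtp.login(user, password)  # credentials now travel encrypted
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, receiver
        msg["Subject"] = "config export"
        msg.set_content(body)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Placeholder values; replace with a real submission server to run.
    send_strict("mail.example.test", 587, "some_user", "some_pass",
                "some_sender@example.test", "some_receiver@example.test",
                "/export output goes here")
```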
 
sebastia
Forum Guru
Posts: 1292
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: /tool e-mail send start-tls seems insecurable, need advice.

Fri Jan 04, 2019 12:10 am

And if you encrypt the backup itself, and transmit it in the clear ...

```
/system backup save password=
```
 
risk
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Apr 18, 2016 2:16 pm

Re: /tool e-mail send start-tls seems insecurable, need advice.

Fri Jan 04, 2019 12:52 am

I was really hoping to check the config as text into my git, and maybe use it as a foundation for a restore script, maybe reuse parts across similar devices.

Also, this would mean I can't effectively secure the server side, because the client will send the credentials to anyone/anything it connects to, and they can later re-use the user/pass to impersonate the client.

Is there a way to encrypt an export file in some simple way (or hash it and encrypt it, effectively just sign it)?
 
risk
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Apr 18, 2016 2:16 pm

Re: /tool e-mail send start-tls seems insecurable, need advice.

Thu Jan 10, 2019 12:26 am

I asked support. They confirmed there's no way for the router to verify the TLS cert when sending email - maybe in the future.
