Hi Adam,
On 18/06/15 16:40, Adam Pritchard wrote:
I'm currently the maintainer of GetTor [1], and together with Nima and Sukhbir we have been talking about the future of it.
If this conversation moves elsewhere, I would really like to be kept in the loop.
Good, I'll create a wiki page to keep track of the discussion and ideas (I'll post it later to this thread).
I'm the primary maintainer of Psiphon's email auto-responder, which was initially modeled on Tor's approach. Psiphon is, obviously, also extremely interested in robust ways of making our tools available in censoring regions. (So, Satori, etc., are also interesting.)
Great, I've heard of Psiphon before, and I'm sure both projects could benefit from working on new/better ways to expand the autoresponder service.
Relatedly...
When doing Logjam, etc., testing on our responder I found testssl.sh[1] to be a handy tool. Used like so: ./testssl.sh --mx torproject.org
CheckTLS[2] is also good for actually doing email send and receive tests.
Oh, nice! Although for some reason ./testssl.sh --mx torproject.org does not work for me, it says torproject.org has no mx records.
We're currently struggling a bit with just how hardcore we can be in securing our server communications. Right now Postfix is configured[3] to only connect out using TLS and only accept incoming TLS connections from servers with a verifiable cert. That seems reasonable, except... we're getting complaints that Chinese mail services don't meet those criteria, and Chinese users can't/won't/don't use Gmail/Hotmail/Yahoo.
...As an example of the sort of shared hurdles we might encounter.
Yeah, our current approach is to get to many people as possible (that's why, for example, we don't do DKIM verification). Maybe we can share experiences about it. Do you have a list of those services?
Anyway, I'll be taking a look at Psiphon's code :)
Thanks, --ilv