23 February 2014

Oddness with Apple iCloud SMTP with TLS - MITM?

Last Thursday, the 20th February, there was a planned migration of my ADSL service to another LLU provider.  Things went smoothly, but I noticed that my line sync rates were a little on the low side, so I planned to email my ISP about it the following day, if the connection hadn't improved.

After returning home from work on Friday 21st, I determined that the sync rates were still below par, and with oodles of margin, proceeded to knock out an email asking someone to fiddle with something.  However, I was stumped by an unforeseen hurdle - Thunderbird (running on Linux) was unable to send an email through the configured SMTP server: smtp.mail.me.com, using TLS on port 587.

I then experimented with my iPhone 4S, and found that it could send emails via the same SMTP server on either my 3G service or when connected via my domestic wifi through the ADSL service of my ISP.  OK, I thought, it must be a Thunderbird configuration problem, but I found nothing wrong.  I then dropped my LAN connection on my Linux box and established a wifi connection, using my iPhone 4S as a hotspot, and found that Thunderbird was able to send emails OK with the same configuration via the cellular network.

I found this to be odd; something didn't make sense. I couldn't understand why using the cellular network for the SMTP connection would allow either the iOS or Thunderbird clients to work, but only the iOS client would successfully send via SMTP with TLS over my ISP's network.  At this point I raised the issue with my ISP.

A short while later, the ISP suggested that I should try and connect via SMTP on port 25.  Not wanting to actually make a clear-text authenticated connection with my actual account credentials, I decided to connect with telnet on port 25.

The results looked like this:

$ telnet smtp.mail.me.com 25
Trying 17.172.34.225...
Connected to smtp.mail.me.com.
Escape character is '^]'.
220 st11p00mm-asmtp002.mac.com -- Server ESMTP (Oracle Communications
Messaging Server 7u4-27.08(7.0.4.27.7) 64bit (built Aug 22 2013))

That seemed pretty normal, I vaguely recalled seeing that greeting before.  I tried again on port 587.  The results looked like this:

$ telnet smtp.mail.me.com 587
Trying 17.172.34.225...
Connected to smtp.mail.me.com.
Escape character is '^]'.

^]
telnet> quit
Connection closed.

This attempt was made using my ADSL connection for internet access.  Nothing happened after the connection was made, so I dropped the telnet connection, switched to using my iPhone's hotspot and tried the same thing. I got the same response on port 587 as I had previously on port 25:
$ telnet smtp.mail.me.com 587
Trying 17.172.34.225...
Connected to smtp.mail.me.com.
Escape character is '^]'.
220 st11p00mm-asmtp001.mac.com -- Server ESMTP (Oracle Communications
Messaging Server 7u4-27.08(7.0.4.27.7) 64bit (built Aug 22 2013))

Pretty strange huh?  The IP address was the same, so it wouldn't seem that there was any DNS buggeration involved.

I made contact with my ISP again and reported my findings.  Within 20 minutes they responded, stating that they too had attempted to telnet to port 587 but met with the expected Oracle greeting.  By this time, I had verified that the server answering on port 587 had indeed started to behave in the manner expected.

At this point I was a bit confused and slightly paranoid.  I mentioned to the ISP that this was all very fishy and that some kind of explanation would be appropriate.  It was at this point that I think they went home for the weekend, and I started to fiddle around with something else.  It was Saturday afternoon before I heard about the Apple SSL goto fail bug being patched on Friday.  The existence of that bug explains why my iPhone itself would have been happy sending email through my ADSL connection through a MITM to the SMTP server on port 587, and why Thunderbird would not.
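The two telnet sessions above boil down to one question: does the submission port answer with a 220 greeting, advertise STARTTLS, and then present a certificate that a strictly verifying client accepts?  Below is a small Python probe that scripts exactly that check, so the comparison between two network paths can be repeated and logged rather than eyeballed.  This is example code added to this post, not a script the author used.  The host names, the 127.0.0.1 fake servers and their replies are constructed for the demo; against a real server, call probe_smtp with the real host and verify_tls=True, which uses ssl.create_default_context() so that chain and hostname verification are enforced (the check the goto fail bug effectively skipped).

```python
"""Scripted version of the telnet checks: wait for the 220 banner, send EHLO,
report whether STARTTLS is advertised and, optionally, whether a verifying
TLS handshake succeeds.  A TCP accept with no banner is reported explicitly,
since that is the symptom seen on one path in the post.  Example code added
to the post; the demo servers and their replies are constructed."""
import socket
import ssl
import threading

# Constructed replies for the local demo servers (not captured from Apple).
DEMO_BANNER = b"220 smtp.example.test ESMTP (constructed demo banner)\r\n"
DEMO_EHLO = b"250-smtp.example.test\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"


def _read_reply(sock, timeout):
    """Read one SMTP reply (single or multi-line).  Returns the completed
    lines as strings; an empty list means nothing arrived before timeout."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            lines = buf.split(b"\r\n")[:-1]  # only fully terminated lines
            # "NNN " (space after the code) ends the reply; "NNN-" continues it
            if lines and len(lines[-1]) >= 4 and lines[-1][3:4] == b" ":
                break
    except socket.timeout:
        pass
    return [l.decode("ascii", "replace") for l in buf.split(b"\r\n") if l]


def probe_smtp(host, port, timeout=5.0, verify_tls=False):
    """Connect, expect a 220 banner, send EHLO, look for STARTTLS.
    With verify_tls=True also run STARTTLS under a verifying TLS context."""
    result = {"banner": None, "ehlo": [], "starttls": False,
              "tls_verified": None, "note": ""}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _read_reply(sock, timeout)
        if not banner:
            result["note"] = ("TCP connected but no 220 banner within "
                              "%.1fs (silent accept)" % timeout)
            return result
        result["banner"] = banner[0]
        if not banner[0].startswith("220"):
            result["note"] = "unexpected greeting"
            return result
        sock.sendall(b"EHLO probe.example.test\r\n")
        ehlo = _read_reply(sock, timeout)
        result["ehlo"] = ehlo
        result["starttls"] = any(l[4:].strip().upper().startswith("STARTTLS")
                                 for l in ehlo)
        if result["starttls"] and verify_tls:
            sock.sendall(b"STARTTLS\r\n")
            reply = _read_reply(sock, timeout)
            if reply and reply[0].startswith("220"):
                ctx = ssl.create_default_context()  # verifies chain + hostname
                try:
                    tls = ctx.wrap_socket(sock, server_hostname=host)
                    result["tls_verified"] = True
                    result["tls_subject"] = tls.getpeercert().get("subject")
                    tls.sendall(b"QUIT\r\n")
                    tls.close()
                except ssl.SSLError as exc:
                    result["tls_verified"] = False
                    result["note"] = "TLS handshake rejected: %s" % exc
                return result
        sock.sendall(b"QUIT\r\n")
    return result


def _serve_once(banner, ehlo, silent=False):
    """Tiny fake SMTP server on 127.0.0.1 for the demo; returns its port.
    silent=True accepts the TCP connection but never sends a greeting."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            try:
                if silent:
                    conn.recv(1)          # wait until the client gives up
                else:
                    conn.sendall(banner)
                    conn.recv(1024)       # EHLO
                    conn.sendall(ehlo)
                    conn.recv(1024)       # QUIT or close
            except OSError:
                pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo():
    """Probe a healthy demo server and a silent one; returns both results."""
    healthy = probe_smtp("127.0.0.1", _serve_once(DEMO_BANNER, DEMO_EHLO), timeout=3.0)
    silent = probe_smtp("127.0.0.1", _serve_once(b"", b"", silent=True), timeout=1.0)
    return healthy, silent


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Run the probe from each network path in turn (the ADSL line and the phone hotspot, in the post's case) and diff the two result dicts: a silent accept on one path, or a tls_verified of False with a verification error in the note, is the kind of discrepancy worth taking back to the ISP with timestamps attached.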

So what does this all mean? Was there a MITM attack going on?
