Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

550 5.7.1 TLS required by recipient #757

Closed
ghost opened this issue Dec 28, 2020 · 7 comments
Closed

550 5.7.1 TLS required by recipient #757

ghost opened this issue Dec 28, 2020 · 7 comments
Labels
🐛 bug Something isn't working ✉️ email

Comments

@ghost
Copy link

ghost commented Dec 28, 2020

I sent test emails to myalias@relay.firefox.com by using four Japanese email services, but every email were undelivered.
One service returned the code 5.1.1 User Unknown and the other three services returned 550 5.7.1 TLS required by recipient.

If Firefox Relay requires senders to use TLS, it will be quite inconvenient in Japan. I'm getting a lot of emails marked as "red (no encryption)" in my Gmail client, and I don't know if it's related, but Firefox Relay is not able to receive emails from many Japanese web services.
@groovecoder groovecoder added 🐛 bug Something isn't working ✉️ email labels May 6, 2021
@tgckpg
Copy link

tgckpg commented Sep 25, 2021

+1 for this, some of our clients' mail server are still using plain transfer which we have no control over it.

@j1elo
Copy link

j1elo commented Oct 9, 2021

Some more feedback: Firefox Relay failed to relay an Activation Email when trying to register a new account in the Linux Mint Forum (https://forums.linuxmint.com/).

The site admin provided me with this feedback:

The forum tried sending you the activation email but it'd rejected by the Firefox relay with this message:

<{redacted}@relay.firefox.com>: host
    inbound-smtp.us-west-2.amazonaws.com[54.240.252.212] said: 550 5.7.1 TLS
    required by recipient (in reply to RCPT TO command)

This is a known issue of the Firefox relay: #757. I'll check but I think TLS is not under our control.

I've been using Firefox Relay successfully and with great results so far, so I'd like to take the chance and thank you very much to the team maintaining this service.

It would help a lot, for us technical users and especially for non-technical ones, if this issue could be ironed out (as the main problem this causes is that new registrations typically cannot confirm the email address because the email is not being relayed)

@groovecoder
Copy link
Member

I tried relaxing this requirement on my local setup and it works.

But, I'm also looking for a way that we can detect if the SMTP connection made to SES was over TLS. (And if it wasn't, we may want to add a warning-like indicator to say something like "This email may have been sent over an unencrypted channel.") Some articles[1] suggest that the Received header should contain TLS if it was used, but I'm not sure I'm seeing that consistently with SES Received values.

Still digging into this ...

@ghost
Copy link
Author

ghost commented Nov 19, 2021
edited by ghost
Loading

I want to test how much web-compat will improve when this problem is solved, so I retested my year old research.
Among 20 websites selected1 from SimilarWeb2 top websites ranking in Japan, I failed to sign up 9 websites.
When this issue is resolved in production, I will redo this test and compare the results.

1: The result of excluding websites that cannot be registered by email, global websites like google, duplicates, from the top 50.
2: Alexa's Top Sites in Japan includes many Chinese website, so I don't trust it.

SimilarWeb Global Rank (2021-11-19) Website Receive the confirmation email? TLS version in the header when using Gmail or ProtonMail
60, 231 docomo.ne.jp No None
43 amazon.co.jp Yes TLSv1.2
46 rakuten.co.jp Yes TLSv1
97 fc2.com Yes TLSv1.2
167, 254, 301, 396, 687 livedoor.com No None
150 auone.jp No None
93 pixiv.net Yes TLSv1.3
136 syosetu.com No None
234 ameba.jp Yes TLSv1.3
187 nicovideo.jp No None
257 goo.ne.jp No None
138 dmm.co.jp Yes TLSv1.2
349 5ch.net No None
377 itmedia.co.jp No None
445 gamewith.jp Yes TLSv1.2
323, 425 kakaku.com Yes TLSv1.2
276 cmoa.jp No None
565 nikkei.com Yes TLSv1.3
707 game8.jp Yes TLSv1.3
762 note.com Yes TLSv1.3

Email encryption in transit

Email providers Outbound email encryption Inbound email encryption
Gmail3 (World, 2021-08-31 - 2021-11-29) 90% 90%
IIJ4 (Japan, Oct. 2020) 69.6% 62.5%

3: https://transparencyreport.google.com/safer-email/overview
4: https://www.jpaawg.org/docs/event/2021ppap/saku_ppap_20210225.pdf

@groovecoder
Copy link
Member

Wow thanks for all that detailed info! We're working with AWS to see if we can get some indicator whether or not TLS was used to deliver the email to Relay.

@ghost
Copy link
Author

ghost commented Nov 25, 2021
edited by ghost
Loading

And if it wasn't, we may want to add a warning-like indicator to say something like "This email may have been sent over an unencrypted channel."

46 rakuten.co.jp Yes TLSv1

Just out of curiosity, how about the deprecated version of TLS? Should Relay also add another warning-like indicator if possible?

@groovecoder
Copy link
Member

Cleaning up old issues & tickets. This is done now. See https://github.com/mozilla/fx-private-relay/blob/main/docs/adr/0001-optional-tls-for-incoming-smtp.md#decision-outcome for details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🐛 bug Something isn't working ✉️ email
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@groovecoder @j1elo @tgckpg