Mark R. Gamache's Random Blog: Godaddy Asks People NOT TO USE ITS HOSTED EMAIL and May Not Even Use It Themselves

Disclaimer, Godaddy made me angry with a billing issue. This is what caused me to look into the value I get from them. While my language may be angry and inflammatory, the facts are not disputable. I have informed them about their messed up SMTP TLS, but have not heard back.

Try to send a secure mail to Godaddy hosted addresses and they will return this message

Sample server certificate, do not use on production systems!

Maybe they are hosting customers’ mail on non-production systems. For additional irony, they are hosted in the domain, secureserver.net.

farmtomarketcreations.com. 3600 IN MX 0 smtp.secureserver.net.

farmtomarketcreations.com. 3600 IN MX 10 mailstore1.secureserver.net.

Even more irony!!!! Godaddy doesn’t even use their own hosting for email, they use Microsoft!

godaddy.com. 3600 IN MX 0 godaddy-com.mail.protection.outlook.com.

OK, so this could be that they just use MSs Cloud Anti-Spam and then relay the spam free mail into their systems, but I am dubious.

A quick word about SMTP and TLS. It is a great way to keep mail more secure because it does not require an end user to know anything or that it is even there. It just requires mildly qualified techs to configure their mail servers correctly. TLS, done right, will protect the message in transit from one mail system to the next.

Back to the hosting I pay for. While the MX records do not change for my hosting, the corresponding A records change a bit, and multiple tests against the same IP render different results, in terms of TLS support. It appears they use technologies like global traffic management, round robin DNS, and load balancers, and every host was configured by a different incompetent tech.

Their MX records for both names seem to correspond to the same 4 IPs

smtp.secureserver.net. 300 IN A 72.167.238.201

smtp.secureserver.net. 300 IN A 72.167.238.29

smtp.secureserver.net. 300 IN A 68.178.213.37

smtp.secureserver.net. 300 IN A 216.69.186.201

mailstore1.secureserver.net. 300 IN A 68.178.213.37

mailstore1.secureserver.net. 300 IN A 216.69.186.201

mailstore1.secureserver.net. 300 IN A 72.167.238.201

mailstore1.secureserver.net. 300 IN A 72.167.238.29

Here’s what CheckTLS shows me over a decent number of tests. Never a score above 68 and never once a valid SSL certificate. Of 18 tests, 2/3rds fail to even allow TLS.

So, let’s look at the hosts that do offer up SSL/TLS certificates. First, they send their Root certificate twice, adding to handshake time and size. The root and SSL certs are both 1024 bit. We already covered the clearly stated “Do not use”. The SSL certificate is good for 10 years? At least it is not expired. :-P Crazy… Finally, the subject common name on the SSL certificate doesn’t match any of their server names. I guess they can’t afford certificates… Wait, isn’t Godaddy an SSL cert provider?

Certificate 1 of 3 in chain:

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 2 (0x2)

Signature Algorithm: sha1WithRSAEncryption

Issuer:

countryName = US

organizationName = Sample, Inc.

organizationalUnitName = IT Team

commonName = CA

Validity

Not Before: Nov 18 14:58:26 2010 GMT

Not After : Nov 15 14:58:26 2020 GMT

Subject:

countryName = US

organizationName = Sample, Inc.

organizationalUnitName = IT Team

commonName = Server

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (1024 bit)

Modulus:

00:f3:89:dd:43:f0:ad:84:1a:dd:f1:fd:2c:83:bd:

ae:01:17:d8:ab:4e:02:f4:7f:85:0a:ec:70:5e:8b:

19:69:78:6c:61:b8:82:5b:dd:e8:ea:48:23:6b:9f:

68:80:76:67:34:d3:94:e7:a4:54:38:bb:72:c7:ba:

da:cc:d6:cb:f8:6b:91:53:f2:be:44:61:9c:a0:64:

d1:02:e8:df:5b:95:7f:ae:e3:82:d1:e7:2a:96:eb:

53:9e:17:b3:f5:d9:d1:7a:ca:dd:74:1e:97:3a:44:

54:5d:02:54:8d:f0:7b:85:39:9f:e9:a3:f3:e7:20:

14:1d:58:c9:f9:0d:63:fc:d3

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

Sample server certificate, do not use on production systems!

Netscape Cert Type:

SSL Server

X509v3 Extended Key Usage:

TLS Web Server Authentication

X509v3 Key Usage:

Digital Signature, Key Encipherment

Signature Algorithm: sha1WithRSAEncryption

38:d1:85:a8:51:8c:1b:04:a5:95:39:19:7c:6e:38:f6:e8:ef:

27:23:40:17:11:ba:bc:7a:0c:be:39:ee:f4:2b:8d:5c:5d:dd:

c4:ea:54:e1:d9:fd:7c:96:b2:a0:9b:67:cd:f9:06:ed:7e:02:

8a:96:fd:f6:4d:bf:64:22:17:a5:9b:e3:33:15:7e:fe:a7:30:

53:21:55:ba:20:c5:a6:19:50:f0:d2:44:e9:a9:1c:5a:37:20:

cb:26:15:da:73:ba:67:29:f3:1d:f2:69:97:31:26:92:04:f9:

6a:c3:ec:ff:6a:65:60:ef:78:54:44:7f:81:22:24:aa:e8:cd:

fa:6b

-----BEGIN CERTIFICATE-----

MIICkTCCAfqgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEV

MBMGA1UEChMMU2FtcGxlLCBJbmMuMRAwDgYDVQQLEwdJVCBUZWFtMQswCQYDVQQD

EwJDQTAeFw0xMDExMTgxNDU4MjZaFw0yMDExMTUxNDU4MjZaMEcxCzAJBgNVBAYT

AlVTMRUwEwYDVQQKEwxTYW1wbGUsIEluYy4xEDAOBgNVBAsTB0lUIFRlYW0xDzAN

BgNVBAMTBlNlcnZlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA84ndQ/Ct

hBrd8f0sg72uARfYq04C9H+FCuxwXosZaXhsYbiCW93o6kgja59ogHZnNNOU56RU

OLtyx7razNbL+GuRU/K+RGGcoGTRAujfW5V/ruOC0ecqlutTnhez9dnResrddB6X

OkRUXQJUjfB7hTmf6aPz5yAUHVjJ+Q1j/NMCAwEAAaOBkDCBjTAJBgNVHRMEAjAA

MEsGCWCGSAGG+EIBDQQ+FjxTYW1wbGUgc2VydmVyIGNlcnRpZmljYXRlLCBkbyBu

b3QgdXNlIG9uIHByb2R1Y3Rpb24gc3lzdGVtcyEwEQYJYIZIAYb4QgEBBAQDAgZA

MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQUF

AAOBgQA40YWoUYwbBKWVORl8bjj26O8nI0AXEbq8egy+Oe70K41cXd3E6lTh2f18

lrKgm2fN+QbtfgKKlv32Tb9kIhelm+MzFX7+pzBTIVW6IMWmGVDw0kTpqRxaNyDL

JhXac7pnKfMd8mmXMSaSBPlqw+z/amVg73hURH+BIiSq6M36aw==

-----END CERTIFICATE-----

[003.724]

Certificate 2 of 3 in chain:

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

92:69:45:90:f7:aa:ec:38

Signature Algorithm: sha1WithRSAEncryption

Issuer:

countryName = US

organizationName = Sample, Inc.

organizationalUnitName = IT Team

commonName = CA

Validity

Not Before: Nov 18 14:58:26 2010 GMT

Not After : Nov 15 14:58:26 2020 GMT

Subject:

countryName = US

organizationName = Sample, Inc.

organizationalUnitName = IT Team

commonName = CA

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (1024 bit)

Modulus:

00:b8:ed:8e:6f:80:6c:10:56:21:16:b9:53:a9:00:

95:b9:60:18:48:76:fd:a2:e4:b9:4c:21:03:d9:17:

0f:f7:09:ae:31:f6:1b:ee:3f:d9:d6:fe:53:70:84:

5b:df:63:7b:f4:a2:9d:34:4f:0e:55:33:e6:ee:a7:

4c:b9:43:0f:70:51:71:bc:ee:50:6c:fd:4e:41:f2:

4d:cf:9d:9c:94:a4:40:85:e9:27:74:08:78:fc:f6:

2e:e4:a9:d5:3e:8b:27:a9:ed:52:06:45:a5:76:a4:

2a:8d:2a:10:e9:31:6d:5a:6a:75:34:10:4c:85:9a:

5d:4d:43:3a:24:59:95:29:7f

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints:

CA:TRUE

Signature Algorithm: sha1WithRSAEncryption

a0:04:32:10:92:46:dd:bd:e4:c2:71:0a:b2:d5:5c:9c:1c:8c:

57:fa:3a:17:ed:aa:d9:28:09:f3:79:3b:18:d0:4d:e0:f8:6c:

96:a4:b0:52:f9:8a:cd:bc:cf:1c:79:2a:6e:97:4a:89:4e:bb:

f9:9b:0c:4c:e0:fe:a1:0f:53:7d:6b:04:3b:9b:05:1b:b7:37:

13:ae:9d:02:58:14:7f:cc:d5:be:26:55:4e:02:15:bb:ec:9f:

7d:b6:5e:fa:ea:c8:88:b1:b6:57:62:69:ba:c2:b1:d2:2f:a7:

99:24:90:eb:52:a5:58:20:22:83:33:2c:37:64:84:0e:e9:46:

90:53

-----BEGIN CERTIFICATE-----

MIICFDCCAX2gAwIBAgIJAJJpRZD3quw4MA0GCSqGSIb3DQEBBQUAMEMxCzAJBgNV

BAYTAlVTMRUwEwYDVQQKEwxTYW1wbGUsIEluYy4xEDAOBgNVBAsTB0lUIFRlYW0x

CzAJBgNVBAMTAkNBMB4XDTEwMTExODE0NTgyNloXDTIwMTExNTE0NTgyNlowQzEL

MAkGA1UEBhMCVVMxFTATBgNVBAoTDFNhbXBsZSwgSW5jLjEQMA4GA1UECxMHSVQg

VGVhbTELMAkGA1UEAxMCQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALjt

jm+AbBBWIRa5U6kAlblgGEh2/aLkuUwhA9kXD/cJrjH2G+4/2db+U3CEW99je/Si

nTRPDlUz5u6nTLlDD3BRcbzuUGz9TkHyTc+dnJSkQIXpJ3QIePz2LuSp1T6LJ6nt

UgZFpXakKo0qEOkxbVpqdTQQTIWaXU1DOiRZlSl/AgMBAAGjEDAOMAwGA1UdEwQF

MAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAoAQyEJJG3b3kwnEKstVcnByMV/o6F+2q

2SgJ83k7GNBN4PhslqSwUvmKzbzPHHkqbpdKiU67+ZsMTOD+oQ9TfWsEO5sFG7c3

E66dAlgUf8zVviZVTgIVu+yffbZe+urIiLG2V2JpusKx0i+nmSSQ61KlWCAigzMs

N2SEDulGkFM=

-----END CERTIFICATE-----

[003.768]

Certificate 3 of 3 in chain: