From: Dave Crocker [mailto:dhc(_at_)dcrocker(_dot_)net]
Sent: Wednesday, January 15, 2003 2:25 PM
ned> The correct way to use TLS/SSL with SMTP is through the
use of the
ned> STARTTLS SMTP extension defined in RFC 3207.
1. common practise is common practise and we have registered
a number of protocols over TLS on alternate ports, including
IMAP and POP. So why not SMTP? Given that it is already
established practise, the concern over the supposed "damage"
of "encouraging" its use does not apply.
2. There is a very basic difference between changing a
protocol implementation, versus changing a port number
configuration. As a matter of purity, I entirely agree that
negotiation of a substrate mode is better done inline. I
think that promiscuous consumption of multiple port numbers
for the same application protocol is, at least, sloppy.
However there are some operational realities here and
operationally, it is much easier to get ops folks to run an
existing server on a new port than to run a revised server.
Ops folks are typically conservative about making software
upgrades. and they should be.
I seem to recall that port 465 used to be registered for SMTP over SSL
before RFC 3207, but that once the STARTTLS ID was moved to RFC status
the WG made a request to IANA to have that port deregistered. The idea
was to emphasize that the proper way to provide a secure layer was
through STARTTLS. I don't think we should back off that, regardless of
de facto usage.
-- jeff