
Re: [ietf-smtp] SMTP Over TLS on Port 26 - Implicit TLS Proposal

2019-01-07 04:23:58

Wouldn't it be simpler to let implementations try 465/tcp first and fall
back to 25/tcp, or use SRV records?


MX records are equivalent to SRV records. Refer to section 3 of this document.
https://tools.ietf.org/id/draft-ietf-dane-srv-05.html#rfc.section.3
If we are going to use SRV records to deal with mail-related stuff, then it
defeats the purpose of having MX records.

Trillions of mails are sent every year. Why do we have to waste trillions of
requests every year trying port 465 when the signalling step can be
embedded in the MX host name?

Can you give me a good reason not to go for my solution?

On Mon, Jan 7, 2019 at 2:28 PM Gilles Chehade <gilles(_at_)poolp(_dot_)org> wrote:

On Mon, Jan 07, 2019 at 01:55:27PM +0530, Viruthagiri Thirumavalavan wrote:
Hello Everyone,


Hello,


I have a proposal for SMTPS. I have already gathered some feedback from the
UTA working group and improved my draft.

My proposal is a very simple document. So, please go through it and give
me feedback if you can.

Here is my abstract.

---------
SMTP is still suffering from downgrade attacks like STRIPTLS. While we have
"Opportunistic TLS", we still don't have "Implicit TLS" in SMTP. Don't get
me wrong. We do have "Implicit TLS" for "SMTP Submission" on port 465. But
we don't have a secure port 25 alternative, i.e. the real SMTPS.


465/tcp was already SMTPS, not Implicit TLS.


Both MTA-STS and MTA-DANE try to fix the STARTTLS downgrade issue.
However, the implementation is not simple. The former requires an HTTPS
server and the latter requires DNSSEC.


Agreed


This document proposes a new port 26, an "Implicit TLS" alternative for
port 25, and recommends that the MX server signal the port via a prefix.

e.g. mx1.example.com should be prefixed like smtps-mx1.example.com.

Where "smtps-" says "We prefer that you connect to our SMTPS on port 26.
But we also accept mail on port 25. And our port 25 supports Opportunistic
TLS. So if the STARTTLS command is not found in the EHLO response or the
certificate is invalid, then drop the connection".


Wouldn't it be simpler to let implementations try 465/tcp first and fall
back to 25/tcp, or use SRV records?

--
Gilles Chehade                                                 @poolpOrg

https://www.poolp.org                 tip me: https://paypal.me/poolpOrg



-- 
Best Regards,

Viruthagiri Thirumavalavan
Dombox, Inc.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
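The sending-side policy the proposal describes (choose port 26 with implicit TLS when the MX host name carries the "smtps-" prefix, otherwise fall back to port 25, and on a signalled host drop the session if STARTTLS is missing from the EHLO reply or the certificate is invalid), written out as an added example. This is not code from the thread, from the draft, or from any MTA; the function names, the ConnectPlan fields, the "prefer_implicit" switch and the two EHLO replies are my own constructions, and certificate validation is represented by a boolean that a real client would obtain from its TLS library.

```python
"""Client-side connection policy for the "smtps-" MX prefix proposal.

Added illustration, not the draft's or any MTA's code. Assumptions:
- the prefix is matched on the first label of the MX host name;
- port 26 = implicit TLS (TLS before any SMTP), port 25 = STARTTLS;
- certificate validity is passed in as a boolean (cert_valid).
"""
from __future__ import annotations

from dataclasses import dataclass

SMTPS_PREFIX = "smtps-"  # signalling prefix proposed in the thread
IMPLICIT_TLS_PORT = 26   # proposed implicit-TLS alternative to port 25
STARTTLS_PORT = 25


class PolicyViolation(Exception):
    """Raised when the proposal says the client must drop the connection."""


@dataclass(frozen=True)
class ConnectPlan:
    host: str
    port: int
    implicit_tls: bool      # wrap the socket in TLS before the first SMTP byte
    require_starttls: bool  # on port 25, a missing STARTTLS/bad cert is fatal


def plan_for_mx(mx_host: str, prefer_implicit: bool = True) -> ConnectPlan:
    """Derive port and TLS mode from the MX host name alone (no extra lookups)."""
    host = mx_host.rstrip(".").lower()
    signalled = host.split(".", 1)[0].startswith(SMTPS_PREFIX)
    if signalled and prefer_implicit:
        return ConnectPlan(host, IMPLICIT_TLS_PORT, True, False)
    # Port 25: opportunistic TLS, made mandatory only when the host signalled.
    return ConnectPlan(host, STARTTLS_PORT, False, signalled)


def parse_ehlo(reply: str) -> tuple[int, frozenset[str]]:
    """Parse a multi-line EHLO reply into (reply code, advertised keywords)."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    code = None
    keywords: set[str] = set()
    for index, line in enumerate(lines):
        if len(line) < 3 or not line[:3].isdigit() or (len(line) > 3 and line[3] not in "- "):
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        this_code = int(line[:3])
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("mixed reply codes in EHLO reply")
        if index == 0:
            continue  # first line is the server's domain greeting, not a keyword
        text = line[4:].strip()
        if text:
            keywords.add(text.split()[0].upper())
    return code, frozenset(keywords)


def decide(plan: ConnectPlan, ehlo_reply: str, cert_valid: bool) -> str:
    """Apply the proposal's rules after EHLO; return the session mode to use."""
    code, caps = parse_ehlo(ehlo_reply)
    if code != 250:
        raise PolicyViolation(f"EHLO rejected with {code}")
    if plan.implicit_tls:
        # Port 26: TLS was negotiated before EHLO, only the certificate check remains.
        if not cert_valid:
            raise PolicyViolation("invalid certificate on implicit-TLS port")
        return "implicit-tls"
    if "STARTTLS" not in caps:
        if plan.require_starttls:
            raise PolicyViolation("STARTTLS missing on an smtps- host: treat as downgrade, drop")
        return "cleartext"  # unsignalled host: today's opportunistic behaviour
    if not cert_valid:
        if plan.require_starttls:
            raise PolicyViolation("invalid certificate after STARTTLS on an smtps- host: drop")
        return "starttls-unauthenticated"  # opportunistic TLS encrypts but cannot authenticate
    return "starttls"


# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_STARTTLS = (
    "250-mx1.example.com Hello client.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
# The same reply with the STARTTLS line removed: the STRIPTLS downgrade the thread refers to.
EHLO_STRIPPED = (
    "250-mx1.example.com Hello client.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

if __name__ == "__main__":
    for mx in ("mx1.example.com", "smtps-mx1.example.com"):
        plan = plan_for_mx(mx, prefer_implicit=False)
        try:
            print(mx, "->", decide(plan, EHLO_STRIPPED, cert_valid=True))
        except PolicyViolation as err:
            print(mx, "-> dropped:", err)
```

The point the prefix buys is visible in the last loop: with the same stripped EHLO reply, the unsignalled host is delivered to in cleartext exactly as today, while the "smtps-" host is refused, so the sender needs no HTTPS policy fetch (MTA-STS) and no DNSSEC (DANE) to learn that STARTTLS was expected.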