On 07/01/2019 11:13, Gilles Chehade wrote:
> don't know if they're good reasons but there's already 465/tcp for smtps
> and I don't know what to think about tying protocol behavior to hostname
> as it feels really hackish to me.
Note that port 465 is defined as for SMTPS for *submission*, so it's the
SMTPS version of 587, not the SMTPS version of 25.
I agree that using the hostname for this feels hackish. An SRV or TXT
record would seem more obvious.
I'm not sure of the advantage of implicit TLS over STARTTLS if downgrade
is prevented, and given that your MTA will have to still accept STARTTLS
& unencrypted connections for interoperability, it seems a bit
unnecessary here.
A simple TXT record saying "This domain's MTAs support STARTTLS (and,
possibly, optionally, this is the certificate fingerprint)" would seem
useful and not need anything else, and would protect against STARTTLS
downgrade for any sender willing to support it.
Obviously it would be vulnerable to DNS pollution, but so would the
original proposal.
--
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
Sign up for news & updates at http://www.pscs.co.uk/go/subscribe
_______________________________________________
ietf-smtp mailing list
ietf-smtp@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp
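Added example (not part of the thread or any IETF draft): a sender-side check showing how a published "STARTTLS required" record prevents the downgrade Paul describes. The TXT record syntax `v=stls1; starttls=required; fp=sha256:<hex>`, the EHLO replies and the certificate bytes are all constructed for the illustration; a real deployment would use a standardised mechanism rather than this hypothetical format.

```python
import hashlib
import re

# Hypothetical policy record format (assumption for this example, not a standard):
#   "v=stls1; starttls=required; fp=sha256:<hex of DER certificate>"
def parse_policy(txt: str) -> dict:
    """Split the TXT record into key -> value pairs (keys lower-cased)."""
    policy = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            policy[key.strip().lower()] = value.strip()
    return policy

def ehlo_offers_starttls(ehlo_response: str) -> bool:
    """True if the EHLO reply advertises the STARTTLS extension."""
    return any(re.match(r"250[ -]STARTTLS\b", line.strip(), re.IGNORECASE)
               for line in ehlo_response.splitlines())

def cert_fingerprint(cert_der: bytes) -> str:
    """Fingerprint in the same form the hypothetical record uses."""
    return "sha256:" + hashlib.sha256(cert_der).hexdigest()

def decide(policy_txt, ehlo_response, cert_der):
    """Return (send_ok, reason).

    Refuses a cleartext session when the published policy requires STARTTLS
    (the downgrade case), and refuses when a published fingerprint does not
    match the certificate presented in the TLS handshake.
    """
    policy = parse_policy(policy_txt) if policy_txt else {}
    required = policy.get("starttls") == "required"
    if not ehlo_offers_starttls(ehlo_response):
        if required:
            return False, "policy requires STARTTLS but server did not offer it"
        return True, "no policy; cleartext fallback"
    pin = policy.get("fp")
    if pin and cert_der is not None and pin.lower() != cert_fingerprint(cert_der):
        return False, "certificate fingerprint does not match published pin"
    return True, "STARTTLS"

# Constructed sample data: a normal EHLO reply, and one with STARTTLS stripped.
EHLO_WITH_STARTTLS = "250-mx.example.com\r\n250-SIZE 10240000\r\n250 STARTTLS\r\n"
EHLO_STRIPPED = "250-mx.example.com\r\n250 SIZE 10240000\r\n"
CERT_DER = b"constructed-certificate-bytes-not-a-real-cert"
POLICY = "v=stls1; starttls=required; fp=" + cert_fingerprint(CERT_DER)
```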