I like Viruthagiri's proposal.
On Mon 07/Jan/2019 13:33:39 +0100 John C Klensin wrote:
A simple TXT record saying "This domain's MTAs support
STARTTLS (and, possibly, optionally, this is the certificate
fingerprint)" would seem useful and not need anything else,
and would protect against STARTTLS downgrade for any sender
willing to support it.
Obviously it would be vulnerable to DNS pollution, but so
would the original proposal.
Please see at least one of Burt Hubert's "DNS Camel" pieces
and/or RFC 8324, and think about not only pollution/cache
poisoning but about the observation that DNS zone managers and
email administrators are often in separate departments with less
effective communication than one might like, before going down
Well, yes, tweaking host names in MX record would have been a nice hack. As it
seems such a hack won't work well, however, it's better to save the camel a
useless burden altogether. Perhaps, the probability of finding an smtps
service on port 26 can be advertised by some other means.
As for port 26, nmap reports[*] a seldom used, unofficial "rsftp" there:
# Fields : Service name, portnum/protocol, open-frequency, optional comments
telnet 23/tcp 0.221265
telnet 23/udp 0.006211
priv-mail 24/tcp 0.001154 # any private mail system
priv-mail 24/udp 0.000329 # any private mail system
smtp 25/tcp 0.131314 # Simple Mail Transfer
smtp 25/udp 0.001285 # Simple Mail Transfer
rsftp 26/tcp 0.007991 # RSFTP
Would 24 be better?
Rsftp seems to be a buggy ftp-like program.[†] Google didn't help me to find
much more. There are some projects on github called rsftp[‡], but none of them
is that one.
ietf-smtp mailing list