On Tue, 08 Jan 2019 13:43:25 -0500, Ted Lemon said:
IOW, if the server is only listening on port 26,
Which becomes a self-inflicted DoS unless and until a vast majority of SMTP
sending servers have been upgraded/configured to try port 26.
The FUSSP won't be effective until it has been deployed at more than 60% of
SMTP servers and that's not a problem.
I'm pretty sure that Vernon Schryver wrote that last century. That puts it
well into "Wisdom of the Ancients" territory.. :)
and the client is being MITM'd, the attacker can listen on port 25 and then
tunnel the client connection to the server's port 26
I'll point out that if somebody is sufficiently MITM to do the "tunnel 26 to
25" tap-dance , they're sufficiently MITM to forge RST packets to attempted
connections on port 26 and force a client to fall back to port 25.
And nobody sane will deploy a system that doesn't fall back to port 25.
ietf-smtp mailing list