
[ietf-smtp] STARTTLS everywhere / Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal

2019-01-10 00:18:45

Just as there is an HTTP Strict Transport Security (HSTS) preload list — a text file full of hosts that are dedicated to delivering all content over HTTPS — there is also an “MTA Strict Transport Security (MTA-STS) preload list” — a text file containing domains and subdomains that are committed to offering STARTTLS.

Providing that the implementation of MTA-STS and MTA-DANE is not simple, integrating the STARTTLS everywhere list is

On Mon, 2019-01-07 at 13:55 +0530, Viruthagiri Thirumavalavan wrote:
Hello Everyone,

I have a proposal for SMTPS. I already gathered some feedback from the UTA working group and improved my draft.

My proposal is a very simple document. So, please go through it and give me feedback if you can.

Here is my abstract.

SMTP is still suffering from downgrade attacks like STRIPTLS. While we have "Opportunistic TLS", we still don't have "Implicit TLS" in SMTP. Don't get me wrong. We do have "Implicit TLS" for "SMTP Submission" on port 465. But we don't have a secure port 25 alternative, i.e., the real SMTPS.

Both MTA-STS and MTA-DANE try to fix the STARTTLS downgrade issue. However, the implementation is not simple. The former requires an HTTPS server and the latter requires DNSSEC.

This document proposes a new port, 26, an "Implicit TLS" alternative for port 25, and recommends that the MX server signal the port via a prefix.

e.g. should be prefixed like

Where "smtps-" says "We prefer if you connect to our SMTPS on port 26. But we also accept mail on port 25. And our port 25 supports Opportunistic TLS. So if the STARTTLS command is not found in the EHLO response or the certificate is invalid, then drop the connection".


Best Regards,

Viruthagiri Thirumavalavan
Dombox, Inc.