ietf-smtp
[Top] [All Lists]

Re: [ietf-smtp] SMTP Over TLS on Port 26 - Implicit TLS Proposal

2019-01-17 05:57:23


On 17 Jan 2019, at 8:43 pm, Evert Mouw 
<post=40evert(_dot_)net(_at_)dmarc(_dot_)ietf(_dot_)org> wrote:

Hi,

On 09/01/2019 01.43, Viruthagiri Thirumavalavan wrote:
There are people out there who has personal websites like 
firstnamelastname.com and email address like 
me(_at_)firstnamelastname(_dot_)com

Yeah and I'm one of them. I run my private mailserver for 3 users, one domain 
name for each.

On 07/01/2019 12.34, Paul Smith wrote:
Note that port 465 is defined as for SMTPS for *submission*, so it's the 
SMTPS version of 587, not the SMTPS version of 25.

That is correct, but for most mailservers relaying is disabled anyway, so in 
practice even port 25 has become a submission gate. Also, you could configure 
port 465 to allow relaying... out of the box many mail daemons allow this, 
e.g. I "submit" my outgoing mail to 465 using Postfix. It is messy.

On 09/01/2019 20.11, Alessandro Vesely wrote:
*Port 26 is simple*.  Straightforward for servers that already implement 
465.
No-brainer for clients.  The only risk is connection timeout on a
non-interactive job.  Does it hurt?

Exactly. Also, it makes it easier to recognize a secured mail transport. No 
possible plaintext as with STARTTLS (when the latter fails, mail could 
proceed over an unencrypted transport).

On 09/01/2019 21.37, Carl S. Gutekunst wrote:
Devil's advocate question: Do we (the community) care about improved 
connection latency?

I do.

On 09/01/2019 22.26, valdis(_dot_)kletnieks(_at_)vt(_dot_)edu wrote:
My intuition says that this proposal doesn't help improve latency, because
the hit you take waiting for a timeout on port 26 to a non-adopter server
is going to overwhelm any savings from the STARTTLS RTT not being
needed.

Good point. I would love a MXS record (Mail eXchanger Secure). Maybe such a 
MXS SHOULD be an alias to an already existent MX record.

As for the port number: if port 24 is already reserved for private mail 
systems (!! so no loss of port numbers !!), but not used anymore, it would 
also make a good candidate. I like the lower number, "try 24 before 25", but 
port 26 makes sense too. It makes way more sense (to me at least) to have 
both port numbers in one range, be it 25-25 or 25-26.

One of the benefits of a TLS-only port is the non-dependency on DNSSEC, DANE, 
and whatnot. It is *simple*, easy to implement (by using e.g. an SSL 
wrapper), fast, and pleasing to the eye.

DNSSEC is STILL needed with a TLS only port.  You have no TRUSTED name to pass 
to TLS to check the server certificate against without it.

SMTP is not HTTP.  SMTP has a different set of security properties to HTTP.

Of course this matter doesn't prelude the end of the world ;-)

Regards, Evert

 _______________
< Send me mail! >
 ---------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||


_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka(_at_)isc(_dot_)org

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp

<Prev in Thread] Current Thread [Next in Thread>