[Top] [All Lists]

Re: [ietf-smtp] SMTP Over TLS on Port 26 - Implicit TLS Proposal

2019-01-17 09:27:16
Indeed, if we added MXS and secured it with DNSSEC, port 25 with STARTTLS
would have the same security properties as port 26 with TLS- from the
start; in neither case would a conforming implementation connection without
a successful TLS handshake.

On Thu, Jan 17, 2019 at 6:57 AM Mark Andrews <marka(_at_)isc(_dot_)org> wrote:

On 17 Jan 2019, at 8:43 pm, Evert Mouw 


On 09/01/2019 01.43, Viruthagiri Thirumavalavan wrote:
There are people out there who has personal websites like and email address like 

Yeah and I'm one of them. I run my private mailserver for 3 users, one
domain name for each.

On 07/01/2019 12.34, Paul Smith wrote:
Note that port 465 is defined as for SMTPS for *submission*, so it's
the SMTPS version of 587, not the SMTPS version of 25.

That is correct, but for most mailservers relaying is disabled anyway,
so in practice even port 25 has become a submission gate. Also, you could
configure port 465 to allow relaying... out of the box many mail daemons
allow this, e.g. I "submit" my outgoing mail to 465 using Postfix. It is

On 09/01/2019 20.11, Alessandro Vesely wrote:
*Port 26 is simple*.  Straightforward for servers that already
implement 465.
No-brainer for clients.  The only risk is connection timeout on a
non-interactive job.  Does it hurt?

Exactly. Also, it makes it easier to recognize a secured mail transport.
No possible plaintext as with STARTTLS (when the latter fails, mail could
proceed over an unencrypted transport).

On 09/01/2019 21.37, Carl S. Gutekunst wrote:
Devil's advocate question: Do we (the community) care about improved
connection latency?

I do.

On 09/01/2019 22.26, valdis(_dot_)kletnieks(_at_)vt(_dot_)edu wrote:
My intuition says that this proposal doesn't help improve latency,
the hit you take waiting for a timeout on port 26 to a non-adopter
is going to overwhelm any savings from the STARTTLS RTT not being

Good point. I would love a MXS record (Mail eXchanger Secure). Maybe
such a MXS SHOULD be an alias to an already existent MX record.

As for the port number: if port 24 is already reserved for private mail
systems (!! so no loss of port numbers !!), but not used anymore, it would
also make a good candidate. I like the lower number, "try 24 before 25",
but port 26 makes sense too. It makes way more sense (to me at least) to
have both port numbers in one range, be it 25-25 or 25-26.

One of the benefits of a TLS-only port is the non-dependency on DNSSEC,
DANE, and whatnot. It is *simple*, easy to implement (by using e.g. an SSL
wrapper), fast, and pleasing to the eye.

DNSSEC is STILL needed with a TLS only port.  You have no TRUSTED name to
pass to TLS to check the server certificate against without it.

SMTP is not HTTP.  SMTP has a different set of security properties to HTTP.

Of course this matter doesn't prelude the end of the world ;-)

Regards, Evert

< Send me mail! >
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

ietf-smtp mailing list

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka(_at_)isc(_dot_)org

ietf-smtp mailing list

ietf-smtp mailing list
<Prev in Thread] Current Thread [Next in Thread>