Re: [ietf-smtp] Proposed agenda for EMAILCORE BOF

2020-07-23 10:43:38
On 7/22/20 1:34 PM, John Levine wrote:

My reading is that the above text clarifies to prefer 465 over 587.
Some of us disagree about how well this advice matches reality. See
you at the BOF.

What does it even mean to say that this does or does not match "reality"?

The advice is to use ports that do TLS on connect (465, 993, 995)
rather than ones that connect and then use a command to upgrade (587,
110, 143) on the theory that a bad guy might do STARTTLS stripping on
the latter. I think it is reasonable to assume that any adversary that
knows how to mess with STARTTLS packets also knows how to do port
blocking, and if one port doesn't work MUAs will try the other, so it
doesn't help.

I also observe that MUAs all offer the option of doing it either way
when you set them up, and remember that configuration for subsequent
connections. More useful advice would be to configure a TLS connection
of either type at setup time, and if that configuration later stops
working, alert the user rather than silently working around it.
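As an added example that is not part of the thread, here is the advice in the last paragraph expressed as client policy in Python: the TLS mode chosen at setup is remembered, and if that mode later stops working (no TLS on connect, or a STARTTLS keyword missing from EHLO) the client alerts rather than falling back to plaintext or trying the other port. The host name and EHLO replies are constructed for the example.

```python
"""Added example, not from the thread: a submission-client policy that
remembers the TLS mode chosen at setup and alerts when it later stops
working, instead of silently working around it."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class TlsMode(Enum):
    IMPLICIT = "implicit"   # TLS on connect (465, 993, 995)
    STARTTLS = "starttls"   # plaintext EHLO, then STARTTLS upgrade (587, 110, 143)


class Decision(Enum):
    PROCEED = "proceed"        # negotiate TLS exactly as configured
    ALERT_USER = "alert_user"  # configured TLS path failed; stop and tell the user


@dataclass(frozen=True)
class AccountConfig:
    host: str
    port: int
    mode: TlsMode  # chosen once at setup and remembered for later connections


def parse_ehlo(reply: str) -> set:
    """Return the upper-cased EHLO keywords from a multi-line 250 reply."""
    caps = set()
    for line in reply.splitlines()[1:]:  # first line carries the server's domain
        if line[:3] == "250" and len(line) > 4:
            caps.add(line[4:].split()[0].upper())
    return caps


def decide(cfg: AccountConfig, *, connect_ok: Optional[bool] = None,
           ehlo_reply: Optional[str] = None) -> Decision:
    """Apply the remembered mode; never downgrade or switch ports on failure."""
    if cfg.mode is TlsMode.IMPLICIT:
        # TLS is negotiated before any SMTP command, so EHLO plays no part here.
        return Decision.PROCEED if connect_ok else Decision.ALERT_USER
    # STARTTLS mode: the server must advertise STARTTLS in its EHLO reply.
    # A missing keyword is what stripping (or a misconfigured server) looks like.
    if ehlo_reply and "STARTTLS" in parse_ehlo(ehlo_reply):
        return Decision.PROCEED
    return Decision.ALERT_USER


# Constructed EHLO replies for demonstration; the second one lacks STARTTLS.
EHLO_OK = "250-mail.example.net Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_STARTTLS = "250-mail.example.net Hello\r\n250-SIZE 35882577\r\n250 8BITMIME"
```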


