IETF Logo Mail Archive

Re: [ietf-smtp] SMTP Over TLS on Port 26 - Implicit TLS Proposal

Alessandro Vesely <vesely@tana.it> Wed, 09 January 2019 19:35 UTC

Return-Path: <vesely@tana.it>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BCE3131055 for <ietf-smtp@ietfa.amsl.com>; Wed, 9 Jan 2019 11:35:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MtFnF39OvJw3 for <ietf-smtp@ietfa.amsl.com>; Wed, 9 Jan 2019 11:35:38 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78A02131053 for <ietf-smtp@ietf.org>; Wed, 9 Jan 2019 11:35:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=gamma; t=1547062536; bh=Rbcgd5UwFRiGSRzcmja34yNbs+VtJ02yQImPo5gWGUc=; l=3045; h=To:Cc:References:From:Date:In-Reply-To; b=CEjpV9ESPrr1TDIcF0+S+PSYo6b6A2eH5ICX55e3VWgbiF6iEedSSzmhzXSoBWb3x weHImZAcABHmMsvqoWUj3PYMp2oEe6O8rjvaeV3Nm2GJ9YyVMRuXDFy0AnbctbTFYJ iH0dBJahe0JmTj6xImOmiWhoqCADYlMbHe8/u6kJcVqDZ54uA0+FUDI3NKOXG
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA; Wed, 09 Jan 2019 20:35:36 +0100 id 00000000005DC013.000000005C364D08.0000604E
To: Ted Lemon <mellon@fugue.com>
Cc: valdis.kletnieks@vt.edu, Viruthagiri Thirumavalavan <giri@dombox.org>, ietf-smtp@ietf.org
References: <CAOEezJQL_2_YUDJ3UW6MJ2pDtBzEwKDMV3a5PAvDqwmg5Gd6Xw@mail.gmail.com> <20190107085807.GA9513@ams-1.poolp.org> <CAOEezJSnPcz919k87fS5RFK5dtVSfqn00ow-QtxudDdm9rP9_w@mail.gmail.com> <20190107111354.GA63927@ams-1.poolp.org> <9e5c4dd8-7acf-8da7-4d4e-9337ef6e6101@pscs.co.uk> <I8HxJeDFDKNcFAQA@highwayman.com> <CAOEezJQiH=HNFw5rRbNEH1VjCuqyLxwtP6rRdLyxpHVA6sbHTQ@mail.gmail.com> <CAOEezJSV3HJ1Shd4izCfXvSYUyF4ddOUx4C2MMOZsYi5NVM0Tw@mail.gmail.com> <3742.1546968196@turing-police.cc.vt.edu> <ABDA536C-10AA-4C66-808C-D8464982C6F9@fugue.com> <0ddeaf40-d55d-84b7-00ce-efe7fb36c313@tana.it> <CAPt1N1k6Yaa8x177+xn5u5V2LTiYHZXSB2kuveSadfxied0SpQ@mail.gmail.com>
From: Alessandro Vesely <vesely@tana.it>
Openpgp: id=0A5B4BB141A53F7F55FC8CBCB6ACF44490D17C00
Message-ID: <a76d27a1-2bee-c473-61b0-98461b2ce067@tana.it>
Date: Wed, 9 Jan 2019 20:35:36 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <CAPt1N1k6Yaa8x177+xn5u5V2LTiYHZXSB2kuveSadfxied0SpQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/pSb216OGLuTe31yUzAXtqD2haAo>
Subject: Re: [ietf-smtp] SMTP Over TLS on Port 26 - Implicit TLS Proposal
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2019 19:35:40 -0000

On Wed 09/Jan/2019 20:16:27 +0100 Ted Lemon wrote:

> Port 26 requires new operational behavior, so it's not simple.   It requires
> knowing that it's available, and trying it.   It requires making it available. 
>  It requires deploying lots of new software.


I don't think software is a problem, because on my server (Courier-MTA) I could
do it without even changing a line of code.  Just duplicate 465 settings,
change port number and mandatory login.  For sending, I'd need to set special
routes, which is annoying; adding one line of code is handier.


> And it requires allocating a reserved port, and reserved ports are scarce.


Yes.  And publish an RFC.


> So that's not a good reason to do it: essentially we are doing a lot of new
> work in order to accomplish something that we could already accomplish using
> existing software and doing no new work.

Wouldn't the final scenario be better?


Best
Ale


> On Wed, Jan 9, 2019 at 2:11 PM Alessandro Vesely <vesely@tana.it
> <mailto:vesely@tana.it>> wrote:
> 
>     On Tue 08/Jan/2019 19:43:25 +0100 Ted Lemon wrote:
>     > On Jan 8, 2019, at 12:23 PM, valdis.kletnieks@vt.edu
>     <mailto:valdis.kletnieks@vt.edu> wrote:
>     >> Hint: If starttls is subject to a downgrade attack, what prevents the
>     same attack
>     >> against the same pair of hosts attempting smtps instead?
>     >
>     > IOW, if the server is only listening on port 26, and the client is being
>     > MITM'd, the attacker can listen on port 25 and then tunnel the client
>     > connection to the server's port 26.  Only if the client knows that the server
>     > supports TLS can you prevent a downgrade, and then STARTTLS works fine.   So
>     > you need some secure way of signaling this, e.g. DNSSEC, and if you have
>     that,
>     > then you don't need a second port allocation.
> 
>     Correct.  So doing port 26 wouldn't get us more security.  However, it doesn't
>     seem to get less security either.  I don't see it as a useless complication, it
>     looks rather like a simplification to me.
> 
>     Valdis' citation about 60% of SMTP servers is also correct, but indeed it
>     shouldn't be a problem.  I'd change the line about naming to:
> 
>        If a mail server support port 26 (smtps), then they MAY (was "should")
>        name their MX server with "smtps-" prefix.
> 
>     Prefix should never be checked automatically.  Admins every now and then look
>     at MX names, and if they start to see those prefixes, they may decide to
>     activate their server test-port-26 option.  Gullible, eh?  However, MTA-STS is
>     certainly more complicated and costly.  For one thing, you have to pay an extra
>     mta-sts.example.com <http://mta-sts.example.com> certificate (unless you
>     already afforded a wildcard).  For
>     clients it's much much more work.
> 
>     *Port 26 is simple*.  Straightforward for servers that already implement 465.
>     No-brainer for clients.  The only risk is connection timeout on a
>     non-interactive job.  Does it hurt?
> 
> 
>     Best
>     Ale
>     -- 
> 
> 
> 
> 
>

v2.2.1 | Report a Bug | By Email