Re: [ietf-smtp] SMTP Over TLS on Port 26 - Implicit TLS Proposal
Alessandro Vesely <vesely@tana.it> Wed, 09 January 2019 19:35 UTC
To: Ted Lemon <mellon@fugue.com>
Cc: valdis.kletnieks@vt.edu,
Viruthagiri Thirumavalavan <giri@dombox.org>, ietf-smtp@ietf.org
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <a76d27a1-2bee-c473-61b0-98461b2ce067@tana.it>
Date: Wed, 9 Jan 2019 20:35:36 +0100
In-Reply-To: <CAPt1N1k6Yaa8x177+xn5u5V2LTiYHZXSB2kuveSadfxied0SpQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/pSb216OGLuTe31yUzAXtqD2haAo>
Subject: Re: [ietf-smtp] SMTP Over TLS on Port 26 - Implicit TLS Proposal
On Wed 09/Jan/2019 20:16:27 +0100 Ted Lemon wrote:
> Port 26 requires new operational behavior, so it's not simple. It requires
> knowing that it's available, and trying it. It requires making it available.
> It requires deploying lots of new software.

I don't think software is a problem, because on my server (Courier-MTA) I could
do it without even changing a line of code. Just duplicate 465 settings, change
port number and mandatory login. For sending, I'd need to set special routes,
which is annoying; adding one line of code is handier.

> And it requires allocating a reserved port, and reserved ports are scarce.

Yes. And publish an RFC.

> So that's not a good reason to do it: essentially we are doing a lot of new
> work in order to accomplish something that we could already accomplish using
> existing software and doing no new work.

Wouldn't the final scenario be better?

Best
Ale

> On Wed, Jan 9, 2019 at 2:11 PM Alessandro Vesely <vesely@tana.it
> <mailto:vesely@tana.it>> wrote:
>
> On Tue 08/Jan/2019 19:43:25 +0100 Ted Lemon wrote:
> > On Jan 8, 2019, at 12:23 PM, valdis.kletnieks@vt.edu
> > <mailto:valdis.kletnieks@vt.edu> wrote:
> >> Hint: If starttls is subject to a downgrade attack, what prevents the
> >> same attack against the same pair of hosts attempting smtps instead?
> >
> > IOW, if the server is only listening on port 26, and the client is being
> > MITM'd, the attacker can listen on port 25 and then tunnel the client
> > connection to the server's port 26. Only if the client knows that the server
> > supports TLS can you prevent a downgrade, and then STARTTLS works fine. So
> > you need some secure way of signaling this, e.g. DNSSEC, and if you have
> > that, then you don't need a second port allocation.
>
> Correct. So doing port 26 wouldn't get us more security. However, it doesn't
> seem to get less security either. I don't see it as a useless complication, it
> looks rather like a simplification to me.
>
> Valdis' citation about 60% of SMTP servers is also correct, but indeed it
> shouldn't be a problem. I'd change the line about naming to:
>
> If a mail server support port 26 (smtps), then they MAY (was "should")
> name their MX server with "smtps-" prefix.
>
> Prefix should never be checked automatically. Admins every now and then look
> at MX names, and if they start to see those prefixes, they may decide to
> activate their server test-port-26 option. Gullible, eh? However, MTA-STS is
> certainly more complicated and costly. For one thing, you have to pay an extra
> mta-sts.example.com <http://mta-sts.example.com> certificate (unless you
> already afforded a wildcard). For clients it's much much more work.
>
> *Port 26 is simple*. Straightforward for servers that already implement 465.
> No-brainer for clients. The only risk is connection timeout on a
> non-interactive job. Does it hurt?
>
>
> Best
> Ale
> --
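The downgrade argument quoted above (an on-path attacker who answers port 25 in plaintext and tunnels to the server's port 26, defeated only when the client already knows over a secure channel that the peer supports TLS) carried through as a small client-policy model. This is an added example, not code from the thread or from any MTA; the server view, attacker function and policy names are assumptions constructed for illustration.

```python
"""Model of the thread's downgrade argument: an opportunistic port-26 client is
downgraded exactly like an opportunistic STARTTLS client, and only a client
with secure prior knowledge that the peer supports TLS (e.g. via DNSSEC)
refuses plaintext, in which case either mechanism works."""
from dataclasses import dataclass

IMPLICIT_TLS, STARTTLS, PLAINTEXT, REFUSED = "implicit-tls", "starttls", "plaintext", "refused"


@dataclass
class ServerView:
    """What the sending client observes of the peer after the network has acted (constructed)."""
    port26_open: bool        # an implicit-TLS listener on port 26 is reachable
    starttls_offered: bool   # the EHLO reply on port 25 advertises STARTTLS


def attacker_downgrade(honest: ServerView) -> ServerView:
    """On-path attacker from the thread: black-holes the client's port-26 attempt
    and answers port 25 itself without STARTTLS, relaying onward to the real
    server's port 26.  The client therefore sees neither TLS signal."""
    return ServerView(port26_open=False, starttls_offered=False)


def choose_transport(seen: ServerView, try_port26: bool, tls_known_secure: bool) -> str:
    """Client delivery policy (hypothetical).
    try_port26: the client has the 'test port 26' option enabled.
    tls_known_secure: the client learned over an authenticated channel that the
    peer supports TLS, so falling back to plaintext is never acceptable."""
    if try_port26 and seen.port26_open:
        return IMPLICIT_TLS
    if seen.starttls_offered:
        return STARTTLS
    return REFUSED if tls_known_secure else PLAINTEXT


def outcomes(try_port26: bool, tls_known_secure: bool) -> tuple[str, str]:
    """Return (transport on an honest network, transport under the attacker)."""
    honest = ServerView(port26_open=True, starttls_offered=True)
    return (choose_transport(honest, try_port26, tls_known_secure),
            choose_transport(attacker_downgrade(honest), try_port26, tls_known_secure))


if __name__ == "__main__":
    for p26 in (False, True):
        for known in (False, True):
            print(f"try_port26={p26!s:5} tls_known_secure={known!s:5} -> {outcomes(p26, known)}")
```

Without secure knowledge both configurations end in plaintext under the attacker; with it both end in a refusal, which is the equivalence the thread argues.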