Re: [Uta] What's the right thing to do about Port 465?

Chris Newman <chris.newman@oracle.com> Tue, 11 March 2014 02:55 UTC

Date: Mon, 10 Mar 2014 19:54:03 +0000
From: Chris Newman <chris.newman@oracle.com>
To: Keith Moore <moore@network-heretics.com>, uta@ietf.org
Message-id: <18E382E9817F03CAC7D0DB68@[192.168.15.107]>
In-reply-to: <531D6338.7050505@network-heretics.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C711FB9AAD89@USMBX1.msg.corp.akamai.com> <8691BA706C9BAB52D64A8444@96B2F16665FF96BAE59E9B90> <00cd01cf3b05$4e5fa500$eb1eef00$@huitema.net> <531D60FC.2090604@cisco.com> <531D6338.7050505@network-heretics.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/aXE5Ss0plpIogUzvxuPJ1f9FBtI

--On March 10, 2014 3:01:12 -0400 Keith Moore <moore@network-heretics.com> 
wrote:
> On 03/10/2014 02:51 AM, Eliot Lear wrote:
>> Routers running URD intercept all packets using port 465, regardless
>> of destination.
>
> So is the right thing to do:
>
> a)  Recommend port 465 anyway, but document the problem with these
> routers?
>
> b)  Allocate and recommend a different port, even though that's going to
> increase configuration difficulties for the vast majority of legacy
> clients? (and assuming that new clients default to the new port, also
> complicate configuration of those clients with legacy servers?)
>
> c) Allocate a different port to be the "official" port, recommend that
> servers support both ports when feasible (for the benefit of legacy
> clients), and recommend that new clients use SRV lookup to discover the
> submissions port?
>
> d) something else?

I don't think there's a "right thing" to do in this situation. I am opposed 
to registering a new well-known-port for "submissions"; that will create 
real interoperability and deployment problems for no benefit other than 
registry purity. So I do not support options b & c. Here are three options, 
in my order of preference, that I do not believe make things worse than 
they are today:

1. Recommend port 465, but document the problem with these routers.

2. Recommend use of STARTTLS on port 587. This makes our Submission + TLS 
recommendation asymmetric with our recommendation for other MUA protocols, 
but it does not make the current deployment situation worse. STARTTLS 
remains the only option for SMTP relay, so it could be argued this keeps 
SMTP consistent. However, STARTTLS does seem to be somewhat more difficult 
to deploy/test/configure than implicit TLS in practice so I believe option 
1 will result in more use of TLS for submission than this option.

3. Do not register a new well-known-port for "submissions". Clients wishing 
to use "submissions" service MUST use SRV record lookups as documented in RFC 
6186. Choice of port is a matter for service providers. This will be more 
difficult to deploy than 1, particularly because it requires SRV-ID (or 
DANE) support and has near zero deployment today.

I prefer 1, but can live with any of these three options.

		- Chris
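The SRV-based discovery of option 3, as an added example that is not code from the post or from the IETF: RFC 2782 priority/weight ordering over constructed SRV records for a hypothetical example.com zone, plus the reference identities (SRV-ID or the user's own domain, per RFC 6186 section 6) a client must match against the server certificate. The port-587 fallback when no SRV record exists is an assumption, not something the post specifies.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str  # "." means "service not offered here" (RFC 2782)

# Constructed zone data standing in for a DNS answer (hypothetical domains).
CONSTRUCTED_SRV = {
    "_submission._tcp.example.com": [
        Srv(10, 60, 587, "mail1.example.com."),
        Srv(10, 40, 587, "mail2.example.com."),
        Srv(20, 0, 465, "backup.example.com."),
    ],
    "_submission._tcp.nosubmit.example": [Srv(0, 0, 0, ".")],
}

def order_srv(records, rng=random.random):
    """RFC 2782 target selection: ascending priority, weighted random within one."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            pick = rng() * sum(r.weight for r in bucket)
            for r in bucket:
                pick -= r.weight
                if pick <= 0 or r is bucket[-1]:  # all-zero weights fall through
                    ordered.append(r)
                    bucket.remove(r)
                    break
    return ordered

def discover_submission(domain, lookup=CONSTRUCTED_SRV.get, rng=random.random):
    """Ordered (host, port) candidates for the user's mail domain."""
    records = lookup(f"_submission._tcp.{domain}")
    if records is None:
        return [(domain, 587)]  # assumed fallback: well-known port, STARTTLS
    if any(r.target == "." for r in records):
        return []  # provider says: no submission service, do not guess
    return [(r.target.rstrip("."), r.port) for r in order_srv(records, rng)]

def reference_identities(domain):
    """Identities the certificate must match (RFC 6186 s.6, RFC 6125 s.6.2.1):
    the user's domain, not the unauthenticated SRV target (unless DNSSEC/DANE)."""
    return {"SRV-ID": f"_submission.{domain}", "DNS-ID": domain}
```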