On Mon, 17 Feb 2003, James P. Roberts wrote:

> STARTTLS begins with a normal, clear-text session, during which the
> server usually advertises support for STARTTLS. After a clear-text
> "STARTTLS" command from the client, server and client negotiate
> encryption (everything from here on out looks scrambled), which persists
> for the remainder of the connection.

Indeed. That is how TLS is supposed to be used on SMTP connections (see
RFC 2487).

> SMTPS was rather more difficult to understand, as the very first command
> from the client is not clear-text. It looks garbled to anything except
> a server listening specifically for encrypted SMTPS traffic.

SMTPS was a hack that was invented before RFC 2487 came out. I regard
its use as obsolete, and any software that uses it as "legacy".

> Philip, I know you said it would probably never happen, but I would like
> to add this to the Exim Wish List anyway. The ability to handle both
> STARTTLS and SMTPS, from a single Exim, on different ports.

I do not like this idea, because it encourages the continued use of
non-standards. I think there's already enough in Exim - you can use "a
single Exim" on different ports - but you have to run two daemon
processes. However, you do not need two different configs.

> It is certainly the case that work-arounds exist
> (two-daemon solutions). But this is not quite satisfying.

Why are two daemons so unsatisfying?

> I don't think we ever need both STARTTLS and SMTPS on the same port?

That is unimplementable. How does the server know?

Philip

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???                Cambridge, England. Phone: +44 1223 334714.
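The two connection styles discussed in the exchange above, as an added client-side example in Python that is not from the thread and is not Exim code: the clear-text phase of STARTTLS is written over file objects so it can be exercised offline against a constructed server transcript, and `connect()` shows how SMTPS differs by starting TLS before a single SMTP byte is exchanged. The host names, the transcript and the function names are made up for the example.

```python
import io
import socket
import ssl
# Constructed server transcript for offline use: greeting, EHLO reply, STARTTLS reply.
SAMPLE_SERVER = (b"220 mail.example.invalid ESMTP\r\n"
                 b"250-mail.example.invalid\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n"
                 b"250 HELP\r\n220 TLS go ahead\r\n")

def read_reply(rfile):
    """Read one SMTP reply ("250-" lines continue it, "250 " ends it) -> (code, text lines)."""
    lines = []
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line[:3].isdigit():          # also catches EOF (empty read)
            raise ConnectionError(f"bad or missing SMTP reply: {line!r}")
        lines.append(line[4:])
        if line[3:4] != "-":
            return int(line[:3]), lines

def negotiate_starttls(rfile, wfile, client_name="client.example.invalid"):
    """Clear-text phase of RFC 2487: greeting, EHLO, check the STARTTLS advertisement,
    send STARTTLS. True means the server replied 220 and TLS may now be started."""
    if read_reply(rfile)[0] != 220:
        raise ConnectionError("unexpected greeting")
    wfile.write(f"EHLO {client_name}\r\n".encode("ascii")); wfile.flush()
    code, lines = read_reply(rfile)
    if code != 250:
        raise ConnectionError(f"EHLO rejected with {code}")
    # lines[0] is the server's domain; each later line is one extension keyword.
    extensions = {l.split()[0].upper() for l in lines[1:] if l.strip()}
    if "STARTTLS" not in extensions:
        return False
    wfile.write(b"STARTTLS\r\n"); wfile.flush()
    return read_reply(rfile)[0] == 220

def simulate_starttls(server_transcript):
    """Drive the clear-text phase from canned server bytes -> (accepted, bytes client sent)."""
    wfile = io.BytesIO()
    return negotiate_starttls(io.BytesIO(server_transcript), wfile), wfile.getvalue()

def connect(host, port, smtps):
    """smtps=True: TLS before any SMTP bytes. Otherwise clear text, then TLS after STARTTLS."""
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port))
    if smtps:
        return ctx.wrap_socket(sock, server_hostname=host)
    if not negotiate_starttls(sock.makefile("rb"), sock.makefile("wb")):
        sock.close()
        raise ConnectionError("STARTTLS not offered; refusing to continue in clear text")
    return ctx.wrap_socket(sock, server_hostname=host)  # then EHLO again over TLS
```

After `connect(host, port, smtps=False)` returns, the caller sends EHLO again over the TLS socket and must not touch the clear-text file objects further. `simulate_starttls(SAMPLE_SERVER)` runs the whole clear-text phase without a network.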