Author: Lars Mainka
To: Marc Sherman
CC: Exim Users
Subject: Re: [exim] Why is STARTTLS preferred over tls_on_connect_ports?
Hi Marc,
Marc Sherman wrote:
> After writing the answer to Guy De Leeuw's question about TLS, I got to
> thinking; why is STARTTLS after connection on ports 25/587 preferred to
> tls_on_connect_ports on port 465? I know that the latter was only
> implemented recently, and previously it required a separate daemon
> running with a command line switch, but the emails discussing that
> implied that implementing tls_on_connect_ports wasn't just a pain, it
> was distasteful and wrong as well. What's the reasoning behind that?
Don't know, but IMHO SMTP should only be used on port 25. Every other port has to be known before
connecting to it, and that is usually only possible for known mail hosts.
> It seems to me that with tls_on_connect_ports, you get a *slightly* more
> secure session, because the HELO/EHLO doesn't travel in the clear,
> reducing the info available for traffic analysis by an attacker.
In my opinion, tls_on_connect is nothing other than STARTTLS in terms of security. Since you
can configure Exim to allow only EHLO/HELO and STARTTLS on connect, the result will be the same. You
won't get more information about the client connecting to the server if you did not use
tls_on_connect, because the layer 3 information, like the IP address and so on, will be the same.
And it is definitely not correct that tls_on_connect will give you more security. Both TLS on
connect and STARTTLS will (or better, should) use the same level of security. The encryption is the
same; the main difference is *when* the encryption is negotiated between the hosts. On connect,
you have to agree on connection information before connecting; on the other hand, with STARTTLS you can
negotiate that information within an established connection. TLSv1 is more convenient than agreeing
on this information beforehand.
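The configuration Lars refers to ("allow only EHLO/HELO and STARTTLS on connect") looks roughly like the fragment below. It is an added example written for this page, not configuration posted by either participant or shipped with Exim. It assumes a recent Exim 4 (the `$tls_in_cipher` variable and `tls_on_connect_ports` option), and the certificate paths and port choices are placeholders. Ports 25 and 587 use STARTTLS, port 465 uses TLS on connect; on 587 the ACL refuses MAIL FROM until the session is encrypted, so the only things a client can do in the clear are EHLO and STARTTLS, which is exactly the remaining exposure Marc describes (the EHLO name) and why the two modes otherwise reveal the same layer 3 information.

```exim
# Main section: listen on the three ports, with 465 doing TLS immediately
# after the TCP connection and 25/587 negotiating it via STARTTLS.
daemon_smtp_ports = 25 : 587 : 465
tls_on_connect_ports = 465

# Offer STARTTLS to everyone; certificate paths are placeholders.
tls_advertise_hosts = *
tls_certificate = /etc/exim/certs/PLACEHOLDER-host.pem
tls_privatekey  = /etc/exim/certs/PLACEHOLDER-host.key

# Only advertise AUTH once a cipher is in use, so passwords never cross
# the wire before encryption, whichever port the client chose.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # On the submission port, anything beyond EHLO/STARTTLS must already be
  # encrypted. Port 25 is left alone so MX traffic from hosts without TLS
  # still gets through; on 465 the session is encrypted before any command.
  deny  condition = ${if eq{$interface_port}{587}}
        !encrypted = *
        message    = Encryption required on this port: issue STARTTLS first
  accept
```

With this in place, a capture on port 587 shows the banner, the EHLO, the STARTTLS command and the TLS handshake in the clear, and nothing else; a capture on port 465 shows only the handshake. Both sessions then carry identical protected traffic, which is the point Lars makes about the encryption itself being the same.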