Re: [exim] STARTTLS before EHLO?

Author: W B Hacker
Date:  
To: exim-users
Subject: Re: [exim] STARTTLS before EHLO?
Dean Brooks wrote:

> On Wed, Feb 08, 2006 at 04:44:57AM +0800, W B Hacker wrote:
>
>>> Marc Sherman wrote:
>>>
>>> This has come up before; if you're going to recommend to
>>> random list posters that they configure 587 for
>>> tls_on_connect, please warn them explicitly that your
>>> configuration is very non-standard.
>>
>> 'Legacy', perhaps, but not 'non-standard' w/r our use of
>> those two ports.

> Using tls_on_connect on 465 is legacy.

As of yesterday it became a more interesting issue:

IANA published list as of February 7, 2006:

urd        465/tcp    URL Rendesvous Directory for SSM
igmpv3lite 465/udp    IGMP over UDP for SSM


- 'SSM' is yet-another proprietary protocol from Cisco. :-(


> Using it on 587 is non-standard


The IANA registration has not specified port 587 for any
particular protocol, smtp or otherwise:

submission    587/tcp    Submission
submission    587/udp    Submission


By definition, a 'submission' port NOT being 'public facing',
one should not expect any more detail than that any time soon.

> and most assuredly not legacy.


RFC 2476 (DEC 1998) provided for several means of encryption of
both message content and the connection itself.

IPSec, SSL-tunnel, and SSL were in use long before enough MUAs
were STARTTLS enabled to permit ISPs to begin moving toward it.
Many still have not started, and many who have done so remain
frustrated by in-place MUA limitations.

Even the more recent RFC 3207 has the requisite 'escape'
clauses. It specifies how to 'do properly' what one may -
because of the 'loose' IANA registration - choose to 'not do at
all'.

As of 7 February 2006, only ports 25 and 465 have 'smtp'
attached to their specification.

> It's your network, do what you want with it, but I would
> agree that it


My servers, but the 'network' is a public asset, and we are
pleased to conform to 'generally accepted practice' - hard rules
or not.

Port 587 is not yet one of those, and its settings are harmless
to the 'net as a whole. Only the MUAs of one's *own
client-base* should seek a submission port - and MUST 'authenticate'.

Arriving via already-on SSL is a part of our auth process.

Passing confusing EHLO messages to a variety of MUA's is not.

'KISS' method rules.

> is not good advice to recommend using tls_on_connect for 587
> MSA ports


All the above aside..

It was NOT 'recommended' - it was *illustrated*.

And that only in response to the specifics of the OP's question.

Sounded as if he wanted to know if he could roll-in Exim to
replace an older MTA and still support a mixed user community at
cutover w/o having to run about and change all the MUA settings
*first*.

- That is a not uncommon real-world need.

He apparently was not planning to use it in any case (per his
later post...). Well and good. Others may need it.

> unless there is a specific need for it.
Which there very much is, and not just in our shop.

Think 'cutover'. Look at the postings here from folks still
running Exim 3X. Sendmail and Postfix shops and the MUA's
attached can be even older.


As to what port is used to do what, with which, and to whom, a
look at even IANA's newest list is akin to stepping into a
time-capsule.

Note that Jon Postel, and his e-mail address, is still listed as
the 'contact' for a great many of the port services, despite the
fact that he passed away over seven years ago...

A deserved tribute to a pioneer, yes.

Practical? Not so sure.

'tempus' may fugit. IANA is not quite as swift.

YMMV,


Bill
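For readers who want to see the two port arrangements argued about in this thread side by side, the following Exim 4 configuration fragment is an added illustration, not Bill's configuration or anything posted in the thread. It puts 465 on tls_on_connect (TLS from the first byte) and leaves 587 as plain SMTP offering STARTTLS per RFC 3207, and it enforces the one point both sides agree on: a connection on a submission port must authenticate before it may relay. The domain, certificate paths and port list are assumptions. (The "urd" entry for 465 quoted above was the IANA state in 2006; RFC 8314, in 2018, registered 465 as "submissions", i.e. implicit TLS, so the legacy arrangement is now the documented one.)

```exim
# Added example; not from the original post. Hostnames and paths are assumed.
domainlist local_domains = example.com

# Listen on the MTA port and on both submission ports.
daemon_smtp_ports = 25 : 465 : 587

# 465: TLS from the first byte (no banner until the handshake completes).
# 587: plain SMTP that advertises STARTTLS.
# The variant the thread calls "illustrated, not recommended" would be
#   tls_on_connect_ports = 465 : 587
tls_on_connect_ports = 465

tls_advertise_hosts = *
tls_certificate = /etc/exim/tls/mail.example.com.pem   # assumed path
tls_privatekey  = /etc/exim/tls/mail.example.com.key   # assumed path

# Only advertise AUTH once the session is encrypted, whether by
# tls_on_connect or by STARTTLS, so credentials never cross in clear.
# $tls_in_cipher is unset on a plaintext session (older releases name it $tls_cipher).
auth_advertise_hosts = ${if def:tls_in_cipher {*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Anything arriving on a submission port must have authenticated,
  # however the TLS was established.
  deny    condition = ${if match{$interface_port}{^(465|587)$}}
          !authenticated = *
          message = Submission ports require SMTP AUTH

  # Authenticated clients may relay anywhere.
  accept  authenticated = *

  # Unauthenticated port-25 traffic: accept only for domains we host.
  accept  domains = +local_domains

  deny    message = relay not permitted
```

A quick check with `exim -bV` and `exim -bP tls_on_connect_ports` confirms which ports the running daemon treats as implicit TLS; a plaintext client connecting to 465 will see no 220 banner (the server is waiting for a ClientHello), which is exactly the "confusing EHLO" situation for MUAs that the thread describes.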