Re: [exim] Using TLS to encrypt SMTP traffic...

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Using TLS to encrypt SMTP traffic...
Steffen Heil wrote:
> Hi
>
>
>>>>Typical settings include:
>>>>
>>>>daemon_smtp_ports = 25 : 465 : 587
>>>
>>>Typical clients use START_TLS on port 25, but tls-on-connect on 465
>>>(what about 587?). So with the above setting I'd strongly recommend
>>>
>>>tls_on_connect_ports = 465
>>
>>Please ignore everything Bill says about port 465. He
>>continues to advise people to ignore established norms and
>>standards, without warning.
>
>
> I hope I misunderstand, but otherwise that comment is garbage.
>
> In spite of the fact that it may be against standards now I also suggest:
>
> daemon_smtp_ports = 25 : 465 : 587
> tls_on_connect_ports = 465
>
> 25 is for inter-MTA smtp traffic. (explicit tls optionally, usually no auth)
> 587 is for "good" MUA to MTA traffic. (explicit tls preferred, only auth)
> 465 is for "bad" MUA to MTA traffic. (implicit ssl forced, only auth)
>
> There are still clients which don't do STARTTLS but only implicit SSL.
> Some versions of Outlook for example.
>
> If you configure this server only for yourself, drop port 465 completely.
> However, if you need to support clients with somehow broken smtp/ssl
> implementations, you have no chance to do otherwise.
>
> I cannot afford to drop that many customers, maybe you can...
>
> Regards,
> Steffen
>


Can't argue with that - we still keep 465 open for the same reason, simply no
longer configure current MUA to use it.

But, as you do in calling it "bad MUA to MTA" (I'd be kinder and say 'legacy'
and "MSA") I no longer recommend 'new' use of 465.

Not since the IANA/IETF have officially set a different use for that port (FEB
2006) anyway.

PRIOR to that date - *many* folks fought long and hard to keep smtps on 465.

Whether Herr Sherman likes it or not, that battle is over. IANA have spoken.

Digging out older posts - mine included - is no longer relevant.

Further, the new use IANA have assigned for 465 has caused obviously non-smtp
calls to port 465, which one can expect will increase over time if/as/when the
new 'rendezvous' protocol gains acceptance.

Eventually, that may cause enough confusion/needless IP connection load to make
it a good idea to shut that port if NOT offering the new service.

If anyone has ignored 'established practice' - tens of millions of MUAs that
are equipped for smtps / SSL on port 465 - it is the IANA/IETF - not I.

Ancient history now. Like it or not, we should move on and use 587.

Thanks,

Bill
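The port split Steffen describes (25 for inter-MTA traffic without AUTH, 587 with STARTTLS and AUTH, 465 as legacy implicit TLS with AUTH) written out as an Exim configuration fragment. This is an added illustration, not configuration from the thread or from the Exim project; it assumes Exim 4.8x variable names ($tls_in_cipher, $received_port), and the certificate paths are placeholders.

```exim
# Added example; not configuration from this thread or from the Exim project.
# Assumes Exim 4.8x names: $tls_in_cipher, $received_port. Paths are placeholders.

# Listen on the MTA port, the submission port and the legacy implicit-TLS port.
daemon_smtp_ports    = 25 : 465 : 587

# Only 465 wraps the session in TLS before any SMTP dialogue;
# 25 and 587 offer STARTTLS instead.
tls_on_connect_ports = 465
tls_advertise_hosts  = *
tls_certificate      = /etc/exim/certs/PLACEHOLDER.pem
tls_privatekey       = /etc/exim/certs/PLACEHOLDER.key

# Advertise AUTH only on the submission ports (465, 587) and only once TLS is
# established, so credentials are never offered over a clear-text session.
# def:tls_in_cipher is true only after the TLS handshake has completed.
auth_advertise_hosts = ${if and {{def:tls_in_cipher} \
                                 {or {{eq{$received_port}{587}} \
                                      {eq{$received_port}{465}}}}} {*}{}}

acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Submission ports: accept only authenticated senders and apply the
  # submission-mode fixups (Sender/Date/Message-ID handling).
  accept  condition     = ${if or {{eq{$received_port}{587}} \
                                   {eq{$received_port}{465}}}}
          authenticated = *
          control       = submission

  # Anything else arriving on a submission port is unauthenticated: refuse it.
  deny    condition     = ${if or {{eq{$received_port}{587}} \
                                   {eq{$received_port}{465}}}}
          message       = authentication required on submission ports

  # Port 25: ordinary inter-MTA traffic, no AUTH expected.
  accept
```

Port 465 stays reachable for MUAs that cannot do STARTTLS, but both submission ports behave identically once TLS is up, so the only difference a client sees is whether TLS starts at connect or after EHLO.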