Re: [exim] Tls on connect as and SMTP Client

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Tls on connect as and SMTP Client
Bill Milford wrote:
> Hello All,
> I deliver my mail using a smarthost router to my ISP - AT&T Yahoo DSL. They just sent a memo out that
> effective March 1, 2007 they are requiring us to use TLS-ON-CONNECT on port 465 to send mail. I have read
> the sections in the manual about TLS and exim as a client and didn't see anything that will allow me to
> set tls-on-connect as a client. I know I can use port = 465 in the transport to force the traffic to
> SSMTP port. Does this tls-on-connect option exist for SMTP clients?
>
> Bill


Quite aside from the 'how' - left to others - is the 'why'.

Is that information posted on the AT&T/Yahoo website, or otherwise public?

It seems one must already be a customer to get past the adverts to technical
data (if any!).


Port 465 was 'officially' reassigned by the IANA just about a year ago - to a
proprietary Cisco protocol that has nothing to do with smtp.

See:

http://www.iana.org/assignments/port-numbers

and find:

urd             465/tcp    URL Rendesvous Directory for SSM
igmpv3lite      465/udp    IGMP over UDP for SSM
#                          Toerless Eckert <eckert@???>
The port assigned for 'submission' is 587, op cit:

submission    587/tcp    Submission
submission    587/udp    Submission
#               [RFC4409]
per RFC 4409, STARTTLS 'MAY' be offered, and conventionally *usually is* advertised.

Other forms of security/encryption for AUTH, traffic, and/or the link itself are
mentioned, but none are specifically required or prohibited. Port 587 is
considered a 'local' port in the sense that it does not arbitrarily 'reach out
and touch' the internet at large. IOW - an entity configuring oddly affects only
their own 'constituency' - so the rules are more about 'how to do properly' than
'must always do TLS' (or even limit to 'smtp' vs 'cousins').

That could be seen as leaving an opening for AT&T/Yahoo to offer their
user-community SSL/TLS_on_connect via port 587 instead of TLS.

But the year-old re-assignment of 465 to other use does no such thing.

"Legacy" or no, 465 is no longer appropriate for mail at all.

JM2CW - YMMV.

Bill Hacker