[exim] [PATCH 2/2] Docs: state out why ssmtp is not obsolete

Author: Bjoern Jacke
Date:  
To: Exim-users
CC: Björn Jacke
Previous topics: [exim] [PATCH 1/2] Docs: clarify GnuTLS cipher precedence setting
Subject: [exim] [PATCH 2/2] Docs: state out why ssmtp is not obsolete
From: Björn Jacke <bjacke@???>

Clients often just do opportunistic STARTTLS, which makes submission using
STARTTLS vulnerable to MITM attacks for those clients. Using SMTPS without the
optional STARTTLS mitigates that effectively. The docs should mention this
instead of just saying that SSMTP is obsolete or deprecated.
---
doc/doc-docbook/spec.xfpt | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 0bb013a..c775f87 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -13028,14 +13028,14 @@ value of &%daemon_smtp_ports%& is no longer relevant in this example.)



-.section "Support for the obsolete SSMTP (or SMTPS) protocol" "SECTsupobssmt"
+.section "Support for the SSMTP (or SMTPS) protocol" "SECTsupobssmt"
.cindex "ssmtp protocol"
.cindex "smtps protocol"
.cindex "SMTP" "ssmtp protocol"
.cindex "SMTP" "smtps protocol"
-Exim supports the obsolete SSMTP protocol (also known as SMTPS) that was used
-before the STARTTLS command was standardized for SMTP. Some legacy clients
-still use this protocol. If the &%tls_on_connect_ports%& option is set to a
+Exim supports the SSMTP protocol (also known as SMTPS) in addition to
+the STARTTLS command was standardized for SMTP.
+If the &%tls_on_connect_ports%& option is set to a
list of port numbers or service names,
connections to those ports must use SSMTP. The most
common use of this option is expected to be
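Review bot: the new sentence on the `+Exim supports the SSMTP protocol (also known as SMTPS) in addition to` / `+the STARTTLS command was standardized for SMTP.` lines is ungrammatical; "in addition to the STARTTLS command was standardized for SMTP" splices two clauses together. Suggest "Exim supports the SSMTP protocol (also known as SMTPS) in addition to the standardized STARTTLS command." Dropping "Some legacy clients still use this protocol." also removes the only statement in this section of why SSMTP is offered at all, while the actual rationale (non-enforcing clients being downgraded) is only added to the later chapter; add a one-line pointer to that section here so a reader landing on this section from the tls_on_connect_ports entry sees it. The anchor name SECTsupobssmt still carries the "obs" from the old title; keeping it is correct since the tls_on_connect_ports entry references it.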
@@ -16677,7 +16677,7 @@ Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
.cindex SSMTP
.cindex SMTPS
This option specifies a list of incoming SSMTP (aka SMTPS) ports that should
-operate the obsolete SSMTP (SMTPS) protocol, where a TLS session is immediately
+operate the SSMTP (SMTPS) protocol, where a TLS session is immediately
set up without waiting for the client to issue a STARTTLS command. For
further details, see section &<<SECTsupobssmt>>&.

@@ -26286,10 +26286,15 @@ waiting for a STARTTLS command from the client using the standard SMTP
port. The protocol was called &"ssmtp"& or &"smtps"&, and port 465 was
allocated for this purpose.

-This approach was abandoned when encrypted SMTP was standardized, but there are
-still some legacy clients that use it. Exim supports these clients by means of
-the &%tls_on_connect_ports%& global option. Its value must be a list of port
-numbers; the most common use is expected to be:
+Plain SSL for SMTP was officially deprecated in favor of the STARTTLS approach.
+You should consider though, that clients often use opportunistic STARTTLS and do
+not enforce TLS unconditionally. This makes the communication between those
+clients and server easily vulnerable to MITM attacks, which can suppress
+encyrption completely. For that reason some people still prefer SSMTP and do
+not enable SMTP via port 587 to mitigate the possibility of such MITM attacks.
+Exim supports smtps for clients by means of the &%tls_on_connect_ports%& global
+option. Its value must be a list of port numbers; the most common use is
+expected to be:
.code
tls_on_connect_ports = 465
.endd
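Review bot: typo on the `+clients and server easily vulnerable to MITM attacks, which can suppress` / `+encyrption completely.` lines; "encyrption" should be "encryption". "do not enable SMTP via port 587" is imprecise for reference documentation: the point of the paragraph is that a client which does not enforce TLS on a STARTTLS port can be downgraded by an active attacker, whereas on a tls_on_connect port the TLS session is set up before any SMTP command is exchanged, so there is nothing to strip; the mitigation is therefore not offering STARTTLS-based submission on 587 at all, and the text should say so rather than "do not enable SMTP via port 587". "For that reason some people still prefer SSMTP" is vague; state the condition ("when clients cannot be trusted to require TLS") instead of who prefers what. Minor: "You should consider though, that" should read "You should consider, though, that", and the paragraph mixes "SSMTP" and lowercase "smtps" on the `+Exim supports smtps for clients by means of` line; the surrounding text uses SSMTP (SMTPS), so match it.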
--
2.4.2