Re: [exim] Closing off Port to non-SSL traffic

Author: Mark Elkins
Date:  
To: exim-users
Subject: Re: [exim] Closing off Port to non-SSL traffic
Seems I need to do more learning....

On 6/26/22 9:19 AM, Andrew C Aitchison via Exim-users wrote:
> On Sat, 25 Jun 2022, Mark Elkins via Exim-users wrote:
>
>> Not sure if I'm missing the boat or what but - for one of my users to
>> send email - they must use mail Submission port 587 - and nothing
>> else. That's on a server that only listens on port 587. This works
>> fine until a user "shares" their password. I also have a script that
>> looks how many emails are in the Send queue and get excited if it
>> grows too large. They use Port 587 with STARTTLS encryption.
>>
>> My users can not send mail via port 25 (or 465) with User
>> authentication by design - on the other mail server that they fetch
>> (POP3@995/IMAP@993) mail from.
>
> I am curious. Why do you not allow your users to use port 465?
> RFC 8314 https://datatracker.ietf.org/doc/html/rfc8314#section-7.3
> repurposed this as a mail *submission* port with Implicit TLS.


Very simply - looking in /etc/services gives me.... (Am running Gentoo
Linux - basically an up to date version)

$ egrep '25|465|587' /etc/services
smtp        25/tcp        mail        # Simple Mail Transfer
smtp        25/udp

urd        465/tcp        smtps ssmtp    # URL Rendesvous Directory for SSM / smtp protocol over TLS/SSL
igmpv3lite    465/udp        smtps ssmtp    # IGMP over UDP for SSM

submission    587/tcp                # mail message submission
submission    587/udp

Reading RFC 8314
https://datatracker.ietf.org/doc/html/rfc8314#section-7.3 - it seems
there is confusion over the use of this port. I've always assumed that
some MTA clients may use port 465 - rather than using port 25.

Port 587 has always been the mail submission port - friends confirmed
this to me.


> If your users could submit on 465 they would not be susceptible to
> more than 40 vulnerabilities in STARTTLS implementations
> https://nostarttls.secvuln.info/


Reading the above - looks like I'm wrong and should also (or rather) run
port 465 on my incoming (SMTP-Relay) mail servers. I assume that just
means enabling that port?
Users should then set SSL/TLS encryption on port 465? (which means me
talking to all of them)

(I'd appreciate an answer on this)

Would also love to know why we can then still run STARTTLS on port 587 -
if it is so insecure? Just convert it to an immediate TLS, or even make
both options (Immediate TLS and STARTTLS) available?

Thank you!

> [ I should document CVE-2021-38371:
>  before exim 4.95 exim probably was exposed to a man-in-the
>  middle attack on STARTTLS when *sending* email, though
>  it is not clear how it could have been exploited.
>  However a change which was included in 4.95 happened
>  to fix the problem.
> ]


Am running:- Exim version 4.94.2, 4.95 should be arriving soon.

--

Mark James ELKINS  -  Posix Systems - (South) Africa
mje@???       Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
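For the question above about what "enabling" port 465 means in Exim: the main-section options below are an added example, not configuration from this thread or from the Exim project. It lists 465 as an Implicit TLS port beside 587 for STARTTLS, and advertises AUTH only once the session is encrypted on either port; the certificate and key paths are assumptions.

```exim
# Main (global) section of the Exim configuration - added example, not from the thread.
# Listen on 25 for relay, 465 for Implicit TLS submission (RFC 8314) and 587 for
# STARTTLS submission. A submission-only host would drop the 25.
daemon_smtp_ports = 25 : 465 : 587

# Connections arriving on 465 begin the TLS handshake immediately;
# on every other listed port TLS is negotiated with STARTTLS.
tls_on_connect_ports = 465

# Certificate and key paths are assumptions; substitute the server's own files.
tls_certificate = /etc/exim/tls/server.crt
tls_privatekey  = /etc/exim/tls/server.key

# Offer STARTTLS to all clients on the non-implicit ports.
tls_advertise_hosts = *

# Advertise AUTH only when $tls_in_cipher is set, i.e. after TLS is up,
# so a user password is never accepted over a cleartext session on 25 or 587.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}
```

After a restart, `exim -bP daemon_smtp_ports tls_on_connect_ports` prints the values the running daemon picked up; users then choose "SSL/TLS" on 465 or "STARTTLS" on 587 in their clients.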