Re: [exim] Closing off Port to non-SSL traffic

Góra strony
Delete this message
Reply to this message
Autor: Viktor Dukhovni
Data:  
Dla: exim-users
Temat: Re: [exim] Closing off Port to non-SSL traffic
On Sun, Jun 26, 2022 at 03:52:56PM +0200, Mark Elkins via Exim-users wrote:

> > I am curious. Why do you not allow your users to user port 465 ?
> > RFC 8314 https://datatracker.ietf.org/doc/html/rfc8314#section-7.3
> > repurposed this as a mail *submission* port with Implicit TLS.
>
> Reading RFC 8314
> https://datatracker.ietf.org/doc/html/rfc8314#section-7.3 - it seems
> there is confusion over the use of this port. I've always assumed that
> some MTA clients may use port 465 - rather than using port 25.


No.

    * MTA-to-MTA SMTP relay is always over port 25.
    * Port 465 was always MUA-to-MTA submission.


This is because MX records don't signal port numbers, only
host names, so the port number MUST be a prior fixed value.

This of course does not prevent "private" arrangements where some
particular MTAs relay some mail via port 465 to some other *specific*
MTAs under suitable conditions (particular envelope or content
features). Such arrangements would always be local policy exceptions to
how email is routed over the public Internet (as specified in RFC5321).

> Port 587 has always been the mail submission port - friends confirmed
> this to me.


Friends make mistakes. The authoritative sources are:

    https://www.rfc-editor.org/rfc/rfc2476
    https://www.rfc-editor.org/rfc/rfc4409
    https://www.rfc-editor.org/rfc/rfc6409
    https://www.rfc-editor.org/rfc/rfc5068


The use of 465 for submission over TLS was a non-standard Microsoft
Exchange/Outlook feature for many years, only recently elevated to
standard in https://www.rfc-editor.org/rfc/rfc8314

> Reading the above - looks like I'm wrong and should also (or rather) run
> port 465 on my incoming (SMTP-Relay) mail servers.


No. SMTP relay servers are MTA-to-MTA SMTP, and so unavoidable on port 25.

Only submission is on ports 687 and 465.

> I assume that just means enabling that port?


Well, it has to be configured correctly, with TLS wrapping the use of
the SMTP protocol, rather that the SMTP protocol facilitating TLS via
STARTTLS.

> Users should then set SSL/TLS encryption on port 465? (which means me
> talking to all of them)


Or just let them choose. Gradually, more of them will organically move
to 465, and you (or who ever you saddle with the burden) can "talk" to
the long-tail users in 10 years or so.

> Would also love to know why then can we still run STARTTLS on port 587
> - if it is so insecure?


It isn't. And the risks are not to SMTP servers and clients, but rather
to web browsers and the like that can be convinced to misinterpret
reflected text in error messages.

The basic issue of injection of buffered pre-TLS cleartext into a post
STARTTLS session was resolved in Postfix and IIRC also Exim quite some
time ago. So there's little reason to avoid port 587 with these MTAs.

Various other STARTTLS implementations (in IMAP servers, and less
mainstream SMTP servers) might not have gotten the memo, but you
should be fine.

-- 
    Viktor.