Re: [exim] Closing off Port to non-SSL traffic

Author: Slavko
Date:  
To: exim-users
Subject: Re: [exim] Closing off Port to non-SSL traffic
Hi,

On Sun, 26 Jun 2022 15:52:56 +0200 Mark Elkins via Exim-users
<exim-users@???> wrote:

> urd        465/tcp        smtps ssmtp    # URL Rendesvous Directory
> for SSM / smtp protocol over TLS/SSL
> igmpv3lite    465/udp        smtps ssmtp    # IGMP over UDP for SSM
>
> submission    587/tcp                # mail message submission
> submission    587/udp


Your (Gentoo's) services file is outdated; Debian has had this for some years
already (10 Feb 2019 -- changelog):

    grep 465 /etc/services 
    submissions    465/tcp        ssmtp smtps urd # Submission over TLS [RFC8314]


If you want, you can report it to Gentoo; here is the related bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916633

> https://datatracker.ietf.org/doc/html/rfc8314#section-7.3 - it seems
> there is confusion over the use of this port. I've always assumed
> that some MTA clients may use port 465 - rather than using port 25.


Not MAY, they SHOULD (if they support it); 587 is a fallback for old
clients only, and 25/tcp has been deprecated for MUAs for years...

> Users should then set SSL/TLS encryption on port 465? (which means me
> talking to all of them)


Sure, send them email, phone them, meet them... And then wait some time
(weeks, months, ...), then close 587... As I noted elsewhere, I
haven't allowed client connections to 25 or 587 for at least two years...

First set up everything for port 465, then inform clients, of course.
Doing it the other way round will only cause confusion.

> Would also love to know why then can we still run STARTTLS on port
> 587 - if it is so insecure? Just convert it to an immediate TLS, or
> even make both options (Immediate TLS and STARTTLS) available?


STARTTLS is not insecure, it is only less secure than implicit TLS.
STARTTLS is still enough for inter-MTA connections (pure SMTP, not
Submission) -- or, more precisely, better than nothing. But a lot of people
do not distinguish between SMTP and Submission (perhaps because
Submission uses SMTP), so a lot of confusion comes into play.

Beware, switching from 25/587 to 465 by itself doesn't stop AUTH or other
attacks. Attackers are able to use TLS nowadays...

regards

--
Slavko
https://www.slavino.sk
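An Exim main-configuration fragment, added here as an illustration (it is not from the thread above and not Exim's shipped defaults), showing the setup the reply describes: implicit TLS on 465, STARTTLS kept on 587 while clients migrate, and AUTH advertised only once the session is encrypted. The certificate paths are placeholders.

```exim
# Listen on the MTA port, the implicit-TLS "submissions" port and the
# STARTTLS "submission" port. Once all MUAs have moved to 465, drop 587
# from this list to "close" it, as suggested above.
daemon_smtp_ports = 25 : 465 : 587

# Port 465 starts TLS immediately on connect (RFC 8314 "submissions");
# 25 and 587 still negotiate STARTTLS after the EHLO.
tls_on_connect_ports = 465
tls_advertise_hosts = *

# Placeholder paths: point these at the real server certificate and key.
tls_certificate = /etc/exim4/mail.example.com.crt
tls_privatekey  = /etc/exim4/mail.example.com.key

# Advertise AUTH only when the connection is already encrypted
# ($tls_in_cipher is empty on a plaintext session), so a client that
# skips STARTTLS on 587 can never send credentials in the clear.
# This protects the password in transit only: password guessing over
# TLS still works, which is the "doesn't stop AUTH attacks" caveat.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}
```

To check the result from a client, `openssl s_client -connect mail.example.com:465` should get a TLS handshake before any SMTP banner, while `openssl s_client -starttls smtp -connect mail.example.com:587` should show AUTH in the EHLO response only after STARTTLS has completed.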