Re: [exim] Closing off Port to non-SSL traffic

Góra strony
Delete this message
Reply to this message
Autor: Andrew C Aitchison
Data:  
Dla: Mark Elkins
CC: exim-users
Temat: Re: [exim] Closing off Port to non-SSL traffic
On Sun, 26 Jun 2022, Mark Elkins via Exim-users wrote:

> Seems I need to do more learning....
>
> On 6/26/22 9:19 AM, Andrew C Aitchison via Exim-users wrote:
>> On Sat, 25 Jun 2022, Mark Elkins via Exim-users wrote:
>>
>>> Not sure if I'm missing the boat or what but - for one of my users to send
>>> email - they must use mail Submission port 587 - and nothing else. That's
>>> on a server that only listens on port 587. This works fine until a user
>>> "shares" their password. I also have a script that looks how many emails
>>> are in the Send queue and get excited if it grows too large. They use Port
>>> 587 with STARTTLS encryption.
>>>
>>> My users can not send mail via port 25 (or 465) with User authentication
>>> by design - on the other mail server that they fetch (POP3@995/IMAP@993)
>>> mail from.
>>
>> I am curious. Why do you not allow your users to user port 465 ?
>> RFC 8314 https://datatracker.ietf.org/doc/html/rfc8314#section-7.3
>> repurposed this as a mail *submission* port with Implicit TLS.
>
> Very simply - looking in /etc/systems gives me.... (Am running Gentoo Linux -
> basically an up to date version)
>
> $ egrep '25|465|587' /etc/services
> smtp        25/tcp        mail        # Simple Mail Transfer
> smtp        25/udp
>
> urd        465/tcp        smtps ssmtp    # URL Rendesvous Directory for SSM /
> smtp protocol over TLS/SSL
> igmpv3lite    465/udp        smtps ssmtp    # IGMP over UDP for SSM
>
> submission    587/tcp                # mail message submission
> submission    587/udp
>
> Reading RFC 8314 https://datatracker.ietf.org/doc/html/rfc8314#section-7.3 -
> it seems there is confusion over the use of this port. I've always assumed
> that some MTA clients may use port 465 - rather than using port 25.
>
> Port 587 has always been the mail submission port - friends confirmed this to
> me.


I only learnt of rfc8314 this month :-)

Originally Microsoft (IIRC) started using tcp/465 for submission over TLS
but did not register the port with the IETF, so it was later registered
for something else (from your /etc/services it looks like urd)
but tcp/465 continued to be used for submission over TLS and eventually
rfc8314 happened.

>> If your users could submit on 465 they would not be susceptible to
>> more than 40 vulnerabilities in STARTTLS implementations
>> https://nostarttls.secvuln.info/
>
> Reading the above - looks like I'm wrong and should also (or rather) run port
> 465 on my incoming (SMTP-Relay) mail servers. I assume that just means
> enabling that port?
> Users should then set SSL/TLS encryption on port 465? (which means me talking
> to all of them)
>
> (I'd appreciate an answer on this)


That looks good.

The main (global) configuration option settings section should have:
     daemon_smtp_ports = 25 : 465 : 587
     tls_on_connect_ports = 465
- remember to restart exim after updating.
You can use names from /etc/services here;
I don't know if the Debian config has a preferred way of doing it.
Once you have no desirable traffic on 587 you could remove it.


Yes, you will need to talk to your users; at least the Microsoft ones
will probably find they are setting something back towards the defaults.

> Would also love to know why then can we still run STARTTLS on port 587 - if
> it is so insecure?


You might wish to read most of rfc8314. It was only ratified four and a half
years ago. As it says in section 3.3
    Note that there is no significant difference between the security
    properties of STARTTLS on port 587 and Implicit TLS on port 465 if
    the implementations are correct and if both the client and the server
    are configured to require successful negotiation of TLS prior to
    Message Submission.
- the issue is "if the implementations are correct".
It is only a year since "NoSTARTTLS" was published and 587 is very
widely used. Earlier in section 3.3, rfc8314 does suggest transitioning
MUA software to Implicit TLS *over time*.


> Just convert it to an immediate TLS,


You should definitely read RFC8314 Appendix A:
https://www.rfc-editor.org/rfc/rfc8314.html#appendix-A

> or even make both options (Immediate TLS and STARTTLS) available?


I think trying to code both over the same port would produce even more bugs,
especially as one use would be handled by the tls library and one by the
mail server directly.

> Am running:- Exim version 4.94.2,  4.95 should be arriving soon.

4.96 came out this week, should you wish to work a little harder.

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???