
STARTTLS considered harmful

STARTTLS considered harmful

Posted Aug 18, 2021 10:15 UTC (Wed) by taladar (subscriber, #68407)
In reply to: STARTTLS considered harmful by james
Parent article: STARTTLS considered harmful

Nobody is saying STARTTLS should be replaced by unencrypted connections. This is about immediately encrypted SMTP vs. unencrypted connections upgraded via STARTTLS.


to post comments

STARTTLS considered harmful

Posted Aug 18, 2021 10:54 UTC (Wed) by james (guest, #1325) (11 responses)

Immediately encrypted SMTP is not a thing, as far as transfer across the Internet to an MX server is concerned. It could be, but you'd have to start by getting a port reserved -- and then persuade everyone to use it.

You would not want to re-use 465: there are good reasons, including firewalling and spam filtering, to be able to distinguish message submission from message transfer. For example, port 25 is widely blocked or rerouted in firewalls, whereas 465 or another port wouldn't be. That means if people started having MX servers listening on port 465 (or another port), spammers would be able to send spam from compromised PCs on networks that block port 25 but don't block 465. It would be possible to filter the majority of that out, at the cost of CPU time, memory usage and bandwidth: this isn't exactly appealing to MX server operators.

The alternatives I'm worried about are proprietary messaging protocols using custom software or web-based message portals, possibly with email notification that "there is a message for you to read". Senders can roll that out without waiting for the Internet to adopt a new protocol.

STARTTLS considered harmful

Posted Aug 18, 2021 11:22 UTC (Wed) by Jonno (guest, #49613) (2 responses)

> You would not want to re-use 465: there are good reasons, including firewalling and spam filtering, to be able to distinguish message submission from message transfer.

Yes, that is why ports 25 & 465 are designated for message *transfer*, while port 587 is designated for message *submission*.

STARTTLS considered harmful

Posted Aug 18, 2021 17:57 UTC (Wed) by james (guest, #1325)

Unfortunately, even if port 465 is designated for message transfer, it's used for message submission, making it unsuitable for use as a message transfer port for the reasons I indicated.

STARTTLS considered harmful

Posted Aug 19, 2021 9:54 UTC (Thu) by jschrod (subscriber, #1646)

RFC 8313 says otherwise; 465 is a submission port.

https://datatracker.ietf.org/doc/html/rfc8314#section-7.3

STARTTLS considered harmful

Posted Aug 18, 2021 19:51 UTC (Wed) by miquels (guest, #59247) (7 responses)

> You would not want to re-use 465

Too late. Has already been done. It is officially registered at IANA as "message Submission over TLS protocol".

Port 465 used to be implicit SMTP over TLS, "smtps", but since you cannot indicate using an MX record that your server wants to accept mail on TLS/465 instead of plain/25, this was revoked. Port 465 was assigned to another service. However, lots of client software was already using port 465 for mail submission, so port 465 was resurrected and is now "submissions" (submission s).

This is described in more detail in https://datatracker.ietf.org/doc/html/rfc8314#section-7.3 .

STARTTLS considered harmful

Posted Aug 19, 2021 8:50 UTC (Thu) by chris_se (subscriber, #99706) (1 response)

Interesting.

I do remember though that I've been behind countless firewalls that blocked both 25 and 465 indiscriminately (in order to hinder clients from directly sending spam from that network), which is why I've only ever used 587 (with STARTTLS) for authenticated mail submission since at least 2008 or so. Has your experience with port 465 been any better in more recent years?

STARTTLS considered harmful

Posted Aug 19, 2021 19:09 UTC (Thu) by miquels (guest, #59247)

> Has your experience with port 465 been any better in more recent years?

Well yes, at my ISP all of 25/465/587 work, and large mail providers like Gmail etc. are also not a problem.
Now I actually happen to work at said ISP as well :) so I just asked our main mail guy for some numbers as to the relative usage of 25/465/587 on our SMTP submission servers. That is, the servers that our customers connect to, to send outgoing mail. Note that we require clients to always use TLS, either STARTTLS on 25 or 587, or implicit on 465.

port   % of connections
25     60.5
465    24.8
587    14.6

STARTTLS considered harmful

Posted Aug 19, 2021 18:28 UTC (Thu) by NYKevin (subscriber, #129325) (4 responses)

> Port 465 used to be implicit SMTP over TLS, "smtps", but since you cannot indicate using an MX record that your server wants to accept mail on TLS/465 instead of plain/25, this was revoked. Port 465 was assigned to another service.

I'm sure this made sense at the time, but by modern standards, this is dumb. They could've just invented a format and stuffed it into TXT records, or even just specified "try 465 first, and fall back to 25 if it fails."

(Yes, I know that resolving exotic DNS records such as TXT was a very questionable thing at the time they made this decision. I'm also aware that implicit fallback carries many of the same problems as STARTTLS. My point is that this is not a decision you would make today - in the long run, those are eventually-solvable problems, and "everything should be encrypted" is a much more widely accepted position now than it was at the time.)

STARTTLS considered harmful

Posted Aug 19, 2021 19:13 UTC (Thu) by miquels (guest, #59247) (2 responses)

> Yes, I know that resolving exotic DNS records such as TXT was a very questionable thing at the time they made this decision.

If only web browsers had asked for SRV records from the start, then usage of SRV would be much more widespread and perhaps even mail servers would look at them. Oh well.

STARTTLS considered harmful

Posted Aug 19, 2021 21:35 UTC (Thu) by rodgerd (guest, #58896) (1 response)

There are a lot of what-ifs. What if the MX priority record had been generalised so that other protocols baked failover in, doing away with the pain of faking it with short TTLs and similar hackery?

STARTTLS considered harmful

Posted Aug 19, 2021 23:00 UTC (Thu) by tialaramex (subscriber, #21167)

There is more activity today in DNS because of DPRIVE and other work (which has the purpose of improving privacy, but the effect of reducing the impact of rusted-in-place "security" appliances) than we were seeing through say the 1990s or 2000s. SVCB and HTTPS records provide a much richer feature set than generalising MX, indeed the intention as I understand it is that HTTPS will contain enough information that your client can go from "I want https://clown-porn.example.com/" to a set of IPv4 or IPv6 addresses, TCP or UDP port numbers, keys to encrypt initial setup and a masking name like only-cats.example.com in a single DNS request so that it's then equipped to do an encrypted HTTP transaction to the URL you wanted, no further extra roundtrips.

The next generation happy eyeballs algorithms are trying to guess in advance whether to try say, IPv6 QUIC to server A or go with IPv4 TLS to server B or just do both and throw away whichever was slowest, learning from recent experience.

STARTTLS considered harmful

Posted Aug 21, 2021 14:29 UTC (Sat) by HenrikH (subscriber, #31152)

Try 465 first and then 25 if it fails would be open to MITM blocking just like STARTTLS, not to mention the added latency.
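The failure mode HenrikH describes, and the implicit-TLS-on-465 versus STARTTLS-on-25/587 distinction miquels lays out, as an added example that is not part of the thread: a small client-side policy model in which an on-path filter that blocks 465 and strips STARTTLS from the EHLO reply silently turns an opportunistic "try 465, fall back to 25" client into plaintext, while a client that requires TLS fails closed. The EHLO replies and the set of reachable ports are constructed inputs, not captured from any real server.

```python
# Added example, not from the LWN thread or any mail implementation.
# Models a client's transport decision; EHLO replies and reachable ports
# are constructed sample data standing in for a real network.
from dataclasses import dataclass

IMPLICIT_TLS_PORTS = {465}   # "submissions": TLS handshake before any SMTP
UPGRADE_PORTS = {25, 587}    # plaintext first, STARTTLS advertised in EHLO

# Constructed EHLO replies: one honest, one with STARTTLS removed by a filter.
EHLO_OK = """250-mx.example.net Hello client.example.org
250-SIZE 52428800
250-STARTTLS
250 8BITMIME"""
EHLO_STRIPPED = """250-mx.example.net Hello client.example.org
250-SIZE 52428800
250 8BITMIME"""


def parse_ehlo(response: str) -> set[str]:
    """Return the extension keywords in a 250 multi-line EHLO reply."""
    lines = [l.strip() for l in response.splitlines() if l.strip()]
    keywords = set()
    for line in lines[1:]:          # first 250 line is the greeting, not a keyword
        if line[:3] == "250" and line[4:].split():
            keywords.add(line[4:].split()[0].upper())
    return keywords


@dataclass
class Plan:
    port: int
    transport: str   # "implicit-tls", "starttls" or "plaintext"
    encrypted: bool


def plan_session(port: int, ehlo_response: str, require_tls: bool) -> Plan:
    """Decide how the session continues once connected to `port`.
    require_tls=False is opportunistic encryption: missing STARTTLS means
    plaintext. require_tls=True refuses instead of downgrading."""
    if port in IMPLICIT_TLS_PORTS:
        return Plan(port, "implicit-tls", True)   # TLS precedes EHLO; nothing to strip
    if "STARTTLS" in parse_ehlo(ehlo_response):
        return Plan(port, "starttls", True)
    if require_tls:
        raise RuntimeError(f"port {port}: no STARTTLS offered; refusing plaintext")
    return Plan(port, "plaintext", False)


def connect_with_fallback(reachable: set[int], ehlo: str, require_tls: bool) -> Plan:
    """'Try 465 first, fall back to 25'; `reachable` models what a filter lets through."""
    for port in (465, 25):
        if port in reachable:
            return plan_session(port, ehlo, require_tls)
    raise RuntimeError("neither 465 nor 25 reachable")
```

With both ports open the client lands on implicit TLS; with 465 blocked and STARTTLS stripped, the opportunistic client sends in the clear and the fail-closed one raises, which is the behaviour a submission client should have when the operator requires TLS as miquels' ISP does.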


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds