[Ach] Fwd: E-Mail Protocol Security Measurements

Pepi Zawodsky pepi.zawodsky at maclemon.at
Tue Jul 28 13:20:45 CEST 2015


> On 28 Jul 2015, at 11:11, Dahlberg, David <david.dahlberg at fkie.fraunhofer.de> wrote:
> ACH gives SMTPS configuration examples only for exim, but not for
> Postfix.
I’ll see what I can do to improve that.


> If it could be proved that there are indeed no MTAs that
> support 465, but no 25/STARTTLS, I would recommend removing 465 from
> the exim config.
465/tcp is an _unofficial_ port used for SMTP with implicit TLS rather than STARTTLS. While that has benefits, it’s mostly ignored in my experience. I haven’t seen any default configs where that is still enabled; if it is configured at all, it is commented out.


Azet and I talked about this recently, and this is about the conclusion we came to. Azet, please correct me should I have made a mistake in concluding.

Forcing STARTTLS over 25 for MTAs is the only way we can improve this situation in the short term. That requires the common large email providers to require it by a certain date. Unless we see companies like Google/Gmail, GMX, United Internet (Web.de), Yahoo!, Microsoft Live Email (Hotmail), Apple (iCloud) and Facebook require it, I don’t have any hope of raising that to a global requirement, since everyone must play with them.

Best regards
Pepi
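Added example (not part of the original message or of the ACH document, and not Pepi's or Azet's own configuration): a Postfix counterpart to the exim SMTPS example the thread says is missing, showing the three settings the message discusses side by side: implicit TLS on 465/tcp, opportunistic STARTTLS on 25/tcp, and per-destination mandatory TLS for outbound mail. Certificate paths, host names and the domains in the policy map are placeholders chosen for illustration.

```conf
# Added example, not from the original thread. Paths and domains are assumed.

# ---- /etc/postfix/master.cf ----------------------------------------------
# service   type  private unpriv  chroot  wakeup  maxproc command + args
smtp        inet  n       -       n       -       -       smtpd
# 465/tcp: implicit TLS ("SMTPS"). The TLS handshake precedes any SMTP
# command, so there is no plaintext phase and no STARTTLS to strip.
smtps       inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

# ---- /etc/postfix/main.cf ------------------------------------------------
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem   # assumed path
smtpd_tls_key_file  = /etc/ssl/private/mail.example.org.key # assumed path

# Inbound on 25/tcp: offer STARTTLS opportunistically ("may").
# Do not set "encrypt" here on a public MX: RFC 3207 forbids a publicly
# referenced server from requiring STARTTLS, and peers without TLS would
# bounce instead of delivering.
smtpd_tls_security_level = may
# Never accept AUTH on a plaintext session.
smtpd_tls_auth_only = yes
# Record protocol and cipher in the Received: header so that whether a hop
# was encrypted can be checked afterwards.
smtpd_tls_received_header = yes

# Outbound: opportunistic STARTTLS by default ...
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# ... and mandatory TLS for selected peers. This is the "force STARTTLS
# over 25" step the message argues for, applied per destination domain.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# ---- /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy") -----
# Placeholder domains. "encrypt": TLS is required but the certificate is not
# verified, which stops passive eavesdropping only. "secure": the certificate
# must also chain to a trusted CA and match the listed name(s).
example.net     encrypt
example.com     secure match=mail.example.com
```

After `postfix reload`, check each listener from the outside: `openssl s_client -starttls smtp -connect mail.example.org:25` should show `250 STARTTLS` in the EHLO reply before the handshake, while `openssl s_client -connect mail.example.org:465` should negotiate TLS immediately with no SMTP banner first. The weakness the message points at is visible in the `may` lines: an active attacker who strips `STARTTLS` from the 25/tcp EHLO response silently downgrades the session, which is why the policy map (or a provider-wide requirement) is needed to actually enforce encryption.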