[Ach] Fwd: E-Mail Protocol Security Measurements
sebix at sebix.at
Tue Jul 28 22:29:01 CEST 2015
On 07/28/2015 09:21 PM, micah wrote:
> Aaron Zauner <azet at azet.org> writes:
>>> Maybe you should have a look at how many of the servers that support
>>> SMTPS do not support STARTTLS on port 25 (MTA) or 287 (MSA)? Or put
>>> differently: Is there still any valid reason to offer 465? According to
>>> my limited experience there isn't. But OTOH I do not run a big mail
>> 465 has been deprecated by IANA back a long time ago ('98 if I remember
>> correctly). You should use 587.
>> Implicit TLS is still a better choice than STARTTLS in my opinion
>> (stripping, filtering..).
> I don't understand why both XMPP and SMTP decided to go the route of
> deprecating tls-wrapped options and instead only do STARTTLS. This seems
> like a wrong approach.
> Even though 465 was deprecated by the IANA a long time ago, it's still
> widely used for wrapped TLS. In fact, I use it for that purpose because
> I don't want to support a downgrade attack STARTTLS option.
In either case you don't know if the other server supports it, if you
have never connected to that particular host. The problem is the same IMHO.
You can ask an authority (DNS or other lists), which server should
support SMTPS or STARTTLS. But then you have the authority problem like
One possibility is to remember what the server supported last time. A
similar approach to CertPatrol. But again that's no real solution.
Implementing/deploying TLS wrappers is easier than STARTTLS, yes.
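The "remember what the server supported last time" idea from the reply above, sketched as an added example (not code from the list or from any of its authors): a small STARTTLS-capability memory that parses EHLO replies and refuses to fall back to plaintext for a host that previously advertised STARTTLS. The host names, EHLO replies and the cache layout are constructed assumptions.

```python
"""STARTTLS-capability memory for an SMTP client (added example).

A host that once advertised STARTTLS is pinned; a later EHLO reply without
it is treated as stripping and refused instead of silently going plaintext.
The first contact with an unknown host is still unprotected, which is the
gap the thread points out.
"""
import re
from dataclasses import dataclass, field

# Constructed EHLO replies: the first advertises STARTTLS, the second is the
# same host after an on-path filter removed the capability line.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_STRIPPED = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def ehlo_capabilities(reply: str) -> set[str]:
    """Collect the keywords of a multi-line 250 EHLO reply (RFC 5321 4.1.1.1)."""
    caps = set()
    lines = reply.strip().splitlines()
    for line in lines[1:]:  # the first line is the greeting, not a keyword
        m = re.match(r"250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


@dataclass
class StarttlsMemory:
    # host -> whether STARTTLS was ever offered (assumed in-memory cache)
    seen: dict[str, bool] = field(default_factory=dict)

    def decide(self, host: str, reply: str) -> str:
        """Return the action for this EHLO reply, updating the pin store."""
        offered = "STARTTLS" in ehlo_capabilities(reply)
        previously = self.seen.get(host)
        if previously and not offered:
            return "refuse"  # pinned as TLS-capable: likely stripping, do not send
        if offered:
            self.seen[host] = True  # pin; never accept plaintext for it again
            return "starttls"
        if previously is None:
            self.seen[host] = False
            return "plaintext-first-contact"  # unknown host, nothing to compare to
        return "plaintext"
```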