[Ach] Fwd: E-Mail Protocol Security Measurements

Hanno Böck hanno at hboeck.de
Tue Jul 28 22:47:49 CEST 2015


On Tue, 28 Jul 2015 15:21:54 -0400
micah <micah at riseup.net> wrote:

> I don't understand why both XMPP and SMTP decided to go the route of
> deprecating TLS-wrapped options and instead only do STARTTLS. This
> seems like a wrong approach.
> Even though 465 was deprecated by the IANA a long time ago, it's still
> widely used for wrapped TLS. In fact, I use it for that purpose
> because I don't want to support a downgrade attack STARTTLS option.

I tried to check whether I could deprecate the old ports on my servers
and at some point decided that the deprecation basically is not
happening. I don't have the exact versions, but some Outlook version
(maybe even the latest) that I didn't expect to be deprecated any time
soon only spoke the old ports (not sure if that was for SMTP, POP3 or

And I agree: They're basically the better solution. As I don't see
anyone *really* deprecating the old ports I decided for myself that
I'll just stick with them.

STARTTLS is risky, because there are mail apps out there that will by
default use "STARTTLS if available". That means they'll do STARTTLS,
but if the server doesn't support it they'll happily fall back to plain
text. It's on my "interesting project I could do at some point" list to
check how well-known mail client apps behave if you configure a
STARTTLS connection and then suddenly disable support on the server.
If anyone wants to take that project feel free :-)

Hanno Böck

mail/jabber: hanno at hboeck.de
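The downgrade Hanno describes, modelled end to end as an added example (this is not code from the thread or from any mail client; the EHLO greeting, the "stripping" step and the two client policies are constructed in-memory models, and nothing touches the network). The point it makes concrete: once STARTTLS is missing from the EHLO reply, the client cannot distinguish "server operator turned it off" from "someone on the path removed the line", so only the client's own policy decides whether credentials go out in clear text.

```python
"""Model of the STARTTLS downgrade problem discussed in the thread.

Added illustration, not code from the mailing-list thread. The server
greeting, the stripping step and the two client policies are hypothetical
in-memory models; no network traffic is generated.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed EHLO reply, shaped like a real submission server's (RFC 5321:
# "250-" continues the reply, "250 " ends it; the first line is the greeting).
SERVER_EHLO = [
    "250-mail.example.test Hello client.example.test",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250 HELP",
]


def parse_ehlo(reply: List[str]) -> List[str]:
    """Return the extension keywords advertised in an EHLO reply."""
    if not reply or not all(line.startswith("250") for line in reply):
        raise ValueError("malformed EHLO reply")
    if not reply[-1].startswith("250 ") or any(l.startswith("250 ") for l in reply[:-1]):
        raise ValueError("EHLO reply wrongly terminated")
    return [line[4:].split()[0].upper() for line in reply[1:] if line[4:].strip()]


def without_starttls(reply: List[str]) -> List[str]:
    """Drop the STARTTLS line and re-terminate the reply so it stays well-formed.

    The same bytes result whether the operator disabled STARTTLS or an
    on-path attacker stripped it; the client cannot tell the two apart.
    """
    kept = [line[4:] for line in reply if not line[4:].upper().startswith("STARTTLS")]
    return ["250-" + body for body in kept[:-1]] + ["250 " + kept[-1]]


@dataclass
class Outcome:
    action: str                      # "tls", "plaintext" or "abort"
    transcript: List[str] = field(default_factory=list)


def client_session(reply: List[str], require_tls: bool) -> Outcome:
    """Run the client side of the EHLO/STARTTLS decision.

    require_tls=True models a client configured as "STARTTLS, required";
    require_tls=False models the "STARTTLS if available" default Hanno warns about.
    """
    log = ["C: EHLO client.example.test"] + ["S: " + line for line in reply]
    if "STARTTLS" in parse_ehlo(reply):
        log += ["C: STARTTLS",
                "S: 220 2.0.0 Ready to start TLS",
                "-- TLS handshake; client re-sends EHLO inside the tunnel --"]
        return Outcome("tls", log)
    if require_tls:
        log += ["C: QUIT   (STARTTLS not offered; refusing plaintext)"]
        return Outcome("abort", log)
    log += ["C: AUTH PLAIN ...   (credentials now cross the wire in clear)"]
    return Outcome("plaintext", log)


def run_matrix() -> Dict[Tuple[str, str], str]:
    """Exercise both client policies against a normal and a stripped greeting."""
    scenarios = {"starttls-offered": SERVER_EHLO,
                 "starttls-stripped": without_starttls(SERVER_EHLO)}
    policies = {"required": True, "if-available": False}
    return {(name, policy): client_session(reply, strict).action
            for name, reply in scenarios.items()
            for policy, strict in policies.items()}


if __name__ == "__main__":
    for (scenario, policy), action in run_matrix().items():
        print(f"{scenario:18} {policy:13} -> {action}")
```

Running it prints the four combinations; the only row that ends in "plaintext" is the "if-available" client against the stripped greeting, which is exactly the fallback behaviour the message warns about. For a real client check, Python's own smtplib behaves like the strict model: `SMTP.starttls()` raises `SMTPNotSupportedError` when the server did not advertise STARTTLS instead of silently continuing. The implicit-TLS ports micah prefers sidestep the whole question, since the TLS handshake happens before any SMTP line is exchanged and there is no plaintext EHLO reply for anyone to rewrite.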