Remote email access
Eliot Lear
lear at cisco.com
Fri Jan 31 03:25:05 UTC 2003

It's a rare day when I differ with Dave over mail standards, so
something's weird.

Dave Crocker wrote:
> Some current choices:
>
> Email standards provide for posting of email to the usual port 25 or to
> port 773 for the newer "submit" service. (Submit is a clone of SMTP that
> operates on a different port and is permitted to evolve independently of
> SMTP, in order to tailor posting by originators, differently from
> server-to-server email relaying.) There is also a de facto standard for
> doing SMTP over SSL on port 465, although this collides with the IANA
> assignment of that port to another service.

The submission port, according to IANA, is 587. I'm not a fan. I also
think experience has shown that it is POSSIBLE to protect port 25
appropriately. It's just a matter of doing it...
See http://www.iana.org/assignments/port-numbers

>
> Standardized SMTP authentication uses the SMTP Auth command or the SASL
> service within SMTP. It can also use the de facto "POP hack". All 3 of
> these mechanisms are inline -- as part of the posting protocol -- so
> that they work over whatever port is being used for posting.
>
> Standardized privacy for SMTP uses SMTP over SSL or it uses SMTP with
> SASL. SASL can be used on any SMTP or Submit port. SSL can only be
> used on port 25 if the SMTP service is not available to other SMTP
> servers for relaying (or, really, for last-hop SMTP delivery).

Although Dave is correct about SSL, RFC 3207 discusses the use of TLS
for purposes of encryption AND authentication. I use this for my own
sendmail. The biggest problem is ensuring that appropriate certificates
are installed. Most of the common MUAs I tested have a way to do it,
but it's messy (to say the least).

Eliot
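
Added example, not part of the original post or of either author's configuration: a small offline check of what a submission server advertises in its EHLO replies before and after the RFC 3207 STARTTLS upgrade discussed above. The host name mail.example.net, the function names and the transcripts are constructed for illustration.

```python
# Audit SMTP EHLO replies for STARTTLS (RFC 3207) and cleartext AUTH exposure.
# All transcripts below are constructed samples, not captured traffic.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that send the password itself

def parse_ehlo(reply):
    """Parse a multiline 250 EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    lines = [l for l in reply.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError("unexpected reply line: %r" % line)
        if i == 0:
            continue  # first line carries the server's domain, not a keyword
        words = text.split()
        if not words:
            continue
        # Some servers also emit the legacy "AUTH=LOGIN PLAIN" form.
        key, _, first = words[0].partition("=")
        params = ([first] if first else []) + words[1:]
        caps[key.upper()] = [p.upper() for p in params]
    return caps

def audit(before_tls, after_tls=None):
    """Return a list of findings for the pre-TLS and (optional) post-TLS EHLO."""
    findings = []
    pre = parse_ehlo(before_tls)
    if "STARTTLS" not in pre:
        findings.append("no STARTTLS offered: session cannot be encrypted")
    exposed = PLAINTEXT_MECHS & set(pre.get("AUTH", []))
    if exposed:
        findings.append("AUTH %s offered before TLS: password exposed on the wire"
                        % ",".join(sorted(exposed)))
    if after_tls is not None:
        post = parse_ehlo(after_tls)
        if "STARTTLS" in post:
            findings.append("STARTTLS advertised again inside TLS (RFC 3207 forbids it)")
        if "AUTH" not in post:
            findings.append("no AUTH after TLS: clients cannot authenticate")
    return findings

GOOD_PRE = "250-mail.example.net\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
GOOD_POST = "250-mail.example.net\n250-PIPELINING\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
WEAK_PRE = "250-mail.example.net\n250-AUTH LOGIN PLAIN\n250 8BITMIME"

if __name__ == "__main__":
    for name, args in (("good", (GOOD_PRE, GOOD_POST)), ("weak", (WEAK_PRE,))):
        print(name, audit(*args) or "ok")
```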