SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]

• Previous message (by thread): 2019-01-11 ARIN.NET DNSSEC Outage – Post-Mortem (was: Re: ARIN NS down?)
• Next message (by thread): SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello NANOG, Belated new year wishes.

I would like to gather some feedback from you all.

I'm trying to propose two things to the Internet Standard and it's related
to SMTP.

(1) STARTTLS downgrade protection in a dead simple way

(2) SMTPS (Implicit TLS) on a new port (26). This is totally optional.

I posted my proposal in IETF mailing list. I got very good feedback there.
Some support my proposal. Many are against it.

I would love to know where you stand on this proposal. Let me give you the
abstract first.

-----

SMTP is still suffering from downgrade attacks like STRIPTLS. While we have
"Opportunistic TLS", we still don't have "Implicit TLS" in the SMTP.

Don't take this in the wrong way. We do have "Implicit TLS" for "SMTP
Submission" on port 465. But we don't have a secure port 25 alternative.
i.e. The real SMTPS

Both MTA-STS and MTA-DANE tries to fix the STARTTLS downgrade issue.
However the implementation is not simple. The former requires a HTTPS
server and the latter requires DNSSEC to even get started.

This proposal fixes STARTTLS downgrade issue and propose a new port 26, an
"Implicit TLS" alternative for port 25 and recommends the MX server to
signal the port via a prefix.

This proposal offers two ways.

(1) STARTTLS Prefix

Use this prefix only to deal with STARTTLS downgrade issue.

e.g. mx1.example.com should be prefixed like starttls-mx1.example.com.

Where "starttls-" says "Our port 25 supports Opportunistic TLS. So if
STARTTLS command not found in the EHLO response or certificate is invalid,
then drop the connection".

(2) SMTPS Prefix

Use this prefix if you wanna support Implicit TLS on port 26 and
Opportunistic TLS on port 25.

e.g. mx1.example.com should be prefixed like smtps-mx1.example.com.

Where "smtps-" says "We prefer if you connect to our SMTPS in port 26. But
we also accept mails in port 25. And our port 25 supports Opportunistic
TLS. So if STARTTLS command not found in the EHLO response or certificate
is invalid, then drop the connection".

In "starttls-" prefix port 25 *MUST* support encryption with *valid SSL*
certificates.

In "smtps-" prefix, *BOTH* port 26 and port 25 *MUST* support encryption
with *valid SSL* certificates.

Note: You need to enable DNSSEC to prevent MX record spoofing. My proposal
highly recommends DNSSEC. Not mandates that.

-------

What IETF Mailing list thinks? - "Implicit TLS doesn't offer any additional
security than a downgrade protected STARTTLS. Let's not waste a port."

What I think? - Implicit TLS still fall under the "best practices". So it
will send out the positive vibe that IETF still cares about email security.

What the world thinks? -
https://gist.github.com/mistergiri/138fc46ae401b7492662a32409edb07f

What do you all think? -
https://medium.com/@dombox/smtp-over-tls-on-port-26-efc67e8a99ce

-- 
Best Regards,

Viruthagiri Thirumavalavan
Dombox, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20190111/b0461dc8/attachment.html>

• Previous message (by thread): 2019-01-11 ARIN.NET DNSSEC Outage – Post-Mortem (was: Re: ARIN NS down?)
• Next message (by thread): SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]