SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]

Constantine A. Murenin mureninc at gmail.com
Sat Jan 12 02:48:21 UTC 2019


On Fri, 11 Jan 2019 at 20:01, William Herrin <bill at herrin.us> wrote:
>
> On Fri, Jan 11, 2019 at 5:52 PM Viruthagiri Thirumavalavan
> <giri at dombox.org> wrote:
> >> In addition, it bypasses all the security folks have built around the
> >> idea of blocking port 25 traffic from sources which should not be
> >> operating as mail servers. Let's not make the network less secure in
> >> the name of making it more so.
> >
> > I already addressed this issue in the "security considerations" section.
> >
> > > "Port 26 will be a secure alternative for Port 25. So Internet Service Providers are advised to take precautions to prevent email spam abuse. They are advised to block port 26, if necessary."
>
> While we're at it, let's deprecate IPv4 now that IPv6 is fully deployed.

100% agree.

If mx1.example.com is prefixed like ip6-smtps-mx1.example.com, then
mail should only be deliverable to the domain if all of ports 25, 26
and 27 support TLS with <blink>valid SSL</blink> certificates over
<blink><blink><big><big><big>IPv6</big></big></big></blink></blink>.

Why? Because I think there's too much confusion between the same ports
working on both IPv4 and IPv6, and with Happy-Eyeballs, no certainty
which protocol would be used; resulting in downgrade-to-IPv4 attacks
in certain situations.  For this reason, we should use port 27 in
order to guarantee that the connection will happen iff
(if-and-only-if) it can be established over IPv6, so that there's no
confusion.  We can then use port 26 to send out reports of mail being
undeliverable over IPv6 with TLS, and port 25 to send out bounces of
bounces, which still has to support opportunistic StartTLS, in case we
still get TLS errors on port 26 trying to deliver the bounces over
IPv4 over TLS.  Does this cover every possible scenario, or does
anyone think we gotta use a few more ports?

Hopefully, this'll teach folks like CogentCo to get their IPv6 peering
act together; especially if we get Google with Gmail and G Suite on
board, and Cogent will suddenly stop getting their mails from pretty
much all of their customers due to all the peering disputes with
pretty much the rest of the IPv6 internet.

I posted my proposal to the IPv6 zealots Slack channel.  I got very
good feedback there. Many support my proposal. Some are against it.

C.
