SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]

• Previous message (by thread): SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]
• Next message (by thread): SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 11 Jan 2019 at 22:51, Suresh Ramasubramanian
<ops.lists at gmail.com> wrote:
> Any place that has a TLS misconfig will pretty much notice it very quickly indeed

I disagree.

Plenty of evidence that Microsoft/Hotmail doesn't notice / doesn't
care.  Many people don't notice / don't care about Hotmail, either.

Gmail doesn't care either, because it'll be the small parties that'll
notice and would probably care.

> Opportunistic just means use TLS if it is advertised as available else continue encrypted.  Not sure why encountering a starttls negates it.

I'm pretty certain it's only in the TLS world where "opportunistic"
means to use it even if it doesn't actually work, just because it's
advertised as (potentially) available.

C.

[…]
> --srs
>
> ________________________________
> From: Constantine A. Murenin <mureninc at gmail.com>
> Sent: Saturday, January 12, 2019 10:08 AM
> To: Suresh Ramasubramanian
> Cc: nanog at nanog.org
> Subject: Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]
>
> On Fri, 11 Jan 2019 at 22:00, Suresh Ramasubramanian
> <ops.lists at gmail.com> wrote:
> > Most new MTA implementations over the past several years default to TLS with strong ciphers. So how much of a problem is low or no TLS right now?
>
> The real problem is that opportunistic StartTLS stops being
> opportunistic the minute you encounter a `STARTTLS` extension on
> `EHLO`.
>
> At that point and henceforth, TLS is pretty much 100% mandatory.
>
> What happens if there are SSL negotiation failures? I'll tell you
> what happens — the sender will receive a few bounces, X hours and Y
> days after sending the mail; recipient doesn't receive anything at
> all. (Unless, of course, one of the administrators would magically
> decide to change the SSL options in the meantime to be compatible, or
> to disable the "opportunistic" StartTLS to start with, before the
> final bounce gets generated by the MTA of the sender.)
>
> These problems are real. They're already happening today. StartTLS
> being "opportunistic" is a pretty big scam.
>
> C.

• Previous message (by thread): SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]
• Next message (by thread): SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]