Hi,

On Sun, 26 Jun 2022 15:52:56 +0200, Mark Elkins via Exim-users <exim-users@exim.org> wrote:

> urd 465/tcp smtps ssmtp # URL Rendesvous Directory
> for SSM / smtp protocol over TLS/SSL
> igmpv3lite 465/udp smtps ssmtp # IGMP over UDP for SSM
>
> submission 587/tcp # mail message submission
> submission 587/udp

Your (Gentoo's) services file is outdated; Debian has had this for some years already (10 Feb 2019 -- changelog):

    grep 465 /etc/services
    submissions 465/tcp ssmtp smtps urd # Submission over TLS [RFC8314]

If you want, you can report it to Gentoo; here is the related bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916633

> https://datatracker.ietf.org/doc/html/rfc8314#section-7.3 - it seems
> there is confusion over the use of this port. I've always assumed
> that some MTA clients may use port 465 - rather than using port 25.

Not MAY, they SHOULD (if they support it); 587 is a fallback for old clients only, and 25/tcp has been deprecated for MUAs for years...

> Users should then set SSL/TLS encryption on port 465? (which means me
> talking to all of them)

Sure, email them, phone them, meet them... And then wait some time (weeks, months, ...), then close 587... As I noted elsewhere, I haven't allowed client connections to 25 or 587 for at least two years...

First set up everything about port 465, then inform clients, of course. Doing it vice versa will only cause confusion.

> Would also love to know why then can we still run STARTTLS on port
> 587 - if it is so insecure? Just convert it to an immediate TLS, or
> even make both options (Immediate TLS and STARTTLS) available?

STARTTLS is not insecure, it is only less secure than implicit TLS. STARTTLS is still enough for inter-MTA connections (pure SMTP, not Submission) -- or, more precisely, better than nothing. But because a lot of people do not distinguish between SMTP and Submission (perhaps because Submission uses SMTP), a lot of confusion comes into play.

Beware, switching from 25/587 to 465 by itself doesn't stop AUTH or other attacks. Attackers are able to use TLS nowadays...

regards

-- 
Slavko
https://www.slavino.sk

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
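
An added example, not part of the original message: a small audit of a services(5) file that flags the stale port 465 naming discussed in the thread. The two sample files are constructed from the entries quoted above, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the two services files quoted in the thread.
OUTDATED = """\
urd             465/tcp   smtps ssmtp   # URL Rendesvous Directory for SSM
igmpv3lite      465/udp   smtps ssmtp   # IGMP over UDP for SSM
submission      587/tcp                 # mail message submission
submission      587/udp
"""
CURRENT = """\
submission      587/tcp                 # mail message submission
submissions     465/tcp   ssmtp smtps urd   # Submission over TLS [RFC8314]
"""

def parse_services(text):
    """Return {(port, proto): (name, [aliases])} from services(5) formatted text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        fields = line.split()
        m = re.fullmatch(r"(\d+)/(\w+)", fields[1]) if len(fields) > 1 else None
        if not m:
            continue                               # malformed line, skip it
        table[(int(m.group(1)), m.group(2).lower())] = (fields[0], fields[2:])
    return table

def audit_submission_ports(text):
    """List entries that disagree with the service names shown in the thread."""
    table = parse_services(text)
    expected = {(465, "tcp"): "submissions", (587, "tcp"): "submission"}
    findings = []
    for (port, proto), want in expected.items():
        got = table.get((port, proto))
        if got is None:
            findings.append(f"{port}/{proto}: no entry, expected '{want}'")
        elif got[0] != want:
            findings.append(f"{port}/{proto}: named '{got[0]}', expected '{want}'")
    return findings

if __name__ == "__main__":
    for label, text in (("outdated", OUTDATED), ("current", CURRENT)):
        print(label, audit_submission_ports(text) or "OK")
```

The check only covers naming in the services file; whether the MTA actually offers implicit TLS on 465 is a separate question of its own listener configuration.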