On Mon, Jan 22, 2024 at 02:57:16PM -0500, Bill Cole via Postfix-users wrote:
> The reason implicit TLS isn't useful for SMTP (MTA-MTA) use is that port 25
> must always be backwards-compatible and so MUST start with a plaintext
> server greeting, NOT a TLS handshake. Establishing a new secure port would
> mean either every MTA trying to connect twice to sites that have yet to
> upgrade or we'd have to finally switch to SRV records for SMTPS, forcing
> every MTA to replace its whole DNS logic. Also, the info disclosure of
> MTA-MTA STARTTLS vs implicit TLS is less meaningful than it is for MUA-MTA,
> where it exposes end user info.

Perhaps, some day, someone will specify a SVCB profile for MTA-to-MTA SMTP,
and this could finally carry enough information to signal implicit TLS on a
suitable port. For now, there is little reason to go there; STARTTLS is quite
adequate for server-to-server SMTP.

--
Viktor.
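As an added illustration of the port-25 sequence the thread describes (plaintext greeting, EHLO, STARTTLS only if the peer advertises it), here is the client-side decision logic walked through against a scripted peer. This is example code, not anything from the thread or from Postfix; `ScriptedPeer` and the sample replies are constructed, and the `policy` values are an assumption that mirrors the Postfix `smtp_tls_security_level` names `may` and `encrypt`.

```python
# Constructed scripted peer: the reply lines a "server" sends, in order.
# Nothing touches the network; this only exercises the STARTTLS decision path.
class ScriptedPeer:
    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []  # commands the client issued, kept for inspection

    def readline(self):
        return self.replies.pop(0) if self.replies else ""

    def send(self, cmd):
        self.sent.append(cmd)


def read_reply(peer):
    """Collect one SMTP reply; '250-...' lines continue, '250 ...' ends it."""
    lines = []
    while True:
        line = peer.readline()
        if not line:
            raise ValueError("peer closed the connection")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines


def negotiate(peer, policy="may"):
    """Return 'tls', 'plaintext' or 'abort' for a port-25 session.

    policy (assumption, mirrors Postfix names): 'may' continues in cleartext
    when STARTTLS is not offered, 'encrypt' refuses to proceed without it.
    """
    # Port 25 always opens with a plaintext '220' greeting. A TLS record
    # (first byte 0x16) or anything else here is not an SMTP server.
    code, _ = read_reply(peer)
    if code != "220":
        return "abort"
    peer.send("EHLO client.example")
    code, lines = read_reply(peer)
    if code != "250":
        return "abort"
    # Capability keywords follow the '250-' / '250 ' prefix; skip the hostname line.
    caps = {l[4:].split()[0].upper() for l in lines[1:] if len(l) > 4}
    if "STARTTLS" in caps:
        peer.send("STARTTLS")
        code, _ = read_reply(peer)
        if code == "220":
            return "tls"  # a real client now wraps the socket in TLS and re-sends EHLO
    return "plaintext" if policy == "may" else "abort"


# Constructed sample conversations.
PEER_WITH_STARTTLS = ["220 mx.example.net ESMTP", "250-mx.example.net",
                      "250-STARTTLS", "250 8BITMIME", "220 2.0.0 Ready to start TLS"]
PEER_WITHOUT_STARTTLS = ["220 legacy.example.org ESMTP",
                         "250-legacy.example.org", "250 8BITMIME"]
```

With `policy="may"` the second peer is spoken to in cleartext, which is the fallback opportunistic STARTTLS implies; `policy="encrypt"` turns that into a refusal.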