Viktor Dukhovni via Postfix-users wrote in
 <z3fpxpgjre7jz...@chardros.imrryr.org>:
 |On Sun, Dec 29, 2024 at 06:45:22AM +0100, Ralph Seichter via Postfix-users wrote:
 |> * Steffen Nurpmeso via Postfix-users:
 |>
 |>> there is this IETF draft which asks for support SMTPS (aka really,
 |>> now), that is Implicit TLS via dedicated port for SMTP.
 |>
 |> Are you referring to [1], i.e. your own draft? "Nenne Ross und Reiter." [Name names.]
 |>
 |> [1] https://datatracker.ietf.org/doc/draft-nurpmeso-smtp-tls-srv/02/
 |>
 |>> only one EHLO, no STARTTLS roundtrip.
 |>
 |> For the cost of an additional DNS lookup, plus the cost of setting up
 |> the necessary RR, plus the cost for opening another firewall port. I see
 |> only additional work and hassle, but neither gain nor advantage over the
 |> existing STARTTLS. The way I perceive it, this attempt to get rid of
 |> STARTTLS is a "solution" for an imaginary problem.
 |>
 |>> Jeremy Harris of course said that it will not become part of the
 |>> regular "codebase unless there is obvious community interest", and
 |>> so i am asking whether postfix would be interested in this.
 |>
 |> I am not interested, but of course I don't speak for Postfix or the
 |> community in general.
 |
 |I don't think this is the way forward. If you really want to go there,
 |then replace SRV with SVCB records, where additional keywords (rather
 |than odd port overloads) can convey protocol information such as TLS
 |support, perhaps also signal DANE support, ...

Definitely not, in my opinion. SVCB requires a completely different parser
and is open ended, whereas SRV is already implemented, and it could be
Wietse or you could get that SRV for also SMTP working in 15 minutes, or
maybe 30 with iteration and recheck. You do not need more than this SRV
that everybody else uses, too. And SVCB is in my not supported everywhere,
and i definitely will not change my hoster, as you say below, because of
that. Maybe one that restarts three mile island to gain its energy even.
If you can drive your own name server then nothing prevents bundling a
TLSA record when answering such a SRV for port 26, i would hope to be able
to think.

Btw why do you say "odd"? SRV has the possibility for port 0 ever since
it was created, yet port 0 never was a valid port. So to the contrary even
(hah!) we finally live it in full, what was only envisioned in the past.
If that isn't progress, i do not know. Of course you have been it who
messed it by placing dozens of MUST in your SMTP DANE RFC, including MUST
for TLS, but then continuing the use of STARTTLS!

The privileged ports are open anyway, i hate that i know but you do not
know shit regarding that "open another port on the firewall" by the way,
what nonsense that is .. the new draft asks for fixed port 26 so that
firewalls can apply a rigid policy on its misuse, i should have done that
from the beginning, i always failed to understand why no dedicated port
was offered to SMTPS, that is what was bogus from the start.

 |As for lack of DNSSEC and TLSA support from your current DNS provider,
 |you don't need to go self-hosted, just get yourself a better provider,
 |there are many to choose from.
 |
 | - one.com
 | - transip.nl
 | - ovh.net
 | - gandi.net
 | ...

They will come over with it at times. To say it in German, "Ich gehe
nicht über die Wupper" [I am not crossing the Wupper], where one of their
places is Wuppertal where this hm river flows. (And the meaning is that
this thing was so poisoning in the past that no one dared to cross it,
which is the saying. I could be mistaken here however.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
|In Fall and Winter, feel "The Dropbear Bard"s pint(er).
|
|The banded bear
|without a care,
|Banged on himself for e'er and e'er
|
|Farewell, dear collar bear
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
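The thread argues that SRV-based discovery of an implicit-TLS SMTP service on a fixed port is cheap to implement because the SRV record format and the RFC 2782 client selection rules already exist. The block below is an added example written for this page; it is not Postfix or Exim code and not text from the draft. It parses SRV RDATA from the DNS wire format, applies the RFC 2782 priority and weighted-random ordering (weight-0 records placed first, a lone target of "." meaning "service not offered"), and produces the (host, port) list a client would try. Assumptions: the owner name `_smtp-tls._tcp.example.net` is a placeholder, since the thread does not give the draft's actual SRV label; port 26 is the fixed port the thread mentions; `SAMPLE_RDATA`, `RRSET` and the deterministic `MaxRng` are constructed for the example.

```python
"""RFC 2782 SRV parsing and client-side ordering for an implicit-TLS SMTP
service. Added example, not Postfix/Exim code. Owner name
_smtp-tls._tcp.example.net is a placeholder; sample data is constructed."""
import random
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str  # fully qualified with trailing dot; "." means "no service"


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed length-prefixed labels (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:  # "." yields only the root terminator
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Parse an uncompressed name; RFC 2782 forbids compression in SRV targets."""
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not permitted in SRV target")
        if offset + length > len(data):
            raise ValueError("truncated label")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def parse_srv_rdata(rdata: bytes) -> SRV:
    """SRV RDATA: priority, weight, port (16-bit each) followed by the target."""
    if len(rdata) < 7:
        raise ValueError("SRV RDATA too short")
    priority, weight, port = struct.unpack("!HHH", rdata[:6])
    target, end = parse_name(rdata, 6)
    if end != len(rdata):
        raise ValueError("trailing bytes after SRV target")
    return SRV(priority, weight, port, target)


def encode_srv_rdata(rr: SRV) -> bytes:
    return struct.pack("!HHH", rr.priority, rr.weight, rr.port) + encode_name(rr.target)


def service_available(rrset: List[SRV]) -> bool:
    """RFC 2782: a single SRV whose target is '.' says the service is not offered."""
    return not (len(rrset) == 1 and rrset[0].target == ".")


def order_srv(rrset: List[SRV], rng=None) -> List[SRV]:
    """Lowest priority first; within a priority, weighted random selection
    with weight-0 records placed at the front of the pool (RFC 2782)."""
    rng = rng or random.Random()
    by_priority: Dict[int, List[SRV]] = {}
    for rr in rrset:
        by_priority.setdefault(rr.priority, []).append(rr)
    ordered: List[SRV] = []
    for priority in sorted(by_priority):
        pool = sorted(by_priority[priority], key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for i, rr in enumerate(pool):
                running += rr.weight
                if running >= pick:  # first record whose running sum reaches the pick
                    ordered.append(pool.pop(i))
                    break
    return ordered


class MaxRng:
    """Constructed deterministic stand-in for tests: always returns the upper bound."""
    def randint(self, a: int, b: int) -> int:
        return b


# Constructed wire-format RDATA for "10 20 26 mx1.example.net."
SAMPLE_RDATA = b"\x00\x0a\x00\x14\x00\x1a\x03mx1\x07example\x03net\x00"

# Constructed RRset for the placeholder owner _smtp-tls._tcp.example.net
RRSET = [
    SRV(20, 0, 26, "backup.example.net."),
    SRV(10, 10, 26, "mx1.example.net."),
    SRV(10, 0, 26, "mx0.example.net."),
    SRV(10, 20, 26, "mx2.example.net."),
]


def connection_plan(rrset: List[SRV], rng=None) -> List[Tuple[str, int]]:
    """(host, port) pairs in the order a client should open implicit-TLS connections."""
    if not service_available(rrset):
        return []
    return [(rr.target, rr.port) for rr in order_srv(rrset, rng)]


if __name__ == "__main__":
    print(parse_srv_rdata(SAMPLE_RDATA))
    for host, port in connection_plan(RRSET):
        print(f"connect to {host}:{port}, TLS from the first byte")
```

With a real RNG the order within priority 10 varies by weight; `MaxRng` makes the run deterministic so the selection path can be checked.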