On Fri, 21 May 2010 15:26:33 -0400 Phil Howard <ttip...@gmail.com> wrote:

> On Fri, May 21, 2010 at 14:48, Matt Hayes <domin...@slackadelic.com> wrote:
>
> > On 5/21/2010 2:33 PM, Phil Howard wrote:
> >
> > > I'm trying to find out what port is to be used with "always on"
> > > SSL/TLS (e.g. no STARTTLS command needed, it just does SSL/TLS
> > > once the TCP connection is made, which I understand
> > > smtpd_tls_wrappermode=yes will do), and the RFCs are coming up
> > > empty. I thought it was 587. But RFC4409 doesn't say if this
> > > is, or is not, SSL/TLS. Some mail clients are using 465 by
> > > default, but that isn't even official for anything email
> > > related. Anyone know where this port 465 came from? RFC4409
> > > seems to just be about doing authentication to allow submission
> > > (e.g. submission protocol, smtp with authentication added). We
> > > definitely need to have a port running with "always on" SSL/TLS
> > > so certain access rules can be enforced at firewalls (that I
> > > seriously doubt can be easily made to verify that STARTTLS gets
> > > used). In theory, this would be the same as if I used stunnel
> > > listening on (probably) 587 and reconnecting back to [::1]:25
> > > (aside from losing the ability to do any connection peer IP
> > > address checks).
> >
> > Well, you can put SSL/TLS on any port really. Submission being 587,
> > pop3s being 995, smtps being 465.. which ports are you wanting
> > SSL/TLS on?
>
> I want it on a non-conflicting port, or at least one I know I won't
> ever use (which is pretty much the null set).
>
> According to ftp://ftp.iana.org/assignments/port-numbers port 465 is
> assigned to something else:
>
> # Theodore Ts'o <tytso*MIT.EDU>
> urd             465/tcp    URL Rendesvous Directory for SSM
> igmpv3lite      465/udp    IGMP over UDP for SSM
>
> So that leaves me with:
>
> # Jon Postel <postel*isi.edu>
>                 24/tcp     any private mail system
>                 24/udp     any private mail system
> # Rick Adams <rick*UUNET.UU.NET>
> smtp            25/tcp     Simple Mail Transfer
> smtp            25/udp     Simple Mail Transfer
>
> and:
>
> submission      587/tcp    Submission
> submission      587/udp    Submission
>
> It does look like these:
>
> # Vera Heinau <heinau*fu-berlin.de>
> # Heiko Schlichting <heiko*fu-berlin.de>
> telnets         992/tcp    telnet protocol over TLS/SSL
> telnets         992/udp    telnet protocol over TLS/SSL
> imaps           993/tcp    imap4 protocol over TLS/SSL
> imaps           993/udp    imap4 protocol over TLS/SSL
> ircs            994/tcp    irc protocol over TLS/SSL
> ircs            994/udp    irc protocol over TLS/SSL
> # Christopher Allen <ChristopherA*consensus.com>
> pop3s           995/tcp    pop3 protocol over TLS/SSL (was spop3)
> pop3s           995/udp    pop3 protocol over TLS/SSL (was spop3)
>
> and a few others are clearly over TLS/SSL (and not just STARTTLS as an
> option). Since port 25 must stay clear for acceptance of (insecure)
> mail exchange, at least it could use STARTTLS (why not?). So I
> wasn't expecting that submission (starting in the clear) would need a
> separate port (e.g. its current standard of 587 ... and apparently
> not over TLS/SSL).
>
> There seems to not be enough ports, if submission and/or STARTTLS are
> more than just mere extensions to SMTP.
>
> I guess I can use port 24?

465 is for SMTP over SSL, which is deprecated.

-- John
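The thread turns on two different ways of getting TLS onto a submission port: "always on" (the TLS handshake begins right after the TCP handshake, so a firewall can pin the port to encrypted traffic) versus STARTTLS (the session starts in the clear and is upgraded, which only the SMTP server itself can enforce). The master.cf excerpt below is an added example, not configuration posted in this thread; it assumes Postfix with SASL already set up in main.cf and uses only standard Postfix service and option names. For context on John's closing remark: at the time of this 2010 thread port 465 was not registered for mail, but IANA has since assigned it as "submissions" (RFC 8314, 2018), so the wrappermode service on 465 is now the standard choice rather than a deprecated one.

```conf
# master.cf excerpt (added example; assumes SASL is configured in main.cf).
# Columns: service type private unpriv chroot wakeup maxproc command + args

# Port 465: "always on" TLS. smtpd_tls_wrappermode=yes makes Postfix expect
# a TLS ClientHello immediately on connect, so the port never carries
# plaintext SMTP and a firewall/stunnel-style rule can pin it to TLS without
# parsing SMTP at all.
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Port 587: RFC 4409 submission. The session starts in the clear, so the
# server must enforce the upgrade itself: security_level=encrypt rejects
# AUTH and MAIL FROM until STARTTLS has completed. This is exactly the check
# a firewall cannot perform.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Port 25 stays plaintext-capable for MX-to-MX delivery; opportunistic
# STARTTLS for it belongs in main.cf (smtpd_tls_security_level = may).
smtp      inet  n       -       n       -       -       smtpd
```

After `postfix reload`, the two ports are verified differently from the client side, which is the whole point of the distinction: `openssl s_client -connect host:465` must succeed with no SMTP banner before the handshake, while 587 needs `openssl s_client -starttls smtp -connect host:587`, and an AUTH attempt on 587 before STARTTLS should be refused by the `encrypt` setting. The separate `syslog_name` values let the two services be told apart in the mail log, which is useful when writing detection rules for authentication failures per port.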