On Fri, May 21, 2010 at 18:03, mouss <mo...@ml.netoyen.net> wrote:
> if you mean "wrapper mode ssl" (aka smtps), then
> $ grep smtps /etc/services
> ssmtp 465/tcp smtps # SMTP over SSL
>
> this is non standard. but it's used by outlook and by other "people".
>
> in the old days, people kept adding new ports for SSL (http -> https,
> ftp -> ftps, foo -> foos). while this was "simple", it creates its own
> set of problems. so that approach was replaced by providing security
> "inside" the protocol, instead of relying on an additional and
> independent layer. so the standard for smtp is to use the STARTTLS
> command. only use the old "smtps" as a compatibility mode (that you
> discourage as much as you can).
Is it the case that 465 once was assigned as smtps and later retracted and re-assigned differently? Or was it never official at all and the /etc/services file you have isn't just an old one, but an unofficial one? I get mine from IANA and 465 is assigned differently.

There are "wrapper mode ssl" ports for a few other services. Probably most known is https (443). Others include nntps (563), ldaps (636), telnets (992), pop3s (995). And imap seems to have 2 variants ... imaps (993) and an apparently older deprecated imap4-ssl (585) (this is in the IANA copy).

So are these protocols somehow different in that they need a wrapper mode, even though, in theory, some form of STARTTLS could work on at least some of them?

Personally, I think what should have been done was to create a whole new transport protocol in peer with TCP, call it something that merges TCP with TLS, assign it a new protocol number (like TCP has protocol 6 and SCTP has protocol 132), and define it to function like TCP for IP, but everything that uses it is "wrapper mode" TLS. Of course, that would have required a lot of development at the system level to get going, whereas wrapper mode as it is done now is just an add-on in user space.
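To make the distinction the two posts are arguing about concrete, here is an added example (not code from either poster, not from any MTA) showing the client-side decision between wrapper-mode TLS and in-protocol STARTTLS. Wrapper mode (465 and the other ports listed above) means the TLS handshake happens before the first SMTP byte; STARTTLS mode means the client talks plaintext EHLO first and learns from the server's reply whether it may upgrade. The port table, the EHLO replies and the function names (`tls_mode_for_port`, `parse_ehlo_reply`, `plan_tls`) are all constructed for this illustration; the EHLO reply format follows RFC 5321 (`250-` for continuation lines, `250 ` for the last line) and the "discard EHLO state and re-EHLO after STARTTLS" rule follows RFC 3207.

```python
"""Added example: choosing between wrapper-mode TLS and STARTTLS for SMTP.

Hypothetical helper code written for this discussion; not from any poster or
from a real mail server. The server replies below are constructed samples.
"""
import re
from typing import Optional, Set

# Wrapper-mode ("implicit TLS") ports named in the thread: TLS is negotiated
# first, and the application protocol only starts inside the TLS session.
WRAPPER_PORTS = {
    465: "smtps", 443: "https", 563: "nntps", 636: "ldaps",
    992: "telnets", 993: "imaps", 995: "pop3s", 585: "imap4-ssl",
}


def tls_mode_for_port(port: int) -> str:
    """'implicit' for a wrapper-mode port, 'starttls' for everything else."""
    return "implicit" if port in WRAPPER_PORTS else "starttls"


_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo_reply(reply: str) -> Set[str]:
    """Parse a multi-line EHLO reply into the set of advertised keywords.

    Line i < last must be '250-...'; the last line must be '250 ...'.
    The first line carries the server's domain, not a capability.
    Raises ValueError on any non-250 code or malformed continuation.
    """
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    caps: Set[str] = set()
    for i, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        is_last = i == len(lines) - 1
        if (m.group(2) == "-") == is_last:
            raise ValueError(f"bad continuation marker on line: {line!r}")
        words = m.group(3).split()
        if i == 0 or not words:
            continue
        caps.add(words[0].upper())
    return caps


def plan_tls(port: int, ehlo_reply: Optional[str] = None,
             require_tls: bool = True) -> str:
    """Decide what the client does next.

    - wrapper port: TLS handshake first, then SMTP ("handshake-then-smtp")
    - STARTTLS advertised: send STARTTLS ("send-STARTTLS")
    - STARTTLS absent and require_tls: refuse rather than continue in the clear
    - STARTTLS absent and not require_tls: plaintext session ("plaintext")
    """
    if tls_mode_for_port(port) == "implicit":
        return "handshake-then-smtp"
    if ehlo_reply is None:
        raise ValueError("STARTTLS mode needs the EHLO reply to decide")
    if "STARTTLS" in parse_ehlo_reply(ehlo_reply):
        return "send-STARTTLS"
    if require_tls:
        raise RuntimeError("server did not advertise STARTTLS; refusing plaintext")
    return "plaintext"


def after_starttls_reply(reply: str) -> str:
    """After 'STARTTLS', a 220 means: handshake now, forget everything learned
    from the plaintext EHLO, and send EHLO again inside TLS (RFC 3207)."""
    code = reply[:3]
    if code == "220":
        return "handshake-then-rehlo"
    raise RuntimeError(f"STARTTLS refused with reply {reply.strip()!r}")


# Constructed sample replies (not captured from any real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250 SIZE 10240000\r\n"
)

if __name__ == "__main__":
    print("port 465:", plan_tls(465))
    print("port 587:", plan_tls(587, EHLO_WITH_STARTTLS))
    print("after STARTTLS:", after_starttls_reply("220 2.0.0 Ready to start TLS\r\n"))
    try:
        plan_tls(25, EHLO_WITHOUT_STARTTLS)
    except RuntimeError as exc:
        print("port 25, no STARTTLS:", exc)
```

The `require_tls=True` default is the part a defender cares about: in STARTTLS mode the upgrade is advertised in a plaintext reply, so a client that quietly continues when the keyword is missing ends up sending mail in the clear; failing closed keeps the in-protocol approach at least as safe as the wrapper-mode port it replaced.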