> On Nov 1, 2018, at 3:48 PM, Alice Wonder <al...@domblogger.net> wrote:
> 
> Maybe better, I do not know. I do not know the right place to recommend this, I 
> hope it is not too out of place here.
> 
> Opportunistic TLS is a concept I do not like. DANE fixes the issues for 
> system admins willing to implement DNSSEC and add a TLSA record but it seems 
> many are not, so MTA-STS was invented.

Opportunistic TLS is highly effective at reducing opportunities for
passive monitoring.  It is good to do better when possible, and both
DANE and (less effectively) MTA-STS tackle active attacks, but do not
knock opportunistic TLS, it has achieved considerable privacy gains.

> A better solution is to bring back Port 465 and SMTPS.

Port 465 is back, but for SUBMIT, not for MTA-to-MTA SMTP, and
that's not going to change.  Sorry.

If we could reliably know which MTAs support your proposal and
which domains have which MTAs, we would not need DANE or MTA-STS.

Just conjuring up another port does nothing to address the fundamental
issues.  There's not going to be an SMTP flag day when everyone switches
to mandatory TLS at the same time.  Nor will MX records magically become
resistant to MiTM in the absence of DNSSEC.

My advice is to accept the current state as a transitional phase to
potentially more secure email in a decade or so from now.

-- 
        Viktor.
