[69554] in North American Network Operators' Group


Re: Lazy network operators

daemon@ATHENA.MIT.EDU (Joe Abley)
Wed Apr 14 10:16:37 2004

In-Reply-To: <c5irk3$pmq$1@news.cistron.nl>
Cc: nanog@merit.edu
From: Joe Abley <jabley@isc.org>
Date: Wed, 14 Apr 2004 10:07:30 -0400
To: "Miquel van Smoorenburg" <miquels@cistron.nl>
Errors-To: owner-nanog-outgoing@merit.edu
On 14 Apr 2004, at 04:09, Miquel van Smoorenburg wrote:

> That was solved 6 years ago. You let them use port 587 instead of 25.
> http://www.faqs.org/rfcs/rfc2476.html

There's a slight wrinkle with that for people who want to submit mail 
over SSL.

Several graphical, consumer-grade mail clients let you select a port 
for "outgoing mail (SMTP)" and also have a checkbox for "use a secure 
connection (SSL)".

If (port == 25 && use_ssl) the client will EHLO to 25/tcp, and will 
attempt to use STARTTLS in order to encrypt the session.

If (port != 25 && use_ssl) the client will assume an SSL-wrapped SMTP 
server on the other end, and will not use STARTTLS.

If (port != 25 && !use_ssl) the client will assume a non-SSL-wrapped 
SMTP server, and will not use STARTTLS.

This provides an operational/support issue for people running mail 
servers who want to support both SSL and also non-encrypted mail 
submission for their clients. It's an implementation problem in mail 
clients, not a protocol issue, but since it sounds like it might make 
the helpdesk phone ring, I thought I'd mention it.
Joe
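The port/SSL heuristic from the post and the support problem it creates, modelled as an added example (not code from the message or from any mail client); the server profile is constructed, and it assumes an operator offering optional STARTTLS on 25 and 587 and nothing else.

```python
from enum import Enum

class ClientMode(Enum):
    STARTTLS = "EHLO in clear, then STARTTLS"
    IMPLICIT_TLS = "TLS handshake first, SMTP inside"
    PLAINTEXT = "EHLO in clear, no TLS"

class ServerMode(Enum):
    STARTTLS_OPTIONAL = "plain SMTP banner, STARTTLS advertised"
    IMPLICIT_TLS = "expects TLS ClientHello before any SMTP"
    PLAINTEXT_ONLY = "plain SMTP banner, no STARTTLS"

def client_mode(port, use_ssl):
    """The three branches from the post: only port 25 + SSL yields STARTTLS."""
    if use_ssl:
        return ClientMode.STARTTLS if port == 25 else ClientMode.IMPLICIT_TLS
    return ClientMode.PLAINTEXT

def outcome(client, server):
    """Does the session come up, and what does the user actually get?"""
    if client is ClientMode.IMPLICIT_TLS:
        if server is ServerMode.IMPLICIT_TLS:
            return True, "encrypted"
        # Client sends a TLS ClientHello; server answers with a plain
        # "220 ..." banner, so the handshake fails and the helpdesk phone rings.
        return False, "client expected SSL-wrapped SMTP, got plaintext banner"
    if server is ServerMode.IMPLICIT_TLS:
        # Client's cleartext EHLO is not a TLS record; server rejects it.
        return False, "server expected TLS first, got cleartext EHLO"
    if client is ClientMode.STARTTLS:
        if server is ServerMode.STARTTLS_OPTIONAL:
            return True, "encrypted"
        return False, "STARTTLS not offered"
    return True, "cleartext"

def support_matrix(server_ports):
    """Every (port, use_ssl) checkbox combination against the server's ports."""
    return {(p, s): outcome(client_mode(p, s), mode)
            for p, mode in server_ports.items() for s in (False, True)}

# Constructed profile: an operator offering optional STARTTLS on both 25 and
# the RFC 2476 submission port 587, and nothing else.
OPERATOR = {25: ServerMode.STARTTLS_OPTIONAL, 587: ServerMode.STARTTLS_OPTIONAL}

if __name__ == "__main__":
    for (port, ssl), (ok, why) in support_matrix(OPERATOR).items():
        print(f"port={port} ssl={ssl}: {'OK  ' if ok else 'FAIL'} {why}")
```

The matrix shows the case the post warns about: the only combination that fails is "port 587 + use SSL", because the client never tries STARTTLS there.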