Phil,

Please respond here and not from your regular account.. I neglected to
hit reply to list!

Well, you can put SSL/TLS on any port really. Submission being 587,
pop3s being 995, smtps being 465.. which ports are you wanting SSL/TLS on?

-Matt

I want it on a non-conflicting port, or at least one I know I won't ever use
(which is pretty much the null set).

According to *ftp://ftp.iana.org/assignments/port-numbers* port 465 is
assigned to something else:

# Theodore Ts'o <tytso*MIT.EDU>
urd 465/tcp URL Rendesvous Directory for SSM
igmpv3lite 465/udp IGMP over UDP for SSM

So that leaves me with:

# Jon Postel <postel*isi.edu>
24/tcp any private mail system
24/udp any private mail system
# Rick Adams <rick*UUNET.UU.NET>
smtp 25/tcp Simple Mail Transfer
smtp 25/udp Simple Mail Transfer

and:

submission 587/tcp Submission
submission 587/udp Submission

It does look like these:

# Vera Heinau <heinau*fu-berlin.de>
# Heiko Schlichting <heiko*fu-berlin.de>
telnets 992/tcp telnet protocol over TLS/SSL
telnets 992/udp telnet protocol over TLS/SSL
imaps 993/tcp imap4 protocol over TLS/SSL
imaps 993/udp imap4 protocol over TLS/SSL
ircs 994/tcp irc protocol over TLS/SSL
ircs 994/udp irc protocol over TLS/SSL
# Christopher Allen <ChristopherA*consensus.com>
pop3s 995/tcp pop3 protocol over TLS/SSL (was spop3)
pop3s 995/udp pop3 protocol over TLS/SSL (was spop3)

and a few others are clearly over TLS/SSL (and not just STARTTLS as an
option). Since port 25 must stay clear for acceptance of (insecure) mail
exchange, at least it could use STARTTLS (why not?). So I wasn't expecting
that submission (starting in the clear) would need a separate port (e.g. its
current standard of 587 ... and apparently not over TLS/SSL).

There seems to not be enough ports, if submission and/or STARTTLS are more
than just mere extensions to SMTP.

I guess I can use port 24?

On Fri, 21 May 2010 15:26:33 -0400
465 is for SMTP over SSL, which is deprecated.

What is deprecated? Using port 465? Or doing SMTP over SSL?
Unfortunately, I need to do the latter because of some network security and
access issues (and for like reason am doing IMAP over SSL on port 993 and
POP over SSL on port 995).

I could go ahead and do SMTP over SSL on port 465. Are you sure it won't
conflict with anything?

I'm doing optional STARTTLS (e.g. smtpd_tls_security_level=may and
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination)
on port 25.

What should I be doing on port 587?

On Fri, 21 May 2010 15:35:55 -0400
SMTP over SSL
Just use port 465 if you want, but the submission port would make more
sense (587)
Why not use "smtpd_tls_security_level = encrypt" on port 587?

http://www.postfix.org/TLS_README.html

There's an example submission (port 587) service in recent master.cf
files:

#submission inet n - n - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING

This example should also have

-o smtpd_sasl_tls_security_options=noanonymous

to allow plain-text passwords over TLS.

Wietse

The remote site involved is tunneling these connections through something
like SSL, as far as I can tell. It works fine on port 993 for IMAP.

Why is SMTP over SSL depricated while others over SSL are not? Seems
inconsistent. OTOH, almost everything over TCP could have a use for an SSL
variant. But with no consistent way to do STARTTLS on all protocols, there
would be no clear way to engage it short of a designated port ... or
creating a new transport (e.g. something that could have been called TCPTLS
or such).

OK, I can do SMTP over TLS/SSL on port 465 (with a slight and unlikely risk
of usage collision). So what is port 587 for?

? This question has been answered at least 3 or 4 times in this very thread.

port 465 is for SMTP+SSL
this is DEPRECATED and has been for a long time

port 587 is for SMTP+STARTTLS
this is the designated SMTP SUBMISSION port

The submission port should always be used instead of port 465 unless you
must support older clients like Outlook Express and older versions of
Outlook that will only do SMTP+SSL over port 465.

I don't want to use port 465 because it isn't an unassigned port
(though even unassigned has a risk that it could become assigned later
on). But I need to use SMTP over TLS/SSL. It's not due to a client,
but instead, due to networking (tunnelled TCP connections). It seems
my choice is between using 465 or using some unassigned arbitrary
port. Maybe 60025?

You are making a mistake, "465" was once assigned to the deprecated
"smtps" service and remans widely used in that capacity.
Using ports in the "dynamic" range would be a really bad idea. Use
465.

if you mean "wrapper mode ssl" (aka smtps), then
$ grep smtps /etc/services
ssmtp 465/tcp smtps # SMTP over SSL

this is non standard. but it's used by outlook and by other "people".

in the old days, people kept adding new ports for SSL (http -> https,
ftp -> ftps, foo -> foos). while this was "simple", it creates its own
set of problems. so that approach was replaced by providing security
"inside" the protocol, instead of relying on an additional and
independent layer. so the standard for smtp is to use the STARTTLS
command. only use the old "smtps" as a compatibility mode (that you
discourage as much as you can).

Is it the case that 465 once was assigned as smtps and later retracted
and re-assigned differently? Or was it never official at all and the
/etc/services file you have isn't just an old one, but an unofficial
one? I get mine from IANA and 465 is assigned differently.

There are "wrapper mode ssl" ports for a few other services. Probably
most known is https (443). Others include nntps (563), ldaps (636),
telnets (992), pop3s (995). And imap seems to have 2 variants ...
imaps (993) and an apparently older depricated imap4-ssl (585) (this
is in the IANA copy). So are these protocols somehow different in
that they need a wrapper mode, even though, in theory, some form of
STARTTLS could work on at least some of them?

Personally, I think what should have been done was to create a whole
new transport protocol in peer with TCP, call it something that merges
TCP with TLS, assign it a new protocol number (like TCP has protocol 6
and SCTP has protocol 132), and define it to function like TCP for IP,
but everything that uses it is "wrapper mode" TLS. Of course, that
would have required a lot of development at the system level to get
going, whereas wrapper mode as it is done now is just an add-on in
user space.

I think that yes, it was once officially assigned as such, but you are
worrying about nothing.

If you need wrapper-mode smtp over SSL, use port 465. Period. I promise
nothing will explode, nor will you be attacked by the green slime... ;)

Good enough reason for me to not use it.
Several. The current project is on Ubuntu 9.10. I may move it to
Slackware 13.1. Nothing odd about these or any others I have used. I
do update and upgrade where practical. I'm finding that with Ubuntu
that's not always so, beyond what they pre-package. But for the
/etc/services file, that's never been a problem to regularly get the
official one from IANA, which I have been doing for a couple decades.
Even with STARTTLS (or STLS, or A STARTTLS, or whatever is used for
some protocol), you still need one IP per hostname identified
certificate, unless you have some means to select the host in advance
that is safe to do (not sure if that is possible).
It is hard for firewall level controls to force encryption, unless it
is known that a given port always does. So from that perspective,
wrapper mode TLS/SSL is easier, when using standard ports for that.
You (in the role of firewall admin) can, for example, allow port 443
and disallow port 80 to ensure everyone is using encryption. In the
case of ports using STARTTLS or the like, you need to do sniff into
the TCP stream layer and see if STARTTLS is really being done (or be
the server admin and force it there).

This is the de-facto standard port for the service. Shoot yourself in
the foot if you wish, but for the record anyone implementing SMTP over
SSL (rather STARTTLS over SMTP) should use port 465 for that service.

Not to mention the fact that, IIRC, old versions of Outlook (and
possibly Outlook Express) that support SMTP over SSL *hardcode* port 465
- or at least bury any option to change it somewhere most people will
never find it. If you must support those clients, you must use that port.

-kgd

At this point I'm just not going to support SMTP wrapped/tunneled over
SSL/TLS ... on any port. But just in case something comes up where I
have to support it, I do have the config for it in comments with port
465. They won't get that until after they've heard "show me the RFC"
and "Microsoft doesn't follow real standards" a couple times.

But IMAP and POP are enabled on a wrapped/tunneled SSL/TLS port (993
and 995), since a standard does exist (but I'm not telling anyone but
the other admin about it ... I'm promoting STARTTLS/STLS for
everything).

At Tue, 25 May 2010 16:00:36 -0400, Phil Howard <***@gmail.com> wrote:
Subject: Re: which port to use for SSL/TLS?
This might seem odd to some for me to say, but I really don't understand
why you're trying so vainly to be such a stickler for the so-called
"standards" in this case.

IANA's "port numbers" are more a Best Common Practice than a literal
standard. You're free to provide whatever service you so wish to
provide on any port you please. The published port assignments,
especially those in the 0-1023 range, i.e. the Well Known Ports, are
simply a guideline to help you to inter-operate with "unknown callers".
If your users are all known to you then they will all know which port to
use through prior arrangement. By definition one could conclude that
all users of a service requiring authentication and authorization are in
fact "known callers".

Finally, since running SMTP through SSL was previously defined and
assigned a port number, then supporting legacy applications using this
protocol and port number is well within the boundaries of valid use.

The only really valid reason for _not_ providing SMTP through SSL, (aka
"ssmtp" or "smtps") on port 465 would be if you really had to support
the newly assigned "urd" (URL Rendesvous Directory for SSM) protocol for
_unknown_ callers also on port 465, and also on the exact same IP
address (or perhaps through the same NAT-based firewall if for some
stupid reason you've put your servers behind a NAT on some non-public IP
addresses).
Are you sure your soap-box is the most secure one to promote?

The only real reason why SMTPS was "deprecated" was solely because of
politics. There was never any technical reason to deprecate SMTPS. It
was done as a result of someone having the fool-headed idea to think
that since it is _possible_ to initiate TLS from within the SMTP
transaction, then that should be the _only_ way to do it.

Note that the original RFC 2487 even goes so far to suggest that
STARTTLS is less secure than SMTPS by noting an obvious MitM attack (and
suggesting only a relatively ludicrous work-around). That RFC's author
gave the following contradictory excuse to IANA via e-mail in order to
cause the unilateral deprecation of SMTPS: "The email community has
reached rough concensus that widespread use of such a port will be
harmful to the performance, interoperability and security of SMTP."

Note there are even further MitM weaknesses in the original STARTTLS
protocol as well, all of which are avoided entirely by SMTPS.
Indeed, SMTPS threatens the success of STARTTLS because it is more
secure than using STARTTLS.

So, one must ask one's self if STARTTLS was truly the best option for
SMTP, when why was it not so for every other protocol that could have
been similarly extended from within, including HTTP, IMAP, NNTP, FTP,
TELNET, IRC, and so on? The whole idea of trying to support TLS as an
add-on or extension to an existing protocol and to do so by using an
"optional" in-band request, is entirely antithetical to the ideal of
using TLS to protect the _entire_ encapsulated protocol.

Finally remember that the deprecation of SMTPS was never done officially
or via any published standard. It was done simply by fiat when Paul
Hoffman asked IANA on his own to deprecate SMTPS prior to the final
publication of his STARTTLS RFC 2487. The language suggesting the
deprecation of SMTPS and reassignment of port 465 was then removed from
the STARTTLS draft and there was no opportunity for further discussion
through the RFC process.

Politics.

But it's more than just BCP for me (or you). It's a knowledge of BCP
for others as that might impact me (or you). For example, it means it
is unlikely that a reputable manufacturer will implement or deploy
(MSFT doesn't fit that for me).
That can justify it ... on a "phasing it out" basis.

I did actually turn 465 on to see if it worked. It did. Then I
commented it out. So I have "phased it out".
I disagree. If port 465 becomes regularly used for a non-standard
purpose, people will begin to use it and expect it to be there. If
later on (for example a few years later), the official use for port
465 (urd) needs to be deployed, then a conflict suddenly exists. And
it might not be noticed in the planning phase because it might be
different teams using these things. It may become necessary to
abruptly shut off SMTPS on port 465 because of that (if there's no
easy way to make these different services coexist, which is not a
known certainty ahead of time).
I'm not on a soap box. It has been for a long term practice (for me)
to stick with standards unless I have a compelling need to deviate
(and believe me, I have many times needed to do that). At this time,
there is no specific need for SMTPS that cannot be filled by
{SMTP|Submission}+STARTTLS on 25|587 ... so ... at this time, there is
no compelling need for SMTPS that would have me consider how to "go
beyond" the standards. If it were a standard port, I would have fired
it up just to see if it needed to be used. What I did instead is
configured it as commented out, and will address any complaints
when/if they arrive (none to date ... 2 days into activation).
I'm not disagreeing with this. I think there should be an SMTPS.
Correct me if I am wrong (as I have heard this only 2nd hand), but my
understanding is that the intended use of SMTPS included MX purposes
(albeit wrapped in TLS).
I don't disagree. If you need more people to champion the cause to
bring back SMTPS, let me know.
Perhaps (I'm speculating), the nature of the protocols (including a
_narrow_ view of SMTP) as seen by some suggested that SMTP didn't need
the level of authentication the others did. I don't agree, but just
trying to see how the process might have come to the conclusion it
did. I was never involved in that process, even as an observer (I
wish I had been).
There are a number of unassigned ports still in the range less than
1024. Do you feel it is worth the cause to bring back SMTPS at least
on another port number? I'm curious why it is that port 465 got
assigned to another service rather than one of the still unassigned
ports?

FYI, I do run SSH on various unassigned ports. That's because I don't
want the log floods I'd get if I had SSH facing the wild on port 22
(I've had on a couple days over a million dictionary attempts to root,
all unsuccessful, but occupying 99% of the log file space).
Yes. And I hate it. But I have to live with it and work around it.

Rhetorical question: How would a sending domain know that a particular
receiving domain supports SMTPS?

Clearly SMTPS would not be an alternative to SMTP for MX hosts, rather
it is only alternative to to port 587+STARTTLS for submission servers.

This means that if we want to support (opportunistic) TLS for domain
to domain delivery, we need STARTTLS. And in fact opportunistic TLS
is now widely (though not universally) deployed in this context.

Given that SMTP + STARTTLS is available, there is little need for yet
another protocol for submission. So on the whole SMTPS would not solve
any issues that SMTP + STARTTLS does not handle adequately. Over and
out.

On Fri, May 28, 2010 at 14:24, Victor Duchovni
Try it an see. If it fails to connect or times out, and local policy
and/or message parameters allow this, fall back to SMTP. Specific
detail are probably subject to discussion and maybe standardization.
I don't agree. But it could be argued that SMTP+STARTTLS is
sufficient for MX. I haven't done the analysis to know if the
exposure risks in STARTTLS apply to MX or not.
And this goes back to the arguments for SMTPS. Is there any
definitive analysis that says that STARTTLS has risks for submission
and never can have any for MX?
I guess you need to argue that with Greg. He seems to be more of an
advocate for that than I do (I don't have the time to do the analysis
... though I do have the biased preference to simply move EVERYTHING
on TCP ... and even SCTP ... over to wrapped TLS).

No. This is a really poor idea. You're not supposed to answer rhetorical
questions, you just risk looking a bit silly...
See above.
There is no fundamental need for a second protocol, but Postfix supports
it because legacy clients (that will over the next few years disappear,
since modern Outlook supports STARTTLS) don't support 587 + STARTTLS.
I don't get into arguments with Greg.

On Fri, May 28, 2010 at 14:46, Victor Duchovni
Rhetorical questions that make no sense need to be refuted somehow.
What do you suggest as an alternative to just plain answering them
(for ones that are in the negative)?
And see what Greg posted. Analysis would be going in depth on what
lots of people say, and examining their evidence where available.
Fine. Just understand there is more than one point of view.

? That's what (something like) fail2ban is for...