nanog mailing list archives

Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]


From: Viruthagiri Thirumavalavan <giri () dombox org>
Date: Sat, 12 Jan 2019 09:45:12 +0530

Hello Mr. Ramasubramanian,

When I originally drafted the SMTPS proposal, I thought the plaintext
part before the STARTTLS command leaks some sensitive info.

e.g. 220 mail.ashleymadison.com AshleyMadison ESMTP Service Ready

That text will always be transferred in plaintext. So I thought Implicit
TLS would prevent leaking that info.

But guys in the IETF mailing list actually showed me a way to get that
info. You just get the IP address from the 3-way handshake and do a reverse
lookup / connect to port 26 to fill in the rest of the info. So a new port
doesn't offer much security. And I totally agree with them on that from
my understanding of it.

But I still want the future of email to adopt Implicit TLS. So someday we
can kill Opportunistic TLS. I already lost the case for security. So the
smtps part of my proposal is not gonna fly. I'm just here to learn whether
Implicit TLS can offer anything better than Opportunistic TLS that's worth
wasting a port.

Thanks

On Sat, Jan 12, 2019 at 9:28 AM Suresh Ramasubramanian <ops.lists () gmail com>
wrote:

Most new MTA implementations over the past several years default to TLS
with strong ciphers.  So how much of a problem is low or no TLS right now?

How much more of a problem will it be over the next year or two as older
hardware is retired and new servers + software deployed, or as is more
likely, people move their mail to cloud services that already do support
strong ciphers for TLS?

How worth solving is the problem - what is the return for all this effort?

--srs

------------------------------
*From:* NANOG <nanog-bounces+ops.lists=gmail.com () nanog org> on behalf of
Viruthagiri Thirumavalavan <giri () dombox org>
*Sent:* Saturday, January 12, 2019 9:21 AM
*To:* nanog () nanog org
*Subject:* Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback
Request]

If you all think my prefix proposal has some merit, it still paves the
way for future smtps proposals. So I have no issues with killing the smtps part
of my proposal.

As for signalling, I'm not sure whether moving the signalling part to
another record type is a good idea.

Because my signalling proposal is flawed without DNSSEC as Brandon Martin
pointed out.

So if we move the signalling part to another record type, then we may have
to deal with multiple record set signatures. Also there is one more
configuration for the end user. But I'm open to suggestions.

To the person who trolled me. I'm here to have some intellectual
conversation. So please stop trolling me. You are an engineer. So don't
behave like a teen in a YouTube comments section. I'm proposing this
stuff so the world can benefit from it. By trolling me, you are just
killing that.

To everyone else, please go easy on me. If I'm a little off on something,
please forgive my ignorance. The reason I'm here is because you all know
this stuff better than me. I'm here to get some feedback.

If you all think opening a new port is a waste of time, I'm ok with that.
But if you see some benefits of Implicit TLS over Opportunistic TLS, please
point that out too.

Thank you for your time.



-- 
Best Regards,

Viruthagiri Thirumavalavan
Dombox, Inc.
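To make the banner-leak point concrete, here is a small model (added here, not code from the thread or from Dombox) of the two connection styles discussed above: an opportunistic STARTTLS session and the same transaction over implicit TLS. It lists which SMTP lines cross the wire before encryption begins; the host names and session lines are constructed.

```python
"""Model of what an on-path observer sees before encryption starts in an SMTP
session with STARTTLS (opportunistic TLS) versus implicit TLS.
Constructed example; host names and lines are made up."""

# Constructed STARTTLS session. Everything before the ("TLS", ...) marker is
# sent in the clear; everything after it is inside the TLS tunnel.
STARTTLS_SESSION = [
    ("S", "220 mx.example.net ESMTP Service Ready"),
    ("C", "EHLO client.example.org"),
    ("S", "250-mx.example.net"),
    ("S", "250-STARTTLS"),
    ("S", "250 SIZE 52428800"),
    ("C", "STARTTLS"),
    ("S", "220 Ready to start TLS"),
    ("TLS", "<handshake>"),
    ("C", "EHLO client.example.org"),
    ("C", "MAIL FROM:<alice@example.org>"),
]

# Same transaction over implicit TLS (the proposal's hypothetical port 26):
# the handshake comes first, so every SMTP line is encrypted.
IMPLICIT_SESSION = [
    ("TLS", "<handshake>"),
    ("S", "220 mx.example.net ESMTP Service Ready"),
    ("C", "EHLO client.example.org"),
    ("S", "250-mx.example.net"),
    ("S", "250 SIZE 52428800"),
    ("C", "MAIL FROM:<alice@example.org>"),
]


def cleartext_lines(session):
    """Return the protocol lines sent before the TLS handshake."""
    seen = []
    for who, line in session:
        if who == "TLS":
            break
        seen.append(line)
    return seen


def cleartext_leaks(session):
    """Summarise what the cleartext reveals: the server banner, the client's
    EHLO name, and the advertised EHLO response lines."""
    leaks = {"server_banner": None, "client_helo": None, "ehlo_response": []}
    for line in cleartext_lines(session):
        if line.startswith("220 ") and leaks["server_banner"] is None:
            leaks["server_banner"] = line[4:]
        elif line.upper().startswith("EHLO "):
            leaks["client_helo"] = line[5:]
        elif line.startswith(("250-", "250 ")):
            leaks["ehlo_response"].append(line[4:])
    return leaks
```

Running `cleartext_leaks` over both sessions shows the banner and EHLO exchange exposed in the STARTTLS case and nothing in the implicit case, which is the difference the proposal was aiming at (and which, as the thread notes, a reverse lookup can still partly recover).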
