Hello Mr. Ramasubramanian,

When I originally drafted the SMTPS proposal, I thought the plain text part before the STARTTLS command leaks some sensitive info, e.g.

220 mail.ashleymadison.com AshleyMadison ESMTP Service Ready

That text will always be transferred in plain text. So I thought Implicit TLS would prevent leaking that info. But guys on the IETF mailing list actually showed me a way to get that info: you just get the IP address from the 3-way handshake and do a reverse lookup / connect to port 26 to fill in the rest of the info. So a new port doesn't offer much security. And I totally agree with them on that from my understanding of it.

But I still want the future of email to adopt Implicit TLS, so someday we can kill Opportunistic TLS. I already lost the case for security, so the smtps part of my proposal is not gonna fly. I'm just here to learn whether Implicit TLS can offer anything better than Opportunistic TLS that's worth wasting a port.

Thanks

On Sat, Jan 12, 2019 at 9:28 AM Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Most new MTA implementations over the past several years default to TLS with strong ciphers. So how much of a problem is low or no TLS right now?
How much more of a problem will it be over the next year or two as older hardware is retired and new servers + software deployed, or as is more likely, people move their mail to cloud services that already do support strong ciphers for TLS?
How worth solving is the problem - what is the return for all this effort?
--srs
------------------------------
*From:* NANOG <nanog-bounces+ops.lists=gmail.com@nanog.org> on behalf of Viruthagiri Thirumavalavan <giri@dombox.org>
*Sent:* Saturday, January 12, 2019 9:21 AM
*To:* nanog@nanog.org
*Subject:* Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]
If you all think my prefix proposal has some merits, it still paves the way for future smtps proposals. So I have no issues with killing the smtps part of my proposal.
As for signalling, I'm not sure whether moving the signalling part to another record type is a good idea.
Because my signalling proposal is flawed without DNSSEC as Brandon Martin pointed out.
So if we move the signalling part to another record type, then we may have to deal with multiple record set signatures. Also, there is one more configuration for the end user. But I'm open to suggestions.
To the person who trolled me: I'm here to have some intellectual conversation, so please stop trolling me. You are an engineer, so don't behave like a teen in a YouTube comments section. I'm proposing this stuff so the world can benefit from something. By trolling me, you are just killing that.
To everyone else, please go easy on me. If I'm a little off on something, please forgive my ignorance. The reason I'm here is that you all know this stuff better than me. I'm here to get some feedback.
If you all think opening a new port is a waste of time, I'm OK with that. But if you see some benefits of Implicit TLS over Opportunistic TLS, please point those out too.
Thank you for your time.
-- Best Regards, Viruthagiri Thirumavalavan Dombox, Inc.
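The exchange discussed at the top of this thread, as an added example that is not part of any message in it: a small model of what a passive on-path observer can read from an SMTP session under Opportunistic TLS (STARTTLS on port 25) versus Implicit TLS (TLS from the first byte, as the port 26 proposal suggested). It also covers the failure mode of Opportunistic TLS, where the server declines STARTTLS and the whole session stays in the clear. The hostnames, the peer IP and the banner text are constructed sample values, and the session transcripts are constructed to follow RFC 5321/3207 wire order; the function names are the example's own.

```python
"""Constructed model of SMTP cleartext exposure: STARTTLS vs implicit TLS.
Not from the NANOG thread; all hosts, IPs and banner strings are sample data."""

from dataclasses import dataclass


@dataclass
class Msg:
    sender: str  # "S" = server, "C" = client
    text: str


# Constructed session: server offers STARTTLS, client uses it (RFC 3207 flow).
STARTTLS_SESSION = [
    Msg("S", "220 mail.example.net ESMTP Service Ready"),   # greeting banner
    Msg("C", "EHLO client.example.org"),
    Msg("S", "250-mail.example.net Hello client.example.org"),
    Msg("S", "250-STARTTLS"),
    Msg("S", "250 8BITMIME"),
    Msg("C", "STARTTLS"),
    Msg("S", "220 Go ahead"),      # TLS handshake starts after this reply
    Msg("C", "EHLO client.example.org"),   # everything below is inside TLS
    Msg("S", "250 mail.example.net Hello client.example.org"),
    Msg("C", "MAIL FROM:<alice@example.org>"),
    Msg("S", "250 2.1.0 OK"),
]

# Constructed session: server refuses STARTTLS, so opportunistic TLS falls
# back to cleartext for the entire exchange.
REFUSED_SESSION = [
    Msg("S", "220 mail.example.net ESMTP Service Ready"),
    Msg("C", "EHLO client.example.org"),
    Msg("S", "250-mail.example.net Hello client.example.org"),
    Msg("S", "250-STARTTLS"),
    Msg("S", "250 8BITMIME"),
    Msg("C", "STARTTLS"),
    Msg("S", "454 4.7.0 TLS not available due to temporary reason"),
    Msg("C", "MAIL FROM:<alice@example.org>"),
    Msg("S", "250 2.1.0 OK"),
]


def cleartext_view(session, implicit_tls, peer_ip):
    """Return the strings a passive observer can read from the wire.

    The TCP peer address is visible in both modes (3-way handshake); with
    implicit TLS nothing at the SMTP layer is readable. With STARTTLS the
    greeting, EHLO and capability list are readable up to the server's 220
    reply to STARTTLS; a non-220 reply means the session continues in clear.
    """
    seen = [f"TCP peer {peer_ip}"]
    if implicit_tls:
        return seen
    last_cmd = None
    for m in session:
        seen.append(f"{m.sender}: {m.text}")
        if m.sender == "C":
            last_cmd = m.text.strip().upper()
        elif last_cmd == "STARTTLS" and m.text.startswith("220"):
            break  # TLS handshake follows; remaining traffic is opaque
    return seen


def exposed_hostnames(view):
    """Hostnames recoverable from the readable part: greeting banner and EHLO."""
    names = set()
    for i, line in enumerate(view):
        parts = line.split()
        if i == 1 and parts[:2] == ["S:", "220"]:   # first server line = banner
            names.add(parts[2])
        elif parts[:2] == ["C:", "EHLO"]:
            names.add(parts[2])
    return names


if __name__ == "__main__":
    for label, session, implicit in (
        ("STARTTLS accepted", STARTTLS_SESSION, False),
        ("STARTTLS refused", REFUSED_SESSION, False),
        ("Implicit TLS", STARTTLS_SESSION, True),
    ):
        view = cleartext_view(session, implicit, "192.0.2.25")
        print(f"== {label}: {len(view)} readable items, "
              f"hostnames {sorted(exposed_hostnames(view))}")
        for line in view:
            print("   ", line)
```

The model makes the thread's point concrete: the only thing Implicit TLS hides that STARTTLS does not is the greeting banner and the EHLO names, and the peer IP that is visible in both modes is enough for a reverse lookup. The refused-STARTTLS session shows the weakness Opportunistic TLS actually has, which is that a declined or stripped STARTTLS leaves the whole session, envelope included, readable; that is the gap mechanisms such as MTA-STS and DANE are meant to close rather than a new port.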