On Fri, 11 Jan 2019 at 20:01, William Herrin <bill@herrin.us> wrote:
> On Fri, Jan 11, 2019 at 5:52 PM Viruthagiri Thirumavalavan <giri@dombox.org> wrote:
> > > In addition, it bypasses all the security folks have built around the idea of blocking port 25 traffic from sources which should not be operating as mail servers. Let's not make the network less secure in the name of making it more so.
> >
> > I already addressed this issue in the "security considerations" section.
> >
> > "Port 26 will be a secure alternative for Port 25. So Internet Service Providers are advised to take precautions to prevent email spam abuse. They are advised to block port 26, if necessary."
>
> While we're at it, let's deprecate IPv4 now that IPv6 is fully deployed.
100% agree. If mx1.example.com is prefixed like ip6-smtps-mx1.example.com, then mail should only be deliverable to the domain if all of ports 25, 26 and 27 support TLS with <blink>valid SSL</blink> certificates over <blink><blink><big><big><big>IPv6</big></big></big></blink></blink>. Why? Because I think there's too much confusion between the same ports working on both IPv4 and IPv6, and with Happy-Eyeballs, no certainty which protocol would be used; resulting in downgrade-to-IPv4 attacks in certain situations. For this reason, we should use port 27 in order to guarantee that the connection will happen iff (if-and-only-if) it can be established over IPv6, so that there's no confusion.

We can then use port 26 to send out reports of mail being undeliverable over IPv6 with TLS, and port 25 to send out bounces of bounces, which still has to support opportunistic StartTLS, in case we still get TLS errors on port 26 trying to deliver the bounces over IPv4 over TLS. Does this cover every possible scenario, or does anyone think we gotta use a few more ports?

Hopefully, this'll teach folks like CogentCo to get their IPv6 peering act together; especially if we get Google with Gmail and G Suite on board, and Cogent will suddenly stop getting their mails from pretty much all of their customers due to all the peering disputes with pretty much the rest of the IPv6 internet.

I posted my proposal to the IPv6 zealots Slack channel. I got very good feedback there. Many support my proposal. Some are against it.

C.