On 22 Apr 2010, at 00:07, Franck Martin <franck@genius.com> wrote:
Consider also smtps port which should be treated like smtp port and not like submission port, or simply do not listen on smtps as TLS is available on smtp port via esmtp.
Er, no. TLS-on-connect aka smtps (as opposed to STARTTLS) is only used to support Microsoft MUAs that are more than a couple of years old. They only supported STARTTLS on port 25 and insisted on using the deprecated TLS-on-connect mode on all other ports. This meant they could not support standard Message Submission on port 587. Therefore you should treat smtps (TLS-on-connect on port 465) as the special Microsoft version of RFC 4409 message submission. That is, treat the protocols exactly the same wrt authentication, authorization, firewalls, address validation, etc.

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
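Tony's rule (port 465 is submission with TLS-on-connect, so it gets the same authentication and relay policy as 587, not the inbound policy of port 25) expressed as a Postfix master.cf fragment. This is an added example, not from the thread or any participant; it assumes Postfix, and the restriction lists are illustrative.

```conf
# Added example (not from the thread): Postfix master.cf fragment applying
# Tony's rule. Assumes Postfix; option names are standard Postfix ones,
# the restriction lists are illustrative.
#
# service    type  private unpriv  chroot  wakeup  maxproc command
#
# Port 25: inbound MX traffic from other MTAs. No SASL is offered here;
# relaying is decided by the ordinary smtpd_*_restrictions in main.cf.
smtp       inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtp
  -o smtpd_sasl_auth_enable=no

# Port 587: RFC 4409 message submission, STARTTLS required before AUTH.
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# Port 465: TLS-on-connect ("smtps"). Identical to submission except that
# TLS is wrapper-mode instead of STARTTLS. Authentication and relay policy
# are the same, so an MTA that tries to deliver here unauthenticated is
# rejected exactly as it would be on 587.
smtps      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

The separate syslog_name values let the three services be told apart in the mail log, which is what you need when an unexpected peer (like the one described later in this thread) shows up on 465.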
On 22.04.2010 13:07, Tony Finch wrote:
Er, no. TLS-on-connect aka smtps (as opposed to STARTTLS) is only used to support Microsoft MUAs that are more than a couple of years old. They only supported STARTTLS on port 25 and insisted on using the deprecated TLS-on-connect mode on all other ports. This meant they could not support standard Message Submission on port 587. Therefore you should treat smtps (TLS-on-connect on port 465) as the special Microsoft version of RFC 4409 message submission. That is, treat the protocols exactly the same wrt authentication, authorization, firewalls, address validation, etc.
I recently had the problem that a Lotus Notes server insisted on sending emails to one of our clients via port 465. So having mandatory authentication there actually broke delivery for an exchange sender.
X-Mailer: Lotus Notes Release 6.5.4 March 27, 2005
X-MIMETrack: Serialize by Router on smtp2/xxxxx(Release 6.5.4|March 27, 2005) .....
cheers, raoul
Raoul Bhatia [IPAX] wrote:
I recently had the problem that a Lotus Notes server insisted on sending emails to one of our clients via port 465. So having mandatory authentication there actually broke delivery for an exchange sender.
Leave it "broken" for the other end that is. Only way to force them to fix it. The only acceptable, and standard, way to submit email these days is using port 587 with TLS. And if you have users with broken clients, they can use webmail behind https. I am against facilitating (and thus perpetuating the existence of) old broken clients by making available port 465.

Regards,
Jeroen
-- 
http://goldmark.org/jeff/stupid-disclaimers/
Happily Microsoft have fixed their smtps stupidity, so you only need to support it on the server if you need to support users running old versions of Outlook etc. There was never anything particularly wrong with smtps, apart from a dogma in the IETF that it is architecturally wrong. The consensus now is that it was wrong to rescind the port allocation, because that completely failed to stop people (er, Microsoft) from deploying smtps, and just led to interop problems.

Tony (on his iPod).
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/

On 28 Apr 2010, at 01:55, Jeroen van Aart <jeroen@mompl.net> wrote:
Raoul Bhatia [IPAX] wrote:
I recently had the problem that a Lotus Notes server insisted on sending emails to one of our clients via port 465. So having mandatory authentication there actually broke delivery for an exchange sender.
Leave it "broken" for the other end that is. Only way to force them to fix it.
The only acceptable, and standard, way to submit email these days is using port 587 with TLS. And if you have users with broken clients, they can use webmail behind https. I am against facilitating (and thus perpetuating the existence of) old broken clients by making available port 465.
Regards,
Jeroen