> Technically speaking, using port 465 for (authenticated) SMTP over SSL/TLS
> has been deprecated for a long, long time.
>
> Microsoft was long a lone holdout against standards, but recently, Apple and
> Google have joined them, and if you're running a mail service for some
> 4-digit number of users or more, you'll likely either have to endure loads of
> support calls debugging why ports 25 and 587 don't work with STARTTLS in
> some instances, or you'll cave in and enable TLS over port 465.
>
> So, in practice, Apple and Google un-deprecated this use of port 465.
465 has the benefit that the STARTTLS keyword can’t be MITM stripped.
On one of my recent GoGo InAir flights, I checked a connection to one of my
SMTP servers and to google’s servers on port 25. GoGo MITMs them, removing the
STARTTLS verb. They don’t currently do this on port 587, but I don’t think all
clients would notice if they started.
SSLSTRIP looks like this:
> telnet smtp.gmail.com 25
> Trying 74.125.193.108…
> Connected to gmail-smtp-mds.l.google.com.
> Escape character is ‘^]’.
> 220 ************************************************
> EHLO [172.19.131.170]
> 250-mx.google.com at your service, [12.130.117.100]
> 250-SIZE 35882577
> 260-8BITMIME
> 250-XXXXXXXA
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-XXXXXXXB
> 250-XXXXXXXC
The “XXXXXXXA” line should have been “STARTTLS” but the client never sees
that, so merely proceeds in plaintext.
Connections to 465 are safe from this type of attack.
-Jeff
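The following is an added example for this thread, not code from the post or from Courier. It parses an EHLO reply the way the transcript above shows it, flags extension keywords that have been masked into runs of X characters, and wraps two live checks: a port 25 probe that refuses to continue in plaintext when STARTTLS is absent, and a port 465 connection that negotiates TLS before any SMTP verb is exchanged. The two sample replies are constructed (example.test hostnames, TEST-NET addresses), and the fail-closed policy in `probe_port25` is this example's own choice, not the behaviour of any particular mail client.

```python
"""Audit an SMTP EHLO reply for STARTTLS, and connect with implicit TLS on 465.

Added example for this thread; not from the original post or from Courier.
The sample replies are constructed; the live probes are assumptions about
a fail-closed client policy, not the behaviour of any particular MUA.
"""
import re
import smtplib
import ssl

# Constructed EHLO replies (not captured traffic). STRIPPED_EHLO reproduces
# the shape of the reply in the post: extension keywords replaced by X-runs
# of the same length, so "STARTTLS" never reaches the client.
STRIPPED_EHLO = (
    "250-mx.example.test at your service, [192.0.2.10]\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-XXXXXXXA\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250-XXXXXXXB\r\n"
    "250 XXXXXXXC\r\n"
)
INTACT_EHLO = (
    "250-mx.example.test at your service, [192.0.2.10]\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250 SMTPUTF8\r\n"
)

# A keyword made of X characters (optionally followed by one letter/digit,
# as in XXXXXXXA) is not a registered ESMTP extension; treat it as masked.
MASKED_KEYWORD = re.compile(r"^X{4,}[A-Z0-9]?$")


def parse_ehlo_extensions(reply: str) -> list[str]:
    """Return the extension keywords from a multi-line 250 EHLO reply.

    Per RFC 5321 4.1.1.1 the first 250 line carries the server domain and
    free text, so it is skipped; each later line starts with a keyword.
    """
    keywords = []
    lines = [line for line in reply.splitlines() if line[:3] == "250"]
    for line in lines[1:]:
        body = line[4:].strip()  # drop "250-" or "250 "
        if body:
            keywords.append(body.split()[0].upper())
    return keywords


def audit_ehlo(reply: str) -> dict:
    """Report whether STARTTLS is advertised and which keywords look masked."""
    keywords = parse_ehlo_extensions(reply)
    masked = [k for k in keywords if MASKED_KEYWORD.match(k)]
    starttls = "STARTTLS" in keywords
    return {
        "starttls": starttls,
        "masked_keywords": masked,
        # STARTTLS missing *and* X-run keywords present is the stripping
        # signature from the post; STARTTLS simply absent is only a warning.
        "suspicious": (not starttls) and bool(masked),
    }


def probe_port25(host: str, timeout: float = 10) -> dict:
    """Live check (not run offline): plaintext EHLO on port 25.

    Fails closed: raises instead of proceeding in the clear when STARTTLS
    is not offered, which is the behaviour the post says not all clients have.
    """
    with smtplib.SMTP(host, 25, timeout=timeout) as conn:
        code, msg = conn.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected by {host}: {code}")
        # smtplib returns the reply lines without their codes; re-add them
        # so the same parser serves captured text and live sessions.
        text = "\r\n".join(
            "250-" + line for line in msg.decode("ascii", "replace").splitlines()
        )
        result = audit_ehlo(text)
        if not result["starttls"]:
            raise RuntimeError(f"STARTTLS not offered by {host}: {result}")
        conn.starttls(context=ssl.create_default_context())
        return result


def connect_port465(host: str, timeout: float = 10) -> str:
    """Live check (not run offline): implicit TLS on port 465.

    The handshake happens before any SMTP verb, so there is no plaintext
    keyword for a middlebox to remove; the default context verifies the
    certificate and hostname, so a substituted endpoint fails the handshake.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP_SSL(host, 465, timeout=timeout, context=ctx) as conn:
        conn.ehlo()
        return conn.sock.version()  # e.g. "TLSv1.3" on a successful handshake


if __name__ == "__main__":
    print("stripped:", audit_ehlo(STRIPPED_EHLO))
    print("intact:  ", audit_ehlo(INTACT_EHLO))
```

Run offline, the script classifies the constructed stripped reply as suspicious (no STARTTLS, three masked keywords) and the intact one as fine. Against a real server, `probe_port25` only ever upgrades to TLS or raises, and `connect_port465` never sends a byte of SMTP before the TLS handshake completes, which is the property the post attributes to port 465.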
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users