On 02/14/2017 02:00 PM, Ruslan N. Marchenko wrote:
> It has nothing to do with port reuse, rather service binding. When I'm
> thinking how many ports I need to open on firewall to allow simple mail
> exchange - it just makes me feel sad and sorry for all the people who
> developed those standards.
Really? How many ports do you have to open? I have port 25 for SMTP
delivery because that's a must, but then I simply have sslh listen on port
443 and it sends HTTP traffic to nginx based on SNI or ALPN and by default,
XMPP traffic to prosody based on ALPN, IMAP traffic to dovecot based on SNI,
SMTP submission to postfix based on SNI, VPN to ocserv based on SNI, IRC to
znc based on SNI, and probably a few I don't remember right now. So that's
2 ports, 99% of them TLS over 443 multiplexed with ALPN or SNI.

> Also one security drawback here - now to DoS by encryption abuse vector
> you need to negotiate stream before doing starttls - meaning you need to
> have handcrafted tool just for this protocol. With TLS on socket you can
> use anything which is able to open secure socket (probably related to
> the quote above?).

I'm pretty sure nginx and haproxy handle TLS and any type of TLS DoS far
better than any current XMPP server, sorry, that's just a much larger
segment of the web.

Don't get me wrong, I'd love it if all ports were open all the time and
such, but that's not the world we live in, and I can do nothing to change
99% of it. The fact is TLS over 443 is most likely to get through, and I
don't see any downsides to sending XMPP over it. In fact you already can
now with BOSH or WebSockets, but this is more lightweight for non-web
clients.

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
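The port-443 setup described in the reply above works because an sslh-style
demultiplexer can read the SNI and ALPN fields of the TLS ClientHello in
cleartext, before any TLS is terminated, and hand the raw connection to the
right backend. The following is an added example written for this thread; it
is not code from the post, from sslh, or from any of the servers named. The
backend names, routing tables and example hostnames are assumptions, and the
ClientHello it parses is constructed inside the block rather than captured.

```python
"""Route a port-443 connection by SNI / ALPN, as an sslh-style demultiplexer does.
Added example for this thread; backend names and routing tables are assumptions."""
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type
CLIENT_HELLO = 0x01    # handshake message type
EXT_SNI = 0x0000       # server_name (RFC 6066)
EXT_ALPN = 0x0010      # application_layer_protocol_negotiation (RFC 7301)

ALPN_ROUTES = {"xmpp-client": "prosody", "h2": "nginx", "http/1.1": "nginx"}
SNI_ROUTES = {"imap.example.org": "dovecot", "smtp.example.org": "postfix",
              "vpn.example.org": "ocserv", "irc.example.org": "znc"}
DEFAULT_BACKEND = "nginx"    # unclassified TLS still lands on the web server, as in the post

def _num(buf, off, n):
    """Big-endian integer of n bytes at buf[off]; ValueError instead of reading past the end."""
    if off + n > len(buf):
        raise ValueError("truncated")
    return int.from_bytes(buf[off:off + n], "big")

def _parse_sni(ext):
    """server_name extension body -> first host_name entry, or None."""
    end, p = min(2 + _num(ext, 0, 2), len(ext)), 2
    while p + 3 <= end:
        name_type, name_len = ext[p], _num(ext, p + 1, 2)
        p += 3
        if p + name_len > end:
            raise ValueError("truncated SNI entry")
        if name_type == 0:
            return ext[p:p + name_len].decode("ascii")
        p += name_len
    return None

def _parse_alpn(ext):
    """ALPN extension body -> protocol names in the client's preference order."""
    end, p, protos = min(2 + _num(ext, 0, 2), len(ext)), 2, []
    while p < end:
        n, p = ext[p], p + 1
        if p + n > end:
            raise ValueError("truncated ALPN entry")
        protos.append(ext[p:p + n].decode("ascii"))
        p += n
    return protos

def parse_client_hello(data):
    """(sni, alpn_list) from one complete TLS ClientHello record; ValueError otherwise."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = data[5:5 + _num(data, 3, 2)]
    hs_len = _num(hs, 1, 3)
    body = hs[4:4 + hs_len]
    if _num(hs, 0, 1) != CLIENT_HELLO or len(body) != hs_len:
        raise ValueError("not a ClientHello, or record truncated (wait for more bytes)")
    pos = 2 + 32                        # skip client_version and random
    pos += 1 + _num(body, pos, 1)       # session_id
    pos += 2 + _num(body, pos, 2)       # cipher_suites
    pos += 1 + _num(body, pos, 1)       # compression_methods
    sni, alpn = None, []
    if pos == len(body):                # legacy hello without an extensions block
        return sni, alpn
    end = min(pos + 2 + _num(body, pos, 2), len(body))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = _num(body, pos, 2), _num(body, pos + 2, 2)
        pos += 4
        if pos + ext_len > end:
            raise ValueError("bad extension length")
        ext, pos = body[pos:pos + ext_len], pos + ext_len
        if ext_type == EXT_SNI:
            sni = _parse_sni(ext)
        elif ext_type == EXT_ALPN:
            alpn = _parse_alpn(ext)
    return sni, alpn

def route(first_bytes):
    """Backend name for a connection, or None when it is not a TLS ClientHello."""
    try:
        sni, alpn = parse_client_hello(first_bytes)
    except ValueError:
        return None                     # sslh would fall through to its other probes
    for proto in alpn:                  # ALPN first, in the client's preference order
        if proto in ALPN_ROUTES:
            return ALPN_ROUTES[proto]
    return SNI_ROUTES.get(sni, DEFAULT_BACKEND)

def build_client_hello(sni=None, alpn=()):
    """Constructed minimal ClientHello for testing (not a captured packet)."""
    exts = b""
    if sni is not None:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode("ascii")
        exts += struct.pack("!HHH", EXT_SNI, len(entry) + 2, len(entry)) + entry
    if alpn:
        names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        exts += struct.pack("!HHH", EXT_ALPN, len(names) + 2, len(names)) + names
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs
```

Two caveats a practitioner should keep in mind. The demultiplexer only ever
sees the cleartext ClientHello, so SNI and ALPN are unauthenticated client
input: this routes connections, it does not authorize them, and each backend
still terminates TLS and authenticates the peer itself. That is also why every
length field is bounds-checked and the parser raises instead of indexing past
the buffer, since these bytes arrive from an unknown peer before any
cryptographic check has happened. A ClientHello that is still in flight (or
split across records) is reported as truncated, which a real demultiplexer
answers by reading more rather than guessing, and clients that encrypt the
ClientHello (Encrypted Client Hello) remove the SNI signal entirely, leaving
only ALPN and the default route.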
