Re: Port 465/smtps and IANA question

From: Bill Cole (postfixlists-070913billmail.scconsult.com)
Date: Wed Oct 17 2007 - 09:38:46 CDT


At 10:56 AM +0200 10/17/07, Martin Schmitt (Schmitt Systems) wrote:
>Hi all!
>
>Well, well, well. I gave a client's contractor my client's policy
>(ghost-written by me, who else?) on TLS communication, including the
>following words:
>
>"Sending and receiving with SMTPS on Port 465 is not supported."
>
>After only half a year, the contractor finally comes around and happily
>reports that he has now implemented SMTPS.
>
>Brilliant.
>
>This may turn into a neat little dispute on why $CLIENT doesn't do
>SMTPS. Which is totally cool. I only have one white spot in my arguments
>that maybe someone of you can help me out with. It's about the delisting
>of Port 465 by IANA, which, at least from my point of view, constitutes
>the final termination of SMTPS as any kind of official "standard".
>
>My most recent machine (CentOS 5) still has the smtps listing in
>/etc/services while archive.org shows the transition from "unlisted" to
>"urd" in 2001:
>
>http://web.archive.org/web/*/http://www.iana.org/assignments/port-numbers
>
>So, when was it delisted?

Late 1998.

However, the legitimate life of SMTPS over port 465 was really more
like 8 months in 1996-1997. Netscape included it in the last SSL3
draft as 'pending assignment' but within the first month of the life
of the TLS-APPS list in mid-1997 it was proposed with no objection
(and some assent) that the STARTTLS RFC include the revocation of the
port. RFC2287's drafts had that language up until the last one, which
removed it because Paul Hoffman (lead author) had mooted the issue by
asking and getting IANA to revoke the port.

This is all rather easily found with Google...

>Is there some sort of IANA bulletin archived
>somewhere that I can refer to?

No, but if you need a solid reference to nail down the date, look here:

http://www.imc.org/ietf-apps-tls/mail-archive/msg00204.html

Otherwise, you might want to just keep watch on the port-numbers page
if you really care. Pulling it weekly shouldn't be too great a burden.

>And what may be the reason why I can't
>come up with a single UNIX box that doesn't list smtps in /etc/services
>even six years after port 465 has been reassigned?

FWIW, I don't see smtps on my MacOS or Solaris boxes except for the
one where I briefly had 465 set up in postfix for a very specific
need. That's a hint as to why many people have it listed in
operational configurations: operational need. You will note that many
mail systems also have port 106 entries for the 'poppasswd' protocol,
a horrendously insecure thing invented and deployed first almost 2
decades ago in the first mass-audience GUI MUA, Eudora. That one was
always wrong and bad, but it has survived.

In your situation it is a hard call how to handle the bad wrongness.
You seem prepped for a fight, which I admire, but that's a rare
situation. Having an up-front spec that said 'do not do this' ought
to be enough without reference to external authorities, but I guess
having the references isn't bad.

--
Bill Cole
billscconsult.com
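The reply above suggests two practical checks: see what a host's /etc/services actually says about port 465, and keep watch on the IANA port-numbers listing. The following script is an added example written for this archive page, not code from either poster. It parses /etc/services-format text (comments, aliases, multiple protocols per port) and reports every port whose local name disagrees with, or is absent from, a registry-style listing. Both inputs are constructed samples embedded inline; the IANA_STYLE block stands in for the registry page and is not the real registry.

```python
"""Compare a local /etc/services against an IANA-style port listing.

Added example; the sample inputs below are constructed and do not
reproduce any real host's file or the real IANA registry.
"""
import re
from collections import defaultdict

# Constructed sample of a local /etc/services, modelled on the kind of
# entry the post describes (smtps still mapped to 465/tcp).
LOCAL_SERVICES = """\
# Network services, Internet style (constructed sample)
smtp            25/tcp          mail
smtp            25/udp          mail
smtps           465/tcp                         # SMTP over SSL (legacy)
submission      587/tcp         msa
poppassd        106/tcp                         # Eudora password change
"""

# Constructed sample in the same format, standing in for the IANA
# port-numbers page the post suggests polling; not the real registry.
IANA_STYLE = """\
smtp            25/tcp
smtp            25/udp
urd             465/tcp                         # URL Rendesvous Directory
submission      587/tcp
"""

# name  port/proto  [alias ...]   (comments are stripped before matching)
_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>[a-z]+)(?P<aliases>(?:\s+\S+)*)$"
)


def parse_services(text):
    """Return {(port, proto): [primary_name, alias, ...]} from services text.

    Lines that do not match the services syntax are skipped rather than
    raising, so a hand-edited file with stray lines still parses.
    """
    table = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key = (int(m.group("port")), m.group("proto"))
        for name in [m.group("name")] + m.group("aliases").split():
            if name not in table[key]:
                table[key].append(name)
    return dict(table)


def port_names(table, port, proto="tcp"):
    """Names a parsed table assigns to port/proto ([] if unlisted)."""
    return table.get((port, proto), [])


def compare(local, registry):
    """List (port, proto, local_names, registry_names) for every local entry
    whose primary name differs from the registry's, or which the registry
    does not list at all (registry_names is then [])."""
    findings = []
    for key in sorted(local):
        lnames = local[key]
        rnames = registry.get(key, [])
        if not rnames or lnames[0] != rnames[0]:
            findings.append((key[0], key[1], lnames, rnames))
    return findings


if __name__ == "__main__":
    local = parse_services(LOCAL_SERVICES)
    registry = parse_services(IANA_STYLE)
    for port, proto, lnames, rnames in compare(local, registry):
        status = "registry: " + "/".join(rnames) if rnames else "not in registry"
        print(f"{port}/{proto}: local {'/'.join(lnames)}; {status}")
```

Run against a real host by replacing LOCAL_SERVICES with the contents of /etc/services and IANA_STYLE with a freshly fetched copy of the registry, since the assignment for 465 has moved more than once: after the 1998 revocation and the "urd" assignment discussed above, RFC 8314 (2018) registered 465/tcp as "submissions" for implicit-TLS message submission, so a cached listing will give stale answers.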