Andrew Ayer

Andrew Ayer on 2014-11-19 at 16:55:

So does this mean that unless I use port 25 with STARTTLS there is never going to be opportunistic encryption between SMTP servers if I continue using 465 ? I mean, even tought my mail will be encrypted between my client and server, the continuing server-to-server delivery is not going to be encrypted if not using port 25?

Generally mail servers don't accept mail from other MTAs over port 465, just mail from authenticated MUAs, so if you try to use it for server-to-server delivery your mail might be encrypted but it won't go anywhere. I doubt this will change, especially since port 465 is unofficial and has actually been reassigned by IANA.

That makes port 25 the only viable option for server-to-server delivery. Some mail servers don't support STARTTLS on port 25 at all, in which case your mail to them will be unencrypted. Others servers support STARTTLS, but if your ISP or another active attacker MitMs the connection, your mail to that server will be compromised. This is regardless of what port your MUA uses to submit mail.

The status quo is that there is approximately zero authenticated encryption of server-to-server email delivery because of backwards compatibility with mail servers that don't support any encryption, as well as a lack of a standard for how certificates names for SMTP servers should work. Possible solutions are DNSSEC+DANE (which Postfix already supports) and/or the EFF's STARTTLS Everywhere project: https://github.com/EFForg/starttls-everywhere

Reply