[MlMt] 143 or 993 . . . and security
Bill Cole
mmlist-20120120 at billmail.scconsult.com
Thu Jan 23 11:21:13 EST 2020
WARNING: CIVIL DISAGREEMENT AHEAD!
TL;DR version: Read RFC8314 at https://tools.ietf.org/html/rfc8314
On 23 Jan 2020, at 5:18, Benny Kjær Nielsen wrote:
> On 23 Jan 2020, at 10:35, Marc ARC wrote:
>
>> At first we thought we’ll use port 993 since this is secure. But
>> then we realised that port 143 can also be secure with StartTLS.
>> Or is 993 better since it secures before communicating and is it
>> future proof ?
>
> Port 993 mainly exists for historical reasons.
I understand that point of view, and might have totally agreed a decade
ago, but I think it has been overtaken by events, experience, and
RFC8314.
Port 993 (and 995 for POP3: everything I say in this message about
143/993 for IMAP4 also applies to 110/995 for POP3 if you support it.)
were nearly the last cases of SSL/TLS 'wrapper' ports established in
IETF standards, and they generated concern about the proliferation of
such port reservations exhausting the supply of ports traditionally
reserved for binding by "root" processes and deemed more trustworthy. In
the same "SSL 3" draft specification which proposed those ports, port
465 for SMTP was proposed but by the time that became the TLS 1.0
specification, 465 was dropped as unjustifiable. HOWEVER, 465 as
TLS-wrapped mail submission (NOT transport) has more recently been
revived as a best practice: see below.
The reason that 993 remained is that unlike SMTP transport, which
largely occurs between servers with no relationship more enduring than a
single message handoff and without live human interaction, IMAP has a
clear fixed client/server model with a presumption that the client
software is being tended by a human customer of the server operator.
Both sides of IMAP maintain confidential persistent state about their
partner by necessity, so it is reasonable for a client to require an
explicit port and session encryption configuration for each of the small
number of servers it needs to communicate with.
> Personally, I would keep both ports open and make sure that the use of
> STARTTLS is required for port 143. If you close one of these ports
> then it'll likely affect users at some point when configuring an email
> client which either defaults to 143 or 993 (or it might even not
> support both).
This is reasonable advice for server operators who have a diverse set of
legacy customers who use whatever client software they personally
prefer. For more controlled environments (e.g. workplace mail systems)
it is reasonable to abandon port 143 and STARTTLS and only support 993,
because there are marginal security risks with making initial
connections unencrypted and using STARTTLS. Whether to close port 143
when you've been supporting it for existing users is a question that can
only be answered by understanding your users and your support capacity.
FWIW, there are no IMAP clients that support STARTTLS over port 143 but
don't support TLS wrapper mode on port 993. However, If you have allowed
a broad range of encryption & authentication options in the past,
existing client configs may need radical change to work with a 993-only
server.
>> And with SMTP we are confronted with a choice 25 or 465 or 587 ? We
>> prefer 587 since it requires AUTH . . . but what about the security
>
> Port 587 is the standard for email submission (email client sending an
> email) and is equivalent to 143 for IMAP (it uses STARTTLS). Port 465
> is a mess (Microsoft), but some email clients might still expect it to
> work (Microsoft).
The best practices for initial mail submission have changed. Port 465
has been a mess but the way in which it remained a mess for 2 decades
made RFC8314 a reasonable solution for making submission more
> Port 465 is kind of equivalent to port 993, but in practice I've seen
> servers using port 465 with STARTTLS making it behave like port 587.
Yeah... That's bad and wrong to the point where nothing should
accommodate a server doing it. Clients detecting that behavior should
fail and alert with a message mocking the dubious competence and lineage
of the server admins involved. (Your mother was a hamster, and your
father smelt of elderberries!)
> You'll also need port 25 because this is the standard port used when
> SMTP servers talk to eachother.
Correct.
Port 25 is for SMTP *transport* not *submission*. Any mail server
handling outbound transport might need to connect to any other mail
server handling inbound transport anywhere on the Internet. SMTP has to
start in cleartext because it always has and because it is hard to make
sure that random SMTP servers on the Internet can always negotiate
encryption that works. Similarly, while it is wise to prefer strong
encryption protocols and ciphers for SMTP/STARTTLS, it is actually
counter-productive to disallow all weaker encryption modes because SMTP
servers will ultimately fall back to clear text transport if they can't
make any encryption work. In simple terms: any encryption that can't be
easily decrypted in real time by anyone who can capture it is safer than
cleartext.
A common historical error has been to offer SMTP AUTH on port 25 to
support submission. In the modern world this should never be needed and
supporting submission and transport on the same channel make securing
each function more error-prone.
> In a perfect world, only ports 25, 143 and 587 would exist.
I dissent!
In a perfect world, we'd have 25 (SMTP with lenient STARTTLS and no
AUTH,) 465 (SMTP-like submission wrapped in TLS with mandatory AUTH,)
and 993 (IMAP4 wrapped in TLS with mandatory AUTH.)
In the real world, the only things preventing that are widespread legacy
configurations of capable clients and servers, a tiny population of
legacy clients that can't do any encryption and/or any authentication,
and a surprisingly large population of horrible firewalls (primarily
Cisco PIX & ASA) which sit in front of clients or servers and break
every extension to email since ~1990.
>> We have been googling but can’t seem to find the mail between the
>> ports
I'm unclear on the meaning of this sentence...
> You'll probably get other opinions, but the important part is to
> ensure that it's not possible to communicate on any port without
> encryption enabled (with or without STARTTLS).
As stated, that is infeasible. See above my discussion of SMTP on port
25. Obsolete mail servers and stupid firewalls will always be with us.
Fully disabling cleartext as the last resort on port 25 will cause the
loss of email until everyone gets working mail systems deployed in this
century...
Demanding TLS (i.e. ports 465 and 993) is ideal. Requiring it via
STARTTLS (ports 143 and 587) if you can't force the use of wrapped ports
is essential.
> Security-wise, it is more important that you look into which TLS
> protocols you allow on the server, but I'm not qualified to make any
> recommendations on that:
> https://en.wikipedia.org/wiki/Transport_Layer_Security
That's ONLY important for submission and IMAP4. For SMTP, it is safe and
reasonable to disallow SSLv2 and SSLv3 but there are still sending
machines out there which can't do anything better than TLSv1.0, which is
still better than cleartext. Worse yet, many of those will attempt
STARTTLS on servers that support it, but if they can't negotiate TLSv1.0
they simply fail and never even try cleartext.
--
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
More information about the mailmate
mailing list