#211282 - 2016-04-08 01:13 PM To be or not be! SSL/TLS versus Starttls
Robdutoit Offline
Registered: 2012-03-27
Posts: 363
Loc: London, England
I have recently set up mail servers for my clients using MDaemon Mail Server, if anyone is interested. I think the product is very good.

However, after much research on the Internet, I actually feel that the advice to use port 587 for sending emails is not good advice.

Port 587 defaults to using STARTTLS, which starts off with an insecure transmission and upgrades to a secure transmission.

Whereas with port 465 (which we are apparently not supposed to use, as it was never standardised), this secures the transmission right from the start.

I think the confusion comes from the fact that port 587 requires authentication, but port 465 does not require authentication. In addition to that, port 587 means one port can support devices that support encryption as well as devices that do not support encryption, whereas you need a separate port (465) for encryption as opposed to using standard port 25, I think.

However, if you configure SMTP to require authentication, and I presume that port 465 uses the latest encryption protocol supported by the server and client (whether that is SSL or TLS), I still think that this is more secure than using port 587.

This article outlines the case for port 587:
http://blog.mailgun.com/25-465-587-what-port-should-i-use/
but the comments and links by Dominic, especially his first link, outline the benefits of using port 465 over 587!

What do you guys think? Or do you think the difference in security is negligible? Given that so many people still use port 465, I think that the industry agrees with my opinion.

#211284 - 2016-04-08 02:56 PM Re: To be or not be! SSL/TLS versus Starttls [Re: Robdutoit]
Lonkero Administrator Offline
Registered: 2001-06-05
Posts: 22346
Loc: OK
It's your server. You choose the port. Port can be 6743.

What you need to decide is what protection method you force your clients to use.

My opinion is, go with SSL + auth required.
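As an added example (mine, not code from the thread or from MDaemon), here is what forcing the protection method on the client side looks like for both ports in the discussion: Python's smtplib is used to hand back a session only once the socket is under TLS, whether the server listens on 465 (implicit TLS) or 587 (STARTTLS). The port constants, function names and the example.net host in the usage comment are my assumptions.

```python
"""Enforce a TLS channel before SMTP AUTH on both 465 (implicit TLS) and 587 (STARTTLS)."""
import smtplib
import ssl

IMPLICIT_TLS_PORT = 465   # TLS handshake first, SMTP banner afterwards
SUBMISSION_PORT = 587     # plaintext EHLO, then STARTTLS upgrade


def offers_starttls(ehlo_resp: bytes) -> bool:
    """True if an EHLO reply body advertises the STARTTLS extension.

    smtplib keeps the reply body in SMTP.ehlo_resp: the first line is the
    server greeting, each later line is one extension keyword plus optional
    parameters.  The greeting is skipped so a host name containing the word
    cannot be mistaken for the extension; keywords are case-insensitive.
    """
    for line in ehlo_resp.split(b"\n")[1:]:
        words = line.split()
        if words and words[0].upper() == b"STARTTLS":
            return True
    return False


def open_submission_session(host: str, port: int, timeout: float = 10.0) -> smtplib.SMTP:
    """Return an smtplib session whose socket is under TLS, or raise before
    any credential could be sent.  The default context verifies the server
    certificate and host name, so a middlebox re-terminating TLS with its own
    certificate is only accepted when the client trusts that CA.
    """
    context = ssl.create_default_context()
    if port == IMPLICIT_TLS_PORT:
        session = smtplib.SMTP_SSL(host, port, timeout=timeout, context=context)
        session.ehlo()
        return session
    # STARTTLS path: banner and EHLO travel in the clear.  If the upgrade is
    # not advertised (server misconfigured, or the keyword lost on the path)
    # we stop here instead of falling back to plaintext AUTH.
    session = smtplib.SMTP(host, port, timeout=timeout)
    session.ehlo()
    if not offers_starttls(session.ehlo_resp):
        session.quit()
        raise smtplib.SMTPNotSupportedError("STARTTLS not offered; refusing plaintext AUTH")
    session.starttls(context=context)   # raises unless the server replies 220
    session.ehlo()   # extensions must be re-learned on the encrypted channel
    return session

# Usage (not run at import): s = open_submission_session("mail.example.net", SUBMISSION_PORT)
# then s.login(user, password), s.sendmail(...), and s.quit() when done.
```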
#211289 - 2016-04-10 01:19 PM Re: To be or not be! SSL/TLS versus Starttls [Re: Lonkero]
Robdutoit Offline
Brilliant. I will just keep it as port 465 then!
#211294 - 2016-04-11 12:00 PM Re: To be or not be! SSL/TLS versus Starttls [Re: Robdutoit]
Arend_ Moderator Offline
Registered: 2005-01-17
Posts: 1896
Loc: Hilversum, The Netherlands
Give this a read: http://blog.mailgun.com/25-465-587-what-port-should-i-use/
#211296 - 2016-04-11 01:48 PM Re: To be or not be! SSL/TLS versus Starttls [Re: Arend_]
Robdutoit Offline
You probably read my post too quickly, Arend - that is the article that I pointed to in my post, lol. I have read that, but I actually agree with the comments by that guy on that page.
#211297 - 2016-04-11 03:10 PM Re: To be or not be! SSL/TLS versus Starttls [Re: Robdutoit]
Arend_ Moderator Offline
Originally Posted By: Robdutoit
You probably read my post too quickly, Arend - that is the article that I pointed to in my post, lol. I have read that, but I actually agree with the comments by that guy on that page.


LOL, sorry about that, yes I did read too quickly :-)
But seeing as IANA revoked 465 I would personally go with port 587.

"465 TCP URL Rendezvous Directory for SSM (Cisco protocol) Official"
"465 TCP Simple Mail Transfer Protocol over TLS/SSL (SMTPS) Unofficial"

See: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

#211300 - 2016-04-12 02:11 PM Re: To be or not be! SSL/TLS versus Starttls [Re: Arend_]
Lonkero Administrator Offline
Yea. If you want to be compliant...
Using standard ports also means you are advertising your server to crawlers.
#211301 - 2016-04-12 04:46 PM Re: To be or not be! SSL/TLS versus Starttls [Re: Lonkero]
Arend_ Moderator Offline
Originally Posted By: Lonkero
Yea. If you want to be compliant...
Using standard ports also means you are advertising your server to crawlers.

Depends; of course one would have a firewall inspecting the type of traffic on that port.

#211302 - 2016-04-12 06:15 PM Re: To be or not be! SSL/TLS versus Starttls [Re: Arend_]
Lonkero Administrator Offline
A) If your port is using SSL, without SSL middleman inspection the firewall will do you no good whatsoever.
B) The port is still open. You are still telling crawlers you have an email server there. The value of this information comes into play when there is a new vulnerability in the server software or the firewall.

Just to clarify, this discussion is somewhat theoretical, but I figured still worth having...
#211303 - 2016-04-12 08:39 PM Re: To be or not be! SSL/TLS versus Starttls [Re: Lonkero]
Arend_ Moderator Offline
It is some middleman inspection, yes.
Just because some SSL certificate is used doesn't mean the traffic can't be inspected.
FortiGate firewalls, among others, have that type of inspection, where the SSL certificate is attached to the firewall, which poses as the handshake authority; so the SSL connection is set up with the firewall, the firewall then inspects the traffic and passes the OK'd traffic through to the mail server.
This is man-in-the-middle, but in this sense there's nothing wrong with it in my opinion. I used the Barracuda Spam Filter in the same way.

#211304 - 2016-04-13 12:13 AM Re: To be or not be! SSL/TLS versus Starttls [Re: Arend_]
Lonkero Administrator Offline
Yea. I love me some WatchGuard. But not everyone has a next-gen firewall. There are big places that still rely on the Cisco NAT box called the ASA.
#211307 - 2016-04-13 03:04 PM Re: To be or not be! SSL/TLS versus Starttls [Re: Arend_]
Glenn Barnas Administrator Offline
Registered: 2003-01-28
Posts: 4401
Loc: New Jersey
Arend,

That's a similar method to what the TMG box I use here at home employs. I terminate the SSL certs on the TMG, which is public-facing. TMG inspects the traffic before passing it to the internal hosts. The web and external SMTP gateway are in a perimeter network. I have an internal CA infrastructure for encrypting the traffic between TMG and the web, mail gateway, and RD Gateway hosts using private certs. This allows a fairly robust level of security on the network. There's a second (back) firewall between the TMG and the internal networks.

Glenn
#211308 - 2016-04-13 03:10 PM Re: To be or not be! SSL/TLS versus Starttls [Re: Glenn Barnas]
Arend_ Moderator Offline
Glenn, that's exactly what I tried to describe, apart from you certifying everything internally as well (which is good).
To be honest, I think that's how every company should set it up...
