[Users] Unable to send messages

Slavko linux at slavino.sk
Sun Mar 13 17:47:35 CET 2022


Hi,

On Sun, 13 Mar 2022 16:24:06 +0100 Michael Rasmussen via Users
<users at lists.claws-mail.org> wrote:

> If we are talking compliance, the proper solution should be STARTTLS
> and port 587. SSL/TLS and port 465 are deprecated as well.

Did you read the previously linked RFC 8314?

Port 465, while deprecated for SMTP about two decades ago, is
registered by IANA for "Submission over TLS" now. STARTTLS is suggested
only as fallback for old clients, which are not able to use SubmissionS,
by that RFC.

Even Debian oldstable knows it:

grep submission /etc/services
submissions	465/tcp		ssmtp smtps urd # Submission over TLS [RFC8314]
submission	587/tcp			# Submission [RFC4409]

You cannot mix SMTP and Submission (RFC 6409) together. Yes, they both
use the same SMTP protocol for the underlying command exchange, but there
are different requirements/rules/roles defined for each.

Clients (MUAs) have to use the Submission(S) ports, not the SMTP port, which
is reserved for MTA <-> MTA communication only nowadays...

-------------------

By my understanding of RFC 8314, the MUA has to use ports in this order:

1. "Use TLS" (465/tcp with unconditional TLS)
2. "Use STARTTLS" (587/tcp with unconditional STARTTLS)

Only then should there be other possibilities, for special cases, e.g.
when one uses an MTA on localhost, where (START)TLS can be useless.

3. "Don't use SSL/TLS (but, if necessary, use STARTTLS)"

(it is not clear to me how CM decides when it is necessary to use it)

Anyway, I would suggest changing the logic for "Don't use TLS" from
that form to:

3. "Try STARTTLS (use plain if TLS is not supported by server)" (25/tcp)

(supported = advertised in the EHLO response; or perhaps, when STARTTLS
fails, e.g. due to no common TLS version or cipher suite, try again plain)

Which suggests one new option (unconditionally plain; if someone
knows what they are doing, it will be a little more effective not to try
STARTTLS if it always fails):

4. "Don't use TLS" (25/tcp)

Similar logic should apply to the IMAP/POP settings.

And when one is creating a new account, "Use TLS" has to be selected
by default. It doesn't matter what the server's settings are. If someone does
not set this manually (properly), in the worst case the connection will
fail, but no credentials will be sent over the network in plain form...

The current defaults can lead to sending unencrypted credentials over the
network, and this is not optimal from the user's perspective.

regards

-- 
Slavko
https://www.slavino.sk
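As an added illustration of the mode/port ordering argued for in the message above, here is a small, self-contained policy model written for this page (not Claws Mail code and not the poster's). The names Mode, plan_connection, parse_ehlo, may_send_credentials and open_session are this example's own, and the two EHLO replies are constructed, not captured from any server. It shows where each of the four proposed settings lands (465 implicit TLS, 587 mandatory STARTTLS, 25 opportunistic STARTTLS, 25 plain) and that credentials can only go out in plaintext when the user explicitly picked one of the last two modes.

```python
"""Hypothetical MUA-side submission policy (added example, not Claws Mail code).

Implements the ordering proposed in the message above:
  1. "Use TLS"        -> 465/tcp, implicit TLS before any SMTP command
  2. "Use STARTTLS"   -> 587/tcp, STARTTLS is mandatory, abort otherwise
  3. "Try STARTTLS"   -> 25/tcp, STARTTLS if advertised in EHLO, else plain
  4. "Don't use TLS"  -> 25/tcp, plain, only when chosen explicitly
All identifiers here are this example's own assumptions.
"""
from enum import Enum
import smtplib
import ssl


class Mode(Enum):
    TLS = "Use TLS"
    STARTTLS = "Use STARTTLS"
    TRY_STARTTLS = "Try STARTTLS (use plain if TLS is not supported by server)"
    PLAIN = "Don't use TLS"


# "Use TLS" is the proposed default for newly created accounts.
DEFAULT_MODE = Mode.TLS
DEFAULT_PORT = {Mode.TLS: 465, Mode.STARTTLS: 587, Mode.TRY_STARTTLS: 25, Mode.PLAIN: 25}


def parse_ehlo(reply: str) -> set[str]:
    """Return the upper-cased extension keywords from a multi-line EHLO reply.

    The first 250 line carries the server's domain, not a keyword (RFC 5321,
    section 4.1.1.1), so it is skipped.
    """
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    keywords: set[str] = set()
    for ln in lines[1:]:
        if len(ln) < 4 or not ln[:3].isdigit():
            continue  # not a "250-" / "250 " reply line
        body = ln[4:].strip()
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def plan_connection(mode: Mode, ehlo_keywords: set[str]) -> tuple[int, str]:
    """Map an account setting plus the server's EHLO keywords to (port, transport).

    transport is one of "implicit-tls", "starttls", "plain" or "abort".
    Only "Try STARTTLS" and "Don't use TLS" can ever result in "plain".
    """
    port = DEFAULT_PORT[mode]
    if mode is Mode.TLS:
        return port, "implicit-tls"  # EHLO keywords are irrelevant: TLS comes first
    if mode is Mode.STARTTLS:
        return port, ("starttls" if "STARTTLS" in ehlo_keywords else "abort")
    if mode is Mode.TRY_STARTTLS:
        return port, ("starttls" if "STARTTLS" in ehlo_keywords else "plain")
    return port, "plain"


def may_send_credentials(mode: Mode, transport: str) -> bool:
    """Credentials leave the client only on an encrypted channel, or when the
    user explicitly accepted plaintext (modes 3 and 4)."""
    if transport in ("implicit-tls", "starttls"):
        return True
    return transport == "plain" and mode in (Mode.TRY_STARTTLS, Mode.PLAIN)


def open_session(host: str, mode: Mode, timeout: float = 30.0) -> smtplib.SMTP:
    """Open a real session following plan_connection (needs network; not run by the test)."""
    ctx = ssl.create_default_context()
    port = DEFAULT_PORT[mode]
    if mode is Mode.TLS:
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    conn = smtplib.SMTP(host, port, timeout=timeout)
    conn.ehlo()
    _, transport = plan_connection(mode, {k.upper() for k in conn.esmtp_features})
    if transport == "abort":
        conn.close()
        raise RuntimeError("server did not advertise STARTTLS; refusing plaintext login")
    if transport == "starttls":
        conn.starttls(context=ctx)
        conn.ehlo()  # capabilities may differ after STARTTLS
    return conn


# Constructed EHLO replies for demonstration (not captured from any real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)

if __name__ == "__main__":
    for mode in Mode:
        for label, reply in (("STARTTLS advertised", EHLO_WITH_STARTTLS),
                             ("no STARTTLS", EHLO_WITHOUT_STARTTLS)):
            port, transport = plan_connection(mode, parse_ehlo(reply))
            print(f"{mode.name:<13} {label:<20} -> {port}/tcp {transport:<13}"
                  f" login allowed={may_send_credentials(mode, transport)}")
```

Running the block prints the decision table for all four modes against both constructed servers; note that "Use STARTTLS" against a server that does not advertise it yields "abort" rather than a plaintext login, which is the property the message argues the default should guarantee.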