07-08-2012, 06:55 AM
Slavko

Filezilla a security risk

Hi,

On Sun, 8 Jul 2012 00:04:33 -0400 Celejar <celejar@gmail.com> wrote:

> > I use POP3, smtp *and* SSL. They are not mutually exclusive!!
>
> Of course not - SSL just encapsulates the POP3 and SMTP protocols.

On this point I have one question. What about standards in SMTP &
SSL? By my search, the standard is SMTP + STARTTLS and not SSL + SMTP.

Can someone explain this to me, please?

regards

--
Slavko
http://slavino.sk
 
07-08-2012, 11:59 AM
Camaleón

Filezilla a security risk

On Sun, 08 Jul 2012 08:55:15 +0200, Slavko wrote:

> On Sun, 8 Jul 2012 00:04:33 -0400 Celejar <celejar@gmail.com> wrote:
>
>> > I use POP3, smtp *and* SSL. They are not mutually exclusive!!
>>
>> Of course not - SSL just encapsulates the POP3 and SMTP protocols.
>
> On this point I have one question. What about standards in SMTP & SSL?
> By my search, the standard is SMTP + STARTTLS and not SSL + SMTP.
>
> Can someone explain this to me, please?

There are different implementations, all of them standardized:

While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of
specific computer ports, imap, pop3 and smtp using "STARTTLS" keep the
same ports as their non-encrypted counterparts (143/110/25) to transmit
clear text credentials protected.

When/why using one or another?

Well, when opening ports is not possible (consider a restricted
environment) or as Wikipedia¹ explains, independency and transparency
seen as a plus when using this extension.

¹http://en.wikipedia.org/wiki/STARTTLS

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/jtbsnm$s8h$7@dough.gmane.org
 
07-08-2012, 02:36 PM
Slavko

Filezilla a security risk

Hi,

On Sun, 8 Jul 2012 11:59:50 +0000 (UTC) Camaleón <noelamac@gmail.com> wrote:

> > By my search, the standard is SMTP + STARTTLS and not SSL + SMTP.

> There are different implementations, all of them standardized:
>
> While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of
> specific computer ports, imap, pop3 and smtp using "STARTTLS" keep the
> same ports as their non-encrypted counterparts (143/110/25) to
> transmit clear text credentials protected.

If smtps is standardized, then why do I see this:

grep 587 /etc/services
submission 587/tcp # Submission [RFC4409]
submission 587/udp

but:

grep smtps /etc/services
ssmtp 465/tcp smtps # SMTP over SSL

Can you please tell me the RFC about SMTPS?

> Well, when opening ports is not possible (consider a restricted
> environment) or as Wikipedia¹ explains, independency and transparency
> seen as a plus when using this extension.

I know about the differences between both implementations.

regards

--
Slavko
http://slavino.sk
 
07-08-2012, 03:14 PM
Camaleón

Filezilla a security risk

On Sun, 08 Jul 2012 16:41:43 +0200, Markus Schönhaber wrote:

> 08.07.2012 13:59, Camaleón:
>
>> While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of
>
> smtps was defined as 465/tcp. 587/tcp is message submission which does
> not provide encryption on the transport layer.

They are used for the same purpose (secure smtp) but the former is now
deprecated. What I did not know is that the new standard can be used
with or without security (starttls) in the same port.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jtc84a$s8h$10@dough.gmane.org
 
07-08-2012, 03:21 PM
Erwan David

Filezilla a security risk

On 08/07/12 17:14, Camaleón wrote:
> On Sun, 08 Jul 2012 16:41:43 +0200, Markus Schönhaber wrote:
>
>> 08.07.2012 13:59, Camaleón:
>>
>>> While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of
>> smtps was defined as 465/tcp. 587/tcp is message submission which does
>> not provide encryption on the transport layer.
> They are used for the same purpose (secure smtp) but the former is now
> deprecated. What I did not know is that the new standard can be used
> with or without security (starttls) in the same port.
>
> Greetings,
>
The ISP Free in France uses smtp-submission, without SSL but with only
CRAM-MD5 and DIGEST-MD5 authentication methods, or smtps with PLAIN/LOGIN.

It is another solution (they explained that their architecture was not
well adapted to starttls, since the smtp sessions and the SSL crypto are
not done by the same servers).


Archive: http://lists.debian.org/4FF9A597.1010400@rail.eu.org
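
The cases debated in the posts above (STARTTLS being optional on the submission port, and a provider offering only CRAM-MD5/DIGEST-MD5 without TLS), shown from the client side as an added example that is not part of the original thread. It reads the EHLO reply and decides whether authenticating is acceptable; the fake server, the host names and the three result labels are constructed for illustration.

```python
import smtplib
import socketserver
import threading

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # password crosses the wire as-is


class FakeSubmission(socketserver.StreamRequestHandler):
    """Constructed stand-in for a port-587 server: EHLO and QUIT only."""
    extensions = []

    def handle(self):
        self.wfile.write(b"220 test.invalid ESMTP\r\n")
        for raw in self.rfile:
            verb = raw.strip().upper().split(b" ")[0]
            if verb == b"EHLO":
                lines = ["test.invalid"] + self.extensions
                reply = [f"250-{x}" for x in lines[:-1]] + [f"250 {lines[-1]}"]
                self.wfile.write(("\r\n".join(reply) + "\r\n").encode())
            elif verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"502 not implemented\r\n")


def serve(extensions):
    """Start the fake server on a free localhost port."""
    handler = type("Handler", (FakeSubmission,), {"extensions": extensions})
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def classify_submission(host, port):
    """Decide what a mail client may do on this port before any TLS upgrade."""
    with smtplib.SMTP(host, port, timeout=5) as smtp:
        smtp.ehlo("client.invalid")
        mechs = {m.upper() for m in smtp.esmtp_features.get("auth", "").split()}
        if smtp.has_extn("starttls"):
            # A real client now calls smtp.starttls(), repeats EHLO, then AUTH.
            return "starttls-then-auth"
        if mechs and not mechs & CLEARTEXT_MECHS:
            return "no-tls-challenge-response-only"  # password hidden, mail is not
        return "refuse"  # no upgrade offered; PLAIN/LOGIN would leak the password


if __name__ == "__main__":
    srv = serve(["AUTH CRAM-MD5 DIGEST-MD5"])
    print(classify_submission("127.0.0.1", srv.server_address[1]))
    srv.shutdown()
```

Because the STARTTLS line sits in an unencrypted EHLO reply, a client that silently falls back when the line is missing can be downgraded by anyone on the path; treating its absence as "refuse" is the point of the check.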
 
07-08-2012, 04:26 PM
Henrique de Moraes Holschuh

Filezilla a security risk

On Sun, 08 Jul 2012, Markus Schönhaber wrote:
> 08.07.2012 13:59, Camaleón:
> > While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of
>
> smtps was defined as 465/tcp. 587/tcp is message submission which does
> not provide encryption on the transport layer.

Yeah, and 465/tcp use for SMTP over SSL was dropped in ~1998[1], and
IANA eventually assigned 465/tcp and 465/udp to other services. 465/tcp
is assigned to URD SSM, and 465/udp to igmpv3lite over UDP.

As usual in things like this, it was a bad move in hindsight: giving up
on port 465 became a drawback about five years later, when the world
started moving past the SSL crap and single-domain-constrained X.509
that existed in 1998 [2], to (still broken) TLSv1.0 and RFC3546, and
later to TLS v1.1+ and RFC 4366.

The same reasoning works for imap and imaps. Fortunately, nobody gave
up on the 993/tcp imaps port, so it remains assigned to imaps by IANA.
pop3s never had any starttls alternative, and 995/tcp remains assigned
to pop3s.

Now, if ops people were more active on the relevant IETF workgroups, we
might have a TLS port for the submission service, which would help
deployments of hardware TLS endpoints (which is probably the only good
reason to still support port 465 for smtps, actually).

[1] http://www.imc.org/ietf-apps-tls/mail-archive/msg00204.html
[2] http://www.carbonwind.net/blog/post/A-quickie-for-a-Friday-e28093-a-SSLTLS-timeline.aspx

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


Archive: http://lists.debian.org/20120708162646.GB15477@khazad-dum.debian.net
 
07-08-2012, 04:33 PM
Erwan David

Filezilla a security risk

On Sun 8/07/2012, Henrique de Moraes Holschuh wrote:
>
> The same reasoning works for imap and imaps. Fortunately, nobody gave
> up on the 993/tcp imaps port, so it remains assigned to imaps by IANA.
> pop3s never had any starttls alternative, and 995/tcp remains assigned
> to pop3s.

STLS extension for pop3 is defined by RFC 2595. (I do not know why pop3 commands always have 4 characters...)

--
Erwan


Archive: http://lists.debian.org/20120708163336.GA5837@rail.eu.org
 
07-08-2012, 05:10 PM
Camaleón

Filezilla a security risk

On Sun, 08 Jul 2012 18:51:59 +0200, Markus Schönhaber wrote:

> 08.07.2012 17:14, Camaleón:
>
>> On Sun, 08 Jul 2012 16:41:43 +0200, Markus Schönhaber wrote:
>>
>>> 08.07.2012 13:59, Camaleón:
>>>
>>>> While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use
>>>> of
>>>
>>> smtps was defined as 465/tcp. 587/tcp is message submission which does
>>> not provide encryption on the transport layer.
>>
>> They are used for the same purpose (secure smtp) but the former is now
>> deprecated.
>
> For some definition of "purpose", maybe [1] Stating that 587/tcp was
> smtps is simply wrong, because it implies encryption on the network
> layer.

When you replace a standard with another it would be fair to say that
both share the same essence and they are aimed to solve the same problem.

Moreover, the fact it can also use encryption is what makes it
interesting because for non-encrypted communication there's already smtp
(tcp/25) so the new standard (RFC 6409) can be seen as the successor of
the old smtps.

>> What I did not know is that the new standard can be used with or
>> without security (starttls) in the same port.
>
> Which makes "the new standard" something very different.

To my eyes, not that different in the end.

> [1] For example: MUAs should connect to this port to send outgoing mail.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jtcetj$s8h$17@dough.gmane.org
 
07-09-2012, 01:21 PM
Camaleón

Filezilla a security risk

On Sun, 08 Jul 2012 19:48:44 +0200, Markus Schönhaber wrote:

> 08.07.2012 19:10, Camaleón:
>
>> On Sun, 08 Jul 2012 18:51:59 +0200, Markus Schönhaber wrote:

(...)

>>> For some definition of "purpose", maybe [1] Stating that 587/tcp was
>>> smtps is simply wrong, because it implies encryption on the network
>>> layer.
>>
>> When you replace a standard with another it would be fair to say that
>> both share the same essence and they are aimed to solve the same
>> problem.
>
> That doesn't change the fact that one is encrypted on the network layer
> while the other is not.

Which one, exactly?

> Especially - in contrast to what your statement implied - 587/tcp is not
> encrypted on the network layer.

Yes, it is. Or better put, it can be.

>>> Which makes "the new standard" something very different.
>>
>> To my eyes, not that different in the end.
>
> Yeah.
> Your statement that 587/tcp was smtps is simply wrong. I just corrected
> your wrong statement - nothing more. Why you feel the need to go to a
> great length to convince someone (whoever that might be) that your wrong
> statement was somehow right is completely beyond me.

If you are happy in thinking so I'm not going to try to change your mind.
Sigh.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jtelt4$sc9$6@dough.gmane.org
 
