Mailing List Archive: exim: users

TLS on connect as an SMTP Client



bill at themilfords

Feb 2, 2007, 8:37 PM

Post #1 of 12 (1762 views)
TLS on connect as an SMTP Client

Hello All,
I deliver my mail using a smarthost router to my ISP - AT&T Yahoo DSL. They just sent a memo out that
effective March 1, 2007 they are requiring us to use TLS-ON-CONNECT on port 465 to send mail. I have read
the sections in the manual about TLS and exim as a client and didn't see anything that will allow me to
set tls-on-connect as a client. I know I can use port = 465 in the transport to force the traffic to
SSMTP port. Does this tls-on-connect option exist for SMTP clients?

Bill



--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/


mh+exim-users at zugschlus

Feb 3, 2007, 7:25 AM

Post #2 of 12 (1739 views)
Re: TLS on connect as an SMTP Client [In reply to]

On Fri, 2 Feb 2007 22:37:41 -0600, "Bill Milford"
<bill [at] themilfords> wrote:
>I deliver my mail using a smarthost router to my ISP - AT&T Yahoo DSL. They just sent a memo out that
>effective March 1, 2007 they are requiring us to use TLS-ON-CONNECT on port 465 to send mail. I have read
>the sections in the manual about TLS and exim as a client and didn't see anything that will allow me to
>set tls-on-connect as a client. I know I can use port = 465 in the transport to force the traffic to
>SSMTP port. Does this tls-on-connect option exist for SMTP clients?

AFAIK, exim cannot do tls-on-connect as a client. tls-on-connect is an
obsolete protocol that was never standardized beyond being the only
thing supported by some Microsoft clients.

Considering that you're talking about the symbiosis of Yahoo and AT&T,
I suspect that you would be better off by talking to a sign post on
the street into offering STARTTLS on Port 587.

Maybe the recipe given at
http://www.technovelty.org/linux/tips/exim4ssmtp.html can help here.
Please notice that the recipe uses the expression "ssmtp", which is
also a reference to a different, non-exim MTA, not to be confused.

Please report back if it works, I'd like to document this in the
Debian exim docs. If Yahoo requires this obsolete mechanism, we're
going to get a lot of queries about this.

That being said, it would be great if yahoo would also support
STARTTLS on tcp/587.

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834



wbh at conducive

Feb 3, 2007, 8:07 AM

Post #3 of 12 (1729 views)
Re: TLS on connect as an SMTP Client [In reply to]

Bill Milford wrote:
> Hello All,
> I deliver my mail using a smarthost router to my ISP - AT&T Yahoo DSL. They just sent a memo out that
> effective March 1, 2007 they are requiring us to use TLS-ON-CONNECT on port 465 to send mail. I have read
> the sections in the manual about TLS and exim as a client and didn't see anything that will allow me to
> set tls-on-connect as a client. I know I can use port = 465 in the transport to force the traffic to
> SSMTP port. Does this tls-on-connect option exist for SMTP clients?
>
> Bill
>
>
>

Quite aside from the 'how' - left to others - is the 'why'.

Is that information posted on the AT&T/Yahoo website, or otherwise public?

It seems one must already be a customer to get past the adverts to technical
data (if any!).


Port 465 was 'officially' reassigned by the IANA just about a year ago - to a
proprietary Cisco protocol that has nothing to do with smtp.

See:

http://www.iana.org/assignments/port-numbers

and find:

urd 465/tcp URL Rendesvous Directory for SSM
igmpv3lite 465/udp IGMP over UDP for SSM
# Toerless Eckert <eckert [at] cisco>



The port assigned for 'submission' is 587, op cit:

submission 587/tcp Submission
submission 587/udp Submission
# [RFC4409]


per RFC 4409, STARTTLS 'MAY' be offered, and conventionally *usually is* advertised.

Other forms of security/encryption for AUTH, traffic, and/or the link itself are
mentioned, but none are specifically required or prohibited. Port 587 is
considered a 'local' port in the sense that it does not arbitrarily 'reach out
and touch' the internet at large. IOW - an entity configuring oddly affects only
their own 'constituency' - so the rules are more about 'how to do properly' than
'must always do TLS' (or even limit to 'smtp' vs 'cousins').

That could be seen as leaving an opening for AT&T/Yahoo to offer their
user-community SSL/TLS_on_connect via port 587 instead of TLS.

But the year-old re-assignment of 465 to other use does no such thing.

"Legacy" or no, 465 is no longer appropriate for mail at all.

JM2CW - YMMV.

Bill Hacker





richard at highwayman

Feb 3, 2007, 8:50 AM

Post #4 of 12 (1719 views)
Re: TLS on connect as an SMTP Client [In reply to]


In message <45C4B345.3080601 [at] conducive>, W B Hacker
<wbh [at] conducive> writes

>Is that information posted on the AT&T/Yahoo website, or otherwise public?

http://help.sbcglobal.net/article.php?item=287

>It seems one must already be a customer to get past the adverts to technical
>data (if any!).

say that you are using sbcglobal and DSL

>Port 465 was 'officially' reassigned by the IANA just about a year ago - to a
>proprietary Cisco protocol that has nothing to do with smtp.

:(

--
richard Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin




mh+exim-users at zugschlus

Feb 3, 2007, 8:55 AM

Post #5 of 12 (1735 views)
Re: TLS on connect as an SMTP Client [In reply to]

On Sun, 04 Feb 2007 00:07:33 +0800, W B Hacker <wbh [at] conducive>
wrote:
>Port 465 was 'officially' reassigned by the IANA just about a year ago - to a
>proprietary Cisco protocol that has nothing to do with smtp.

But Microsoft mail clients are still officially using it and do not
have any other possibility to do encrypted authentication.

Now, what's more official?

IANA was extremely short-sighted by not keeping 465/tcp free for
Microsoft's abuse.

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834



wbh at conducive

Feb 3, 2007, 9:13 AM

Post #6 of 12 (1730 views)
Re: TLS on connect as an SMTP Client [In reply to]

Marc Haber wrote:
> On Sun, 04 Feb 2007 00:07:33 +0800, W B Hacker <wbh [at] conducive>
> wrote:
>> Port 465 was 'officially' reassigned by the IANA just about a year ago - to a
>> proprietary Cisco protocol that has nothing to do with smtp.
>
> But Microsoft mail clients are still officially using it and do not
> have any other possibility to to encrypted authentication.
>

Actually, I believe they do.

Even new-enough-to-know-better SeaMonkey, no 'clone' of Redmond, will 'default'
to 465 if SSL is selected.

Naturally, it also defaults to 587 if TLS is selected.

But even if Outlook/OE don't have the TLS choice, and/or 'SSL' *is* selected,
the 'newer' releases should also have the ability to manually override the port
number.

Not that this is what is ordinarily wanted...

> Now, what's more official?

LOL! ..not gonna go there...

>
> IANA was extremely short-sighted by not keeping 465/tcp free for
> Microsoft's abuse.
>
> Greetings
> Marc
>

No - this one cannot be laid at Redmond's doorstep. (Maybe THAT should be noted
as a rare exception...)

;-)

*Most* MUA were equipped to be able to use 465 for a dozen and more years before
TLS was finalized. And most still are so enabled. Is there even one new one that
is not so capable?

I also do not recall any MS staff being involved in the *very* long-running
standards re-write, extensive discussion, and even outright conflict over the
port and protocol use. MS 'followers' maybe, but not 'official' support.

MS just, as usual, went along for the ride when they did not have control.

587, BTW - at least as far as final write-up, is basically a Eudora project, and
DOES try to avoid re-opening the 'war'.

Bill




dlugo at etherboy

Feb 3, 2007, 9:28 AM

Post #7 of 12 (1726 views)
Re: TLS on connect as an SMTP Client [In reply to]

On Sat, 3 Feb 2007, Richard Clayton wrote:
>
> http://help.sbcglobal.net/article.php?item=287
>
> >It seems one must already be a customer to get past the adverts to technical
> >data (if any!).
>
> say that you are using sbcglobal and DSL
>

Ugh, dunno why they're not offering something like require TLS on
587.

As a workaround, you can _probably_ use stunnel as a shim between
your local exim instance, and your provider.

Set stunnel to listen on something like 127.0.0.2:25, and point
exim to that as a smarthost w/ auth. Tell stunnel the remote end
of the connection is your provider.

www.stunnel.org

--
--------------------------------------------------------
Dave Lugo dlugo [at] etherboy LC Unit #260 TINLC
Have you hugged your firewall today? No spam, thanks.
--------------------------------------------------------
Are you the police? . . . . No ma'am, we're sysadmins.



eximlists at milfordmail

Feb 3, 2007, 9:23 PM

Post #8 of 12 (1731 views)
Re: TLS on connect as an SMTP Client [In reply to]

> -----Original Message-----
> From: exim-users-bounces [at] exim [mailto:exim-users-bounces [at] exim] On Behalf Of Dave Lugo
> Sent: Saturday, February 03, 2007 11:29 AM
> To: exim-users [at] exim
> Subject: Re: [exim] TLS on connect as an SMTP Client
>
> On Sat, 3 Feb 2007, Richard Clayton wrote:
> >
> > http://help.sbcglobal.net/article.php?item=287
> >
> > >It seems one must already be a customer to get past the adverts to technical
> > >data (if any!).
> >
> > say that you are using sbcglobal and DSL
> >
>
> Ugh, dunno why they're not offering something like require TLS on
> 587.
>
> As a workaround, you can _probably_ use stunnel as a shim between
> your local exim instance, and your provider.
>
> Set stunnel to listen on something like 127.0.0.2:25, and point
> exim to that as a smarthost w/ auth. Tell stunnel the remote end
> of the connection is your provider.
>
> www.stunnel.org
>
>
[Bill Milford]
I have gotten it to work using stunnel as a daemon in client mode. I added an extra ip address to my
loopback interface and pointed my router there. I also added a local_interfaces directive in my exim
configure file to keep exim from listening on port 25 on the 127.0.0.2.

I am shocked that yahoo will not support STARTTLS. They appear to be using qmail so it should be very
easy. I know that the reason they use 465 is because of Microsoft's broken clients. Anyone know if
Outlook in Office 2007 still has this problem?

I was going to post the email I received, but Richard found the link on the support pages. Port 25 will
work until March 1st. After that it is TLS-on-connect on 465 or bust!

Thank you for all of your help.
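
The shim Bill describes, written out as an added example (it is not code from any post in this thread and not stunnel's or Exim's own documentation). It generates an stunnel client-mode configuration that accepts plaintext SMTP on 127.0.0.2:25 and opens TLS-on-connect to the ISP on 465, plus the Exim additions: local_interfaces to keep Exim off the shim address, a manualroute router to the shim, an smtp transport that insists on AUTH, and a plaintext authenticator. Assumed, and not in the original posts: the ISP host smtp.att.yahoo.com (taken from the swaks capture later in the thread), the CA bundle path, the host address 192.0.2.10 and the account user@example.net, all placeholders. Exim from 4.77 onward accepts protocol = smtps on the smtp transport, which is the native answer to Bill's question and makes the shim unnecessary; it is noted in the transport as a comment.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the stunnel client-mode
# shim and the matching Exim smarthost configuration (plaintext SMTP from Exim
# to 127.0.0.2:25, TLS-on-connect from stunnel to the ISP on 465).
# Assumed values, all overridable through the environment: the ISP host from
# the swaks capture in the thread, the shim address, a CA bundle path, and a
# placeholder host address; the account in the authenticator is a placeholder.
set -eu

SHIM_IP="${SHIM_IP:-127.0.0.2}"
SHIM_PORT="${SHIM_PORT:-25}"
SMARTHOST="${SMARTHOST:-smtp.att.yahoo.com}"
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"
HOST_IP="${HOST_IP:-192.0.2.10}"

# stunnel.conf -> $1. "client = yes" makes stunnel the TLS client. Without
# "verify" and "CAfile" stunnel accepts any certificate, so anyone between this
# host and the ISP could terminate the TLS and read the AUTH credentials;
# checkHost additionally pins the expected name (stunnel 5.06 or newer).
# On Linux 127.0.0.2 works without setup; on BSD add it as a loopback alias,
# as Bill did.
write_stunnel_conf() {
    cat > "$1" <<EOF
; plaintext on ${SHIM_IP}:${SHIM_PORT} -> TLS-on-connect to ${SMARTHOST}:465
pid = /var/run/stunnel-smtp.pid

[smtp-tls-on-connect]
client = yes
accept = ${SHIM_IP}:${SHIM_PORT}
connect = ${SMARTHOST}:465
verify = 2
CAfile = ${CA_BUNDLE}
checkHost = ${SMARTHOST}
EOF
}

# Exim additions -> $1. Merge each part into the matching section of the
# existing configure file; local_domains is the list from the default config.
write_exim_conf() {
    cat > "$1" <<EOF
# Keep Exim's own listener off the shim address (Bill's local_interfaces point),
# otherwise Exim and stunnel compete for ${SHIM_IP}:${SHIM_PORT}.
local_interfaces = 127.0.0.1 : ${HOST_IP}

begin routers
send_via_shim:
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp_shim
  route_list = * ${SHIM_IP}
  no_more

begin transports
remote_smtp_shim:
  driver = smtp
  port = ${SHIM_PORT}
  # defer rather than hand mail over unauthenticated if AUTH is not advertised
  hosts_require_auth = *
  # the loopback leg is plaintext by design; stunnel adds the TLS
  hosts_avoid_tls = *
  # Exim 4.77 and later can do TLS-on-connect natively, which makes the shim
  # unnecessary:   hosts = ${SMARTHOST}   port = 465   protocol = smtps

begin authenticators
isp_login:
  driver = plaintext
  public_name = PLAIN
  # ^ separates the empty authorization id, the user name and the password;
  # this crosses the loopback leg in clear, so keep the file mode restrictive
  client_send = ^user@example.net^secret
EOF
}

# Live check of the remote side with OpenSSL, mirroring what the shim does
# (not part of the offline checks): expect "Verify return code: 0 (ok)".
check_remote_tls() {
    openssl s_client -connect "${SMARTHOST}:465" -CAfile "${CA_BUNDLE}" </dev/null 2>/dev/null \
        | grep -E '^ *Verify return code|^subject='
}
```

Run write_stunnel_conf and write_exim_conf with the target paths, start stunnel on the generated file, then test the whole path with swaks pointed at the shim (swaks --server 127.0.0.2 --port 25 with the ISP credentials) before switching the router over. The verify lines are the part worth keeping: a shim that skips certificate verification turns "TLS-on-connect" into encryption to whoever answers on port 465.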




jwblist3 at olympus

Feb 4, 2007, 3:42 PM

Post #9 of 12 (1721 views)
Re: TLS on connect as an SMTP Client [In reply to]

On 2/3/07 9:23 PM, "Bill Milford" <eximlists [at] milfordmail> wrote:

> I am shocked that yahoo will not support STARTTLS. They appear to be using
> qmail so it should be very
> easy. I know that the reason they use 465 is because of Microsoft's broken
> clients. Anyone know if
> Outlook in Office 2007 still has this problem?

The Outlook in the beta of Office 2007 can be configured to do TLS on port
587. One would hope that made it into the final product (which I'll never
have).

I don't know about Microsoft Mail (formerly Outlook Express) which I'll also
never have.

--John





wbh at conducive

Feb 4, 2007, 5:10 PM

Post #10 of 12 (1720 views)
Re: TLS on connect as an SMTP Client [In reply to]

Bill Milford wrote:
>
*snip*

>
> I am shocked that yahoo will not support STARTTLS.

*snip*

It appears that they do. Or did.

Google turned up instructions for setting to 587.

http://help.yahoo.com/mail/pop/pop-06.html

Bottom paragraph.

Bill






eximlists at milfordmail

Feb 4, 2007, 7:07 PM

Post #11 of 12 (1740 views)
Re: TLS on connect as an SMTP Client [In reply to]

> -----Original Message-----
> From: exim-users-bounces [at] exim [mailto:exim-users-bounces [at] exim] On Behalf Of W B Hacker
> Sent: Sunday, February 04, 2007 7:11 PM
> To: exim users
> Subject: Re: [exim] TLS on connect as an SMTP Client
>
> Bill Milford wrote:
> >
> *snip*
>
> >
> > I am shocked that yahoo will not support STARTTLS.
>
> *snip*
>
> It appears that they do. Or did.
>
> Google turned up instructions for setting to 587.
>
> http://help.yahoo.com/mail/pop/pop-06.html
>
> Bottom paragraph.
>
[Bill Milford]

They currently support 25 & 587 but do not support TLS on those ports. See the swaks example below:

# swaks -s smtp.att.yahoo.com -p 587 -q HELO -tls
=== Trying smtp.att.yahoo.com:587...
=== Connected to smtp.att.yahoo.com.
<- 220 smtp109.sbc.mail.mud.yahoo.com ESMTP
-> EHLO mail2.milfordmail.com
<- 250-smtp109.sbc.mail.mud.yahoo.com
<- 250-AUTH LOGIN PLAIN XYMCOOKIE
<- 250-PIPELINING
<- 250 8BITMIME
*** STARTTLS not supported
-> QUIT
<- 221 smtp109.sbc.mail.mud.yahoo.com
=== Connection closed by foreign host.
#

Bill
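
The swaks check above, reduced to a reusable decision: this is an added example, not part of Bill's post or of swaks. It parses an EHLO exchange in swaks's transcript format, lists the advertised extensions and SASL mechanisms, and decides what a client may safely do with the session. The first transcript is the 587 capture from the post; the second, with the placeholder names mx.example.net and client.example.org, is constructed to show a submission port that does advertise STARTTLS. The two probe functions at the end are the OpenSSL equivalents of swaks -tls and of TLS-on-connect for a live host and are not part of the offline checks.

```shell
#!/bin/sh
# Added example, not part of the thread: decide from an EHLO exchange whether a
# submission server can be used safely. Transcript lines use the swaks markers
# ("<- " server, "-> " client) exactly as in Bill's capture above.

# The 587 capture from the post: AUTH is advertised, STARTTLS is not.
EHLO_587='<- 220 smtp109.sbc.mail.mud.yahoo.com ESMTP
-> EHLO mail2.milfordmail.com
<- 250-smtp109.sbc.mail.mud.yahoo.com
<- 250-AUTH LOGIN PLAIN XYMCOOKIE
<- 250-PIPELINING
<- 250 8BITMIME'

# Constructed counterexample (mx.example.net, client.example.org are
# placeholders) showing what a correctly configured submission port offers.
EHLO_STARTTLS='<- 220 mx.example.net ESMTP
-> EHLO client.example.org
<- 250-mx.example.net
<- 250-STARTTLS
<- 250-AUTH PLAIN LOGIN
<- 250 8BITMIME'

# Print the EHLO keywords, one per line, upper-cased. The first 250 line is
# the server's own name (RFC 5321 section 4.1.1.1), not an extension, so it
# is dropped. Only the EHLO reply may be in the transcript.
ehlo_extensions() {
    printf '%s\n' "$1" \
        | sed -n 's/^<- //; s/^250[- ]//p' \
        | sed '1d' \
        | awk '{ print toupper($1) }'
}

# Exit 0 if STARTTLS is among the advertised extensions.
ehlo_offers_starttls() {
    ehlo_extensions "$1" | grep -qx 'STARTTLS'
}

# The SASL mechanisms the server offers ("AUTH=" is the old Exchange form).
ehlo_auth_mechs() {
    printf '%s\n' "$1" \
        | sed -n 's/^<- //; s/^250[- ]AUTH[ =]//p' \
        | tr ' ' '\n'
}

# $1 = transcript, $2 = "tls" when the EHLO already ran inside a TLS session
# (TLS-on-connect on 465), otherwise "plain". Prints how a client should proceed.
choose_submission_mode() {
    if [ "$2" = tls ]; then
        echo already-encrypted          # nothing more to negotiate
    elif ehlo_offers_starttls "$1"; then
        echo starttls                   # upgrade, verify the certificate, then AUTH
    else
        # AUTH LOGIN/PLAIN without STARTTLS means the password crosses the wire
        # base64-encoded, not encrypted: refuse rather than authenticate.
        echo refuse
    fi
}

# Live equivalents of "swaks -tls" and of TLS-on-connect for a real host
# (not run by the offline checks); the line to read is "Verify return code".
probe_starttls() { openssl s_client -connect "$1:587" -starttls smtp </dev/null; }
probe_tls_on_connect() { openssl s_client -connect "$1:465" </dev/null; }
```

Applied to the capture above, choose_submission_mode returns "refuse" for port 587: the server offers AUTH LOGIN and PLAIN with no way to encrypt the session, which is exactly why the ISP's 465 requirement is the only safe option it leaves. The "tls" branch is what a client on 465 (or Exim behind the stunnel shim) is in, where the absence of STARTTLS in the EHLO reply is expected.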





wbh at conducive

Feb 4, 2007, 7:23 PM

Post #12 of 12 (1726 views)
Re: TLS on connect as an SMTP Client [In reply to]

Bill Milford wrote:
>
>> -----Original Message-----
>> From: exim-users-bounces [at] exim [mailto:exim-users-bounces [at] exim] On Behalf Of W B Hacker
>> Sent: Sunday, February 04, 2007 7:11 PM
>> To: exim users
>> Subject: Re: [exim] TLS on connect as an SMTP Client
>>
>> Bill Milford wrote:
>> *snip*
>>
>>> I am shocked that yahoo will not support STARTTLS.
>> *snip*
>>
>> It appears that they do. Or did.
>>
>> Google turned up instructions for setting to 587.
>>
>> http://help.yahoo.com/mail/pop/pop-06.html
>>
>> Bottom paragraph.
>>
> [Bill Milford]
>
> They currently support 25 & 587 but do not support TLS on those ports. See the swaks example below:
>
> # swaks -s smtp.att.yahoo.com -p 587 -q HELO -tls
> === Trying smtp.att.yahoo.com:587...
> === Connected to smtp.att.yahoo.com.
> <- 220 smtp109.sbc.mail.mud.yahoo.com ESMTP
> -> EHLO mail2.milfordmail.com
> <- 250-smtp109.sbc.mail.mud.yahoo.com
> <- 250-AUTH LOGIN PLAIN XYMCOOKIE
> <- 250-PIPELINING
> <- 250 8BITMIME
> *** STARTTLS not supported
> -> QUIT
> <- 221 smtp109.sbc.mail.mud.yahoo.com
> === Connection closed by foreign host.
> #
>
> Bill
>
>

And they have that setting in a paragraph strongly advising encryption and
presenting it as part of such a solution.

Must be a whole lot of villages missing their idiots just to staff Yahoo's mail
admin slots.

Bill




