[Cryptography] SUBMIT is not SMTP, was IAB Statement on Internet Confidentiality

John Levine johnl at iecc.com
Tue Nov 18 23:54:17 EST 2014

In article <20141119005359.GA27477 at mail2.oyvay.nu> you write:
>On Tue, Nov 18, 2014 at 03:24:53PM -0000, John Levine wrote:
>> These were mobile networks with consumer users, not backbones with
>> fixed MTAs.  The only mail software you find on mobile consumer
>> networks is MUAs, which are doing submission, not SMTP.  These days,
>Um, not SMTP? Then what protocol does the MUA use for submission?

It uses SUBMIT, which is similar but not identical to SMTP.  See RFC
6409 which updates RFC 4409, published in 2006.  That was eight years
ago, and it's a little dismaying to find people that far out of date
pontificating about how mail works.

>For certain values of "misconfigured."  Some sites may need to support
>older MUAs that use port 25 by default.  That's sometimes known as
>"legacy support."

MUAs have had port 587 support since about 2006.  If you're running an
MUA that hasn't been updated in eight years, you're probably also
running Windows XP so we're doing the world a favor by forcing you to
upgrade.  Also keep in mind that the networks in question are mobile
carriers, where "legacy" phones able to run an MUA are unlikely to be
more than two or three years old and all can handle SUBMIT correctly.

>So what am I missing here? If a device is botted, it doesn't matter
>whether the submission port is 25 or 587; the attacker can use the
>credentials stored on the device, and send spam via either port.  So why
>is it okay for the ISP to break TLS on port 25 and not on port 587?

Ahem.  Port 25 is SMTP, which bots use to send spam directly to
victims on recipient MTAs.  Port 587 is SUBMIT, which MUAs use to send
mail (which might be spam) to their own provider's MTA, which then
takes responsibility and deals with it.

In practice, the vast majority of MUAs are correctly configured to use
port 587, and nearly all of the port 25 traffic from consumer networks
is bot spam.  That's why the best practice is to block it outright,
not try to filter it.  As I mentioned in a recent message, that's been
well known for a decade.
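
An added illustration of the port 25 versus port 587 distinction drawn in the message above (not part of the original post): a check over outbound flow records from a consumer network that separates submission traffic from port 25 traffic. The flow records, address ranges and function names are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data using documentation address ranges; not from the post.
CONSUMER_NET = ip_network("198.51.100.0/24")  # assumed consumer/mobile address pool
FLOWS = [
    # (source, destination, destination port)
    ("198.51.100.10", "192.0.2.25", 587),   # MUA submitting to its provider
    ("198.51.100.10", "192.0.2.25", 587),
    ("198.51.100.77", "203.0.113.5", 25),   # one host, many recipient MTAs
    ("198.51.100.77", "203.0.113.9", 25),
    ("198.51.100.77", "203.0.113.40", 25),
    ("198.51.100.31", "192.0.2.25", 25),    # old MUA still configured for port 25
    ("192.0.2.25", "203.0.113.5", 25),      # provider MTA relaying onward
]

def classify(flows, consumer_net=CONSUMER_NET):
    """Group consumer-sourced mail flows by source host.

    Returns {src: {"submit": destinations on 587, "smtp": destinations on 25}}.
    Sources outside the consumer pool are skipped: fixed MTAs speak SMTP on 25.
    """
    hosts = defaultdict(lambda: {"submit": set(), "smtp": set()})
    for src, dst, port in flows:
        if ip_address(src) not in consumer_net:
            continue
        if port == 587:
            hosts[src]["submit"].add(dst)
        elif port == 25:
            hosts[src]["smtp"].add(dst)
    return dict(hosts)

def port25_sources(flows, consumer_net=CONSUMER_NET):
    """Consumer hosts that attempted port 25, with distinct-destination counts.

    Sorted by fan-out (highest first), then by address, so hosts contacting
    many different MTAs directly appear at the top of the review list.
    """
    seen = classify(flows, consumer_net)
    hits = [(src, len(v["smtp"])) for src, v in seen.items() if v["smtp"]]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for src, fanout in port25_sources(FLOWS):
        print(f"{src}: port 25 to {fanout} distinct destination(s)")
```

An outright port 25 block on the consumer pool would stop both listed hosts; the fan-out count only helps tell a misconfigured MUA from a host contacting many MTAs.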

