[Cryptography] SUBMIT is not SMTP, was IAB Statement on Internet Confidentiality

Viktor Dukhovni cryptography at dukhovni.org
Wed Nov 19 18:42:12 EST 2014

On Wed, Nov 19, 2014 at 02:37:11PM -0800, Abe Singer wrote:

> Regarding the justification of breaking the encrytped, authenticated
> session to check for spam, if an ISP considers that activity on port
> 587 to be acceptable, then it really has no justification do
> otherwise for the same on port 25.

This is the cryptography list.  I think we can have naive discussion
of email protocols and infrastructure somewhere else.


 *  An ISP was observed to strip STARTTLS on port 25, rather than
    block the port outright.

 *  While this could have been nefarious, it is far more likely an
    anti-spam measure.  Of course opinions about whether anti-spam
    measures by ISPs are nefarious or not vary.

 *  Most MUAs should be using port 587 submission, and would not have
    been affected.

 *  The clients in question were exceedingly unlikey to have been MTAs.

 *  MITM resistance for MTA-to-MTA traffic is available non-scalably
    via bilateral agreements between peer systems.

 *  MITM resistance for MTA-to-MTA traffic is also available scalably
    via DNSSEC + DANE, but current deployment numbers for DNSSEC
    and the sheer novelty of DANE for SMTP mean that coverage is
    for now *very* thin.  Initial deployments are mostly in Germany.

 *  Some folks on this list don't give a hoot about TLS for SMTP
    transport, since it is not end-to-end.  Indeed SMTP transport
    security does not protect data at rest.

I think that about covers it.  Perhaps we can move on.


More information about the cryptography mailing list