[tor-relays] Ports 465 and 587 vanished from reduced exit policy?
grarpamp at gmail.com
Thu Jun 25 08:51:58 UTC 2015
On Wed, Jun 24, 2015 at 8:38 PM, Mike Perry <mikeperry at torproject.org> wrote:
> It appears that some years ago someone quietly removed port 465 and 587
> from the reduced exit policy at
> without an explanation.
> these ports should only be used for
> user-authenticated SMTP, and not spam.
465 was originally for SMTPS relay (the pretty TLS wrapped complement to
25/SMTP relay) back when MUAs were still dumping direct to MTAs per the
even older open relay model. Thus authentication was not really mandated
there, nor was it universal. (Today 465 is a bastard child that should
Then STARTTLS was rolled out and 25 became able to speak both
SMTP and STARTTLS SMTP (again, both with irregular authentication).
With STARTTLS you'd sometimes see STARTTLS SMTP behind 465 SMTPS
as a config lol (kill it).
The IETF revoked the redundant use of 465 for MTA and assigned it to SSM
(killed it in the late 1990's). Spam drove 587/SUBMISSION for segregating
relay use, and 25 banned relay.
587/SUBMISSION requires authentication and has effectively always used
STARTTLS. It is intended to relay outbound mail from end users' client MUA.
(Users can still deliver to recipient if the mailpath from their IP to somewhere
behind 25 at recipient.dom wasn't blocked by some control freak.)
After Heartbleed and Snowden made everyone at least consider looking
at their configs, usage everywhere became even more conformant but
still has some way and education to go.
I'd correct 587 to say SUBMISSION (with optional blurb in parens for
perpetual dummies still looking for "SMTPS" even though it isn't).
And be somewhat aware that some 465 somewhere might lack auth,
just as some 25 might equivalently open relay.
Why the exit policy list perpetuates old verbiage of broken SSL everywhere
instead of TLS is another day.
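
Added example, not part of the message above: a first-match evaluator for torrc `ExitPolicy` lines that reports how a relay's policy treats ports 25, 465 and 587. Both policy texts are constructed for illustration (they are not the Tor Project's reduced exit policy), and only wildcard `*` address patterns are handled.

```python
# Constructed sample policies; not copied from any Tor Project document.
POLICY_WITHOUT_MAIL = """\
ExitPolicy accept *:443        # HTTPS
ExitPolicy accept *:993,accept *:995
ExitPolicy accept *:5222-5223
ExitPolicy reject *:*
"""
POLICY_WITH_SUBMISSION = "ExitPolicy accept *:465,accept *:587\n" + POLICY_WITHOUT_MAIL


def parse_exit_policy(torrc_text):
    """Return [(action, low_port, high_port)] in the order rules appear."""
    rules = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "exitpolicy":
            continue
        for entry in parts[1].split(","):             # comma-separated rules
            action, pattern = entry.split()
            if action not in ("accept", "reject"):
                raise ValueError("unhandled action: " + action)
            addr, _, port = pattern.partition(":")
            if addr != "*":                           # assumption: wildcard only
                raise ValueError("only '*' addresses are handled here")
            if port in ("", "*"):
                low, high = 1, 65535
            elif "-" in port:
                low, high = (int(p) for p in port.split("-"))
            else:
                low = high = int(port)
            rules.append((action, low, high))
    return rules


def decide(rules, port):
    """First matching rule wins; None means no explicit rule matched."""
    for action, low, high in rules:
        if low <= port <= high:
            return action
    return None


def mail_port_report(torrc_text):
    """Map each mail-related port discussed in the thread to accept/reject."""
    rules = parse_exit_policy(torrc_text)
    return {port: decide(rules, port) for port in (25, 465, 587)}


if __name__ == "__main__":
    print(mail_port_report(POLICY_WITHOUT_MAIL))
    print(mail_port_report(POLICY_WITH_SUBMISSION))
```
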