what's smtpd_tls_wrappermode 'non standard' ?


Miwa Susumu
Hi all.

Does 'the non-standard "wrapper" mode' refer to SMTPS using port 465?

smtpd_tls_wrappermode
http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode
> Run the Postfix SMTP server in the non-standard "wrapper" mode, instead of using the STARTTLS command.


I think SMTPS using port 465 is 'standard' in RFC8314
https://tools.ietf.org/html/rfc8314

Is SMTPS using port 465 called 'standard' ?

--
miwarin

Re: what's smtpd_tls_wrappermode 'non standard' ?

Dominic Raferd
On Tue, 24 Jul 2018 at 09:06, Miwa Susumu <[hidden email]> wrote:
> Hi all.
>
> Does 'the non-standard "wrapper" mode' refer to SMTPS using port 465?
> smtpd_tls_wrappermode
> http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode
> > Run the Postfix SMTP server in the non-standard "wrapper" mode, instead of using the STARTTLS command.
> I think SMTPS using port 465 is 'standard' in RFC8314
> https://tools.ietf.org/html/rfc8314

TL;DR - yes

My understanding (corrections welcome):

What is called 'wrapper mode' in Postfix docs is called 'implicit TLS' in this RFC8314 (which is new @ Jan 2018). This has normally been on port 465 - often known as 'smtps' (including in Postfix, which also terms 587 as 'submission'). Note that the RFC says that term 'smtps' is outdated [7.3] and instead describes 'the "submissions" service (default port 465)' [3.3] - confusingly I think.

The RFC discourages STARTTLS (normally on port 587) for MUA -> MTA (but not for MTA -> MTA) in favour of implicit TLS on 465. However many (most?) of us use STARTTLS on 587 for authenticated connections, not least because implicit TLS has only become a standard with the issue of this new RFC.

So instead of 'wrapper mode' I think the Postfix documents should say "implicit TLS (formerly 'wrapper mode')", and references to it being 'non-standard' should come out. Maybe the option 'smtpd_tls_wrappermode' should be aliased to 'smtpd_tls_implicit'. But let's give Wietse some time to catch up, he probably has more important things ;-)
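
The distinction discussed in this thread, as an added example that is not part of the original posts or of Postfix: a Python check that reads master.cf-style text and reports, for each smtpd service, whether it runs implicit TLS (`smtpd_tls_wrappermode=yes`) or STARTTLS, and whether that matches the port convention described above (465 implicit, other ports STARTTLS). The sample config, the function names and the `IMPLICIT_TLS_PORTS` set are assumptions; only the `-o name=value` override form is parsed and main.cf is not read.

```python
import re

# Constructed master.cf excerpt (not from the thread). Service names follow the
# posts: "smtps" is port 465, "submission" is port 587.
SAMPLE_MASTER_CF = """\
# service  type  private unpriv chroot wakeup maxproc command + args
smtp       inet  n       -      y      -      -       smtpd
submission inet  n       -      y      -      -       smtpd
  -o smtpd_tls_security_level=encrypt
smtps      inet  n       -      y      -      -       smtpd
  -o smtpd_tls_wrappermode=yes
"""

OVERRIDE = re.compile(r"-o\s+(\w+)=(\S+)")
# Assumption: names/ports that clients treat as implicit TLS (RFC 8314 "submissions").
IMPLICIT_TLS_PORTS = {"465", "smtps", "submissions"}

def parse_smtpd_services(text):
    """Map each inet smtpd service name to its -o name=value overrides."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace():              # continuation of the previous service
            if current is not None:
                current.update(OVERRIDE.findall(raw))
            continue
        fields = raw.split()
        current = None                    # non-smtpd services are skipped
        if len(fields) >= 8 and fields[1] == "inet" and fields[7] == "smtpd":
            current = services.setdefault(fields[0], {})
            current.update(OVERRIDE.findall(" ".join(fields[7:])))
    return services

def tls_mode(overrides):
    if overrides.get("smtpd_tls_wrappermode") == "yes":
        return "implicit-tls"             # TLS handshake before any SMTP
    if overrides.get("smtpd_tls_security_level") == "encrypt":
        return "starttls-required"        # plaintext greeting, then STARTTLS
    return "main.cf-default"              # nothing set per service

def audit(text):
    """Return {service: (mode, matches_port_convention)}."""
    result = {}
    for name, overrides in parse_smtpd_services(text).items():
        port = name.rsplit(":", 1)[-1]    # drop an optional "host:" prefix
        mode = tls_mode(overrides)
        result[name] = (mode, (port in IMPLICIT_TLS_PORTS) == (mode == "implicit-tls"))
    return result
```

A `False` in the second element marks a listener whose TLS mode differs from what clients on that port expect, for example port 465 without wrapper mode, where a client starting a TLS handshake meets a plaintext SMTP greeting.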

Re: what's smtpd_tls_wrappermode 'non standard' ?

Miwa Susumu
hi.

2018-07-24 18:24 GMT+09:00 Dominic Raferd <[hidden email]>:

>> Does 'the non-standard "wrapper" mode' refer to SMTPS using port 465?
>> smtpd_tls_wrappermode
>> http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode
>> > Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
>> > of using the STARTTLS command.
>> I think SMTPS using port 465 is 'standard' in RFC8314
>> https://tools.ietf.org/html/rfc8314
>
>
> TL;DR - yes
>
> My understanding (corrections welcome):
>
> What is called 'wrapper mode' in Postfix docs is called 'implicit TLS' in
> this RFC8314 (which is new @ Jan 2018). This has normally been on port 465 -
> often known as 'smtps' (including in Postfix, which also terms 587 as
> 'submission'). Note that the RFC says that term 'smtps' is outdated [7.3]
> and instead describes 'the "submissions" service (default port 465)' [3.3] -
> confusingly I think.
>
> The RFC discourages STARTTLS (normally on port 587) for MUA -> MTA (but not
> for MTA -> MTA) in favour of implicit TLS on 465. However many (most?) of us
> use STARTTLS on 587 for authenticated connections, not least because
> implicit TLS has only become a standard with the issue of this new RFC.

thanks.
it's confusing ;-0


> So instead of 'wrapper mode' I think the Postfix documents should say
> "implicit TLS (formerly 'wrapper mode')", and references to it being
> 'non-standard' should come out. Maybe the option 'smtpd_tls_wrappermode'
> should be aliased to 'smtpd_tls_implicit'. But let's give Wietse some time
> to catch up, he probably has more important things ;-)

ok.
I expect it :)

--
miwarin