Closed Bug 383877 Opened 18 years ago Closed 12 years ago

SMTP config UI should offer option to use "message submission" port per RFC 4409

Categories

(MailNews Core :: Security, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: nelson, Unassigned)

Attachments

(1 file)

Attached image Proposed UI
MailNews: Security is probably the wrong component for this bug, but I think the same people who fixed bug 185662 are the right people to address this bug, and bug 185662 was given this component.

Today, the email config (prefs) UI for outgoing mail servers only offers to use one port, port 25. The user can change it to another port IFF the user knows of another port to use.

For several years now, port 25 has NOT been the preferred port for Mail User Agents (MUAs, clients) to submit new outgoing emails to Mail Transfer Agents (MTAs, servers). Port 25 is now for MTA-to-MTA (server to server) communications. RFC 2476 (Dec 1998) and its successor, RFC 4409 (Apr 2006), define a "message submission" port, for MUAs to use when sending new outgoing emails to their mail service provider's MTA.

The message submission port (port 587) uses SMTP (as does port 25). From the MTA's perspective, it is just a different port number, but is otherwise the same as port 25 for outgoing messages.

In an effort to reduce spam, many MUAs no longer accept emails from dynamic IP addresses or from IP subnets that are known to be end-user subnets (e.g. cable or DSL networks) on port 25. They only accept emails from such subnets on port 587, and they only accept emails from known users (subscribers) on those ports.

Since this new "standard" is now 8 years old, it's time for us to support it in Thunderbird and SeaMonkey. IMO, we really should offer it as the default outgoing SMTP port number, and offer a way (e.g. a radio button) for the user to select port 25 as an alternative.

Attached is a mockup of one way this could be presented to the user. I'm sure Mozilla's UI gurus can improve on it. :)
I meant to write: "From the MUA's perspective, it's just a different port"
Some servers don't support the message submission agent port. The standard email communication port is tcp 25. Some MSA features are controversial or allow mailers to violate other email standards. I would like to suggest NOT defaulting to tcp 587 for the outgoing smtp port. PS. I am not a Mozilla developer and I haven't asked to be mailed new Mozilla bug reports.
When you say "[The] Standard email communication port is tcp 25." I think you mean "the port that all us old-timers have been using since forever is port 25", and I agree with that. I'm one of those old-timers too. But the standard is evolving. Just as SSL2 was once the standard, and is now no longer used, so the use of port 25 as the MUA->MTA submission port is now a thing of the past.
"[The] Standard email communication port is tcp 25". As in http://www.iana.org/assignments/port-numbers.

---
smtp 25/tcp Simple Mail Transfer
smtp 25/udp Simple Mail Transfer
...
submission 587/tcp Submission
submission 587/udp Submission
---

MSA is not an evolution of SMTP. It is an extra feature liked by some people, because their ISP blocks TCP 25. If people start running more open relays on MSA or SMTP over SSL ports, ISPs will block these ports too. ESMTP (RFC 1869) is an evolution of the SMTP standard.

Postfix, Exim, Qmail. All three use only TCP 25 by default. I know only one server that opens the MSA port by default. It is Sendmail.

If message submission is a thing of the past in your setup, it does not mean that it is a thing of the past in other setups. If you've decided to accept message submissions only on the MSA port, don't ask all mail programs to use that port by default in order to reduce your support queries.

Selection box for SMTP, MSA and SMTP-over-SSL ports - good idea. People won't have to remember port numbers. Defaulting to the MSA port - bad one. By defaulting to a non-standard port you will create support queries. Even default smtp authentication causes issues. Your proposal adds port issues.
Of the three smtp servers I have access to (Exchange, Postfix and Sendmail), none respond on port 587. So I don't think it's worth adding UI for...
I think the issue is not "how many products configured it by default?", but rather is "how many Thunderbird users' mail service providers (typically their ISPs) expect them to use port 587?". I think most (if not all) of the major ISPs in the USA do. I can't speak for ISPs outside of the USA.
(In reply to comment #6)
> I think the issue is not "how many products configured it by default?",
> but rather is "how many Thunderbird users' mail service providers
> (typically their ISPs) expect them to use port 587?".

Shouldn't these reasonably correlate quite well?

> Shouldn't these reasonably correlate quite well?

No, larger ISPs pay a lot of attention to their server configuration and do not rely on product defaults so heavily. They also tend to use server software that scales to very large numbers of users, which little of the low-end server software does, IMO.

(In reply to comment #6)
> I think the issue is not "how many products configured it by default?",
> but rather is "how many Thunderbird users' mail service providers
> (typically their ISPs) expect them to use port 587?".
> I think most (if not all) of the major ISPs in the USA do.

http://dictionary.reference.com/search?q=generalization&x=0&y=0

> I can't speak for ISPs outside of the USA.
>

Comcast uses SMTP over SSL. http://www.comcast.com/customers/faq/FaqDetails.ashx?ID=2344
Earthlink uses MSA http://kb.earthlink.net/case.asp?article=127339
AOL uses MSA http://members.aol.com/adamkb/aol/mailfaq/imap/
1and1 uses SMTP and MSA http://tinyurl.com/afopm
British Telecom use SMTP with AUTH http://tinyurl.com/34gawh (vista mail defaults to 25 port)
T-Online.de uses SMTP with AUTH http://service.t-online.de/c/16/88/63/1688630.html
XS4ALL uses SMTP http://www.xs4all.nl/helpdesk/software/email/win/mail/handmatig.php
Lithuanian Telecom uses SMTP with AUTH. http://mano.zebra.lt/duk.php?srvc_id=1#18 Page is in Lithuanian, but pictures are not.

Please stop generic claims that "all use MSA" without proving it. You use MSA. I don't use. If spammers start abusing MSA and SMTP over SSL ports, I'll block those just like I block third party SMTP servers.
I think both of you have good arguments for your viewpoints and yes, I also see some problems offering ONLY port 587 as default. On the other hand I think we will find a remedy by considering the following two points.

a) ENISA [1], the European Network and Information Security Agency, published a survey for ISPs/ESPs mainly within the European Union and asked the providers whether they offer Message Submission (as described in RFC 4409). I could provide you with the results regarding this question probably in mid July, which will give a good overview of non-American providers offering Message Submission. I guess that most of them will offer it, but that's irrelevant for now.

b) You are not the first guys who bother about the issue between port 25 and 587. Currently up-to-date in version 07 is a draft for a BCP at the IETF by Hutzler et al [2] discussing, among other things, the problem of the transition to Message Submission. Personally I really like this draft and I suggest that you, Nelson, adopt its recommendations in your proposal and give us a new possible solution. In detail this draft describes:

"As delivered from the factory, MUAs SHOULD attempt to find the best possible submission port from a list of alternatives. That list SHOULD include the SUBMISSION port 587 as well as port 25. The ordering of that list SHOULD try the SUBMISSION port 587 before trying port 25, and MAY try other ports before, between, or after those two ports. Since most MUAs available today do not permit falling back to alternate ports, sites SHOULD pre-configure or encourage their users to connect on the SUBMISSION port 587, assuming that site supports that port."

Especially the proposals in b) should make a consensus among all participants of this discussion possible. Moreover, I __HIGHLY__ recommend the Mozilla community to integrate this or similar changes into future releases, since Email Submission will play a more important role in the next years.

/Christian

[1]: http://www.enisa.europa.eu/pages/02_03_news_2007_06_08_ENISA_ISP_Spam.htm
[2]: http://www.ietf.org/internet-drafts/draft-hutzler-spamops-07.txt

PS: Nelson, I guess you meant _MSA_ and not MUA in this statement: "In an effort to reduce spam, many MUAs no longer accept emails from dynamic IP addresses or from IP subnets that are known to be end-user subnets (e.g. cable or DSL networks) on port 25."
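The port-selection behaviour quoted from the draft above (try 587 before 25 and fall back when a port is unusable), as an added example that is not part of the original bug discussion or of Thunderbird's code. The host names and the probe table are constructed, and the `require_starttls` option is an assumption that goes beyond what the draft states:

```python
import smtplib

# Order from the quoted draft: SUBMISSION port 587 first, then port 25.
CANDIDATE_PORTS = (587, 25)


def probe_port(host, port, timeout=5.0):
    """EHLO the server; return advertised features, or None if unusable."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as conn:
            code, _ = conn.ehlo()
            if not 200 <= code < 300:
                return None
            return {"port": port,
                    "starttls": conn.has_extn("starttls"),
                    "auth": conn.has_extn("auth")}
    except OSError:  # refused, timed out, blocked; SMTPException is an OSError
        return None


def choose_submission_port(host, candidates=CANDIDATE_PORTS, probe=probe_port,
                           require_starttls=False):
    """Return the probe result for the first usable candidate, else None."""
    for port in candidates:
        result = probe(host, port)
        if result is None:
            continue  # closed, filtered, or not SMTP: fall back to next port
        if require_starttls and not result["starttls"]:
            continue  # assumption: caller refuses to submit over cleartext
        return result
    return None


# Constructed probe results (hypothetical hosts, not real measurements):
# one provider listening on both ports, one legacy server on port 25 only.
CONSTRUCTED = {
    ("mail.example.net", 587): {"port": 587, "starttls": True, "auth": True},
    ("mail.example.net", 25): {"port": 25, "starttls": False, "auth": False},
    ("legacy.example.org", 25): {"port": 25, "starttls": False, "auth": True},
}


def constructed_probe(host, port):
    """Stand-in for probe_port() so the example runs offline."""
    return CONSTRUCTED.get((host, port))


if __name__ == "__main__":
    for name in ("mail.example.net", "legacy.example.org"):
        print(name, choose_submission_port(name, probe=constructed_probe))
```
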
In reply to comment 9, most of the named (American) ISPs offer mail submission over port 587 also. Comcast (the largest one) certainly does.
In reply to my comment 10 point a), it turned out that only a fourth of the providers offer this service on port 587 officially. However, I can best imagine they provide it unofficially, and we (tinw) could put pressure on them to do so. Nelson, did you think about my proposals made in b)? I would highly appreciate a current status of the development (i.e. whether you are going to implement it as proposed). Thanks
Product: Core → MailNews Core
Red Hat Linux distributions now ship with a sendmail config that is easily set to enable port 587 submission. (My server listens on both, and allows authenticated users to relay.) I had a Tbird user contact me today from a hotel that blocked 25, and he needed to know what port to use to send email. Due to widespread ISP blocking of outbound 25, more and more business servers are listening on 587 for remote users.
Perhaps the smtp dialog should say Default: 25 or 587 ... for the cases where we show Default: 25 now. The new quick account setup already prefers 587 iirc.
587 is the default nowadays. -> WFM
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME