There's an hour of my life I won't get back ..

Dec. 30th, 2008 09:47 am
[identity profile] lihan161051.livejournal.com posting in [community profile] techrecovery
Note to campus IT admins: When you're setting up SSL on your SMTP servers, it really, really helps if you *tell* people you set up SSL on TCP 587 and not on TCP 465 like everyone else. Especially if your SMTP server only tells people to use SSL within the 5xx error that's causing the mail client to reject a known good name/password, and *doesn't* mention that it's on a nonstandard port. And if you're not using TCP 465 for SSL, it would be nice to explain why the f*** you're doing it that way, as long as that explanation doesn't include "we didn't know how to put it on the right port".

(It doesn't help any that said campus IT admin is in the same .edu domain through which I initially had Internet access back in the mid-80's, nor does it help that this .edu domain was my first exposure to SMTP, back when everyone used unauthenticated SMTP on TCP 25 because most people could be trusted not to spam.)

No love. :p
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Date: 2008-12-30 04:18 pm (UTC)
From: [identity profile] margaretc.livejournal.com
Sigh.
Yeah, it would be nice.

Please tell me they've got their SSL-ed IMAP service on 993, at least. Or that they tell people that they're using a different port for THAT, too.


(Note - the icon was taken from a picture of an actual campus server room A/C duct. I share your pain.)

Date: 2008-12-30 05:47 pm (UTC)
From: [identity profile] lihan161051.livejournal.com
Oh ye gods and goddesses -- cringing at the thought of where those fibers are probably ending up in the server machines. :S

Yeah, the IMAP was configured the conventional way. It was just the SMTP that was bass-ackwards. :)

Date: 2008-12-30 05:03 pm (UTC)
From: [identity profile] spiker-uk.livejournal.com
Hmm. I'd say that using 587/tcp for SMTP-over-SSL for offsite users is certainly gaining strong consensus in the .edu world; I know in my last job (in an .ac.uk) we didn't hesitate to use 587 instead of 465 -- but we did make sure everyone knew!

Date: 2008-12-30 05:52 pm (UTC)
From: [identity profile] lihan161051.livejournal.com
Yeah, ordinarily I wouldn't care -- I've heard of some .com hosting sites using 2525 for SSL SMTP. Shrug. It's the not telling the users part that bugs me. I rant enough about uninformed/clueless end users that it's an order of magnitude more annoying when a *service provider*, whatever their TLD might be, makes it worse by not being proactive enough about telling people when they really do need to know some odd/unorthodox thing about how to make it work. If I couldn't find it, trust me, it's not documented anywhere near well enough.

Hell, at the very least, the 5xx error the server was throwing for non-SSL authentications could at least have either mentioned which port to use, or had the URL of the IT admin page with the full instructions in it. Wouldn't have been hard to configure. If it's not in an RFC somewhere, it really does need to be documented locally, and thoroughly, so at least the clueful users can find what they need.

Date: 2008-12-30 05:54 pm (UTC)
From: [identity profile] lihan161051.livejournal.com
.. because some of us actually do **read** the logs ..

Date: 2008-12-30 06:00 pm (UTC)
jsbillings: (Default)
From: [personal profile] jsbillings
It's not unusual to have 587 open as an SMTP submission port, and requiring TLS is definitely advisable when a user is submitting a username/password.

I think 465 is just an SSL-wrapped SMTP session usually, but what mail clients support SMTP/S and not SMTP/TLS?

Date: 2008-12-30 09:45 pm (UTC)
From: [identity profile] jimbojones.livejournal.com
Running SSL SMTP on 587 is fairly normal, actually - 587 is the canonical ESMTP (authenticated smtp) port.

I'm with jsbillings, wtf supports SSL-wrapped SMTP but doesn't do TLS?

Date: 2008-12-31 12:04 am (UTC)
ext_8716: (Default)
From: [identity profile] trixtah.livejournal.com
SMTPS (http://www.mail-archive.com/postfix-users@postfix.org/msg04154.html) (over, surprise surprise, TCP 465), which was deprecated about 6 billion years ago (thereabouts)

Date: 2008-12-31 12:00 am (UTC)
ext_8716: (Default)
From: [identity profile] trixtah.livejournal.com
Um, TCP 587 is the well-known email submission port, that commonly uses some kind of authentication method.

It's not HTTP SSL.

Date: 2008-12-31 12:05 am (UTC)
ext_8716: (Default)
From: [identity profile] trixtah.livejournal.com
Or SMTPS.

Date: 2008-12-31 04:12 am (UTC)
From: [identity profile] anthalus.livejournal.com
Well if they don't tell anyone, then it really is secure...

Date: 2008-12-31 05:37 am (UTC)
From: [identity profile] japester.livejournal.com
[x]~> grep 465 /etc/services
igmpv3lite 465/udp # IGMP over UDP for SSM
urd 465/tcp # URL Rendesvous Directory for SSM # [RFC4656]


'the fu' are they doing running SMTP/TLS over port 465?
587 *is* the accepted port for doing this? Don't ask me why it's called submission though. I'm missing my matching domination port.

Date: 2009-01-07 10:43 am (UTC)
delta_mike: (Default)
From: [personal profile] delta_mike
I would just like to add that Single-Source Multicast (SSM) is very cool.
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Profile

techrecovery: (Default)
Elitist Computer Nerd Posse
Tech Comedy (Reddit)

April 2017

S M T W T F S
      1
2345678
91011121314 15
16171819202122
23242526272829
30      

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags

No cut tags
Page generated Mar. 25th, 2026 01:06 pm
Powered by Dreamwidth Studios