Note: Using port 465 for SMTPS is deprecated; one should use STARTTLS on normal SMTP on port 25 or client e-mail submissions on port 587 instead. Port 465 has even been officially reassigned to the “URL Rendezvous Directory” service.
If you’re worried about man-in-the-middle protocol downgrade attacks, check the DANE DNS record for the mail server (and verify the DNSSEC signature); if the DANE record says to use TLS, but the SMTP connection doesn’t accept STARTTLS, raise the shenanigans alert.
How many serious SMTP servers in the entire industry have DANE records with DNSSEC signatures? Didn't the major mail providers just push SMTP-STS specifically so people wouldn't have to bother with DANE?
MTA-STS was made by, and for, the big providers, and it shows. MTA-STS is not a practical standard for small players, and is unlikely to be widely adopted except by Big Email.
Given that, by definition, the majority of end users are on “Big Email”, if all of them adopt it, it will already have vastly more practical benefits than DANE has had thus far.
That said, I’ve looked around a bit and it doesn’t seem like it’s actually impractical to set up MTA-STS for your own server, unless I’m missing something? (For reference, I’ve been skimming https://roll.urown.net/server/mail/mta-sts.html ). Can you elaborate on why it’s not practical for small players?
Maybe because he doesn't like serving https? Many people object to that, while they're fine with the DNS-only part (you need to be able to curl https://mta-sts.DOMAIN/.well-known/mta-sts.txt).
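The file at that .well-known path is just a handful of `key: value` lines (RFC 8461). The following is an added example, not code from the thread or from the linked page: it parses such a policy and applies the enforce/testing distinction to a candidate MX host. The policy text and the example.com/example.net domains are constructed; in real use the policy is fetched over HTTPS with a validated certificate, and `tls_ok` is the result of validating the MX's own certificate.

```python
# Added example (not from the thread): parse an RFC 8461 MTA-STS policy, as served
# at https://mta-sts.<domain>/.well-known/mta-sts.txt, and test a candidate MX.
# Constructed sample policy; example.com and example.net are placeholder domains.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""

def parse_policy(text):
    """Parse 'key: value' lines; reject a policy missing required fields."""
    policy = {"mx": []}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)  # cache lifetime in seconds
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or "max_age" not in policy:
        raise ValueError("missing version or max_age")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    return policy

def mx_matches(pattern, host):
    """'*.example.net' covers exactly one extra left-most label (RFC 8461 4.1)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, dot, rest = host.partition(".")
        return bool(label) and bool(dot) and rest == pattern[2:]
    return host == pattern

def delivery_decision(policy, mx_host, tls_ok):
    """Return (deliver, reason): only 'enforce' blocks; 'testing' only reports."""
    if policy["mode"] == "none":
        return True, "no policy in effect"
    if not any(mx_matches(p, mx_host) for p in policy["mx"]):
        problem = "MX not listed in policy"
    elif not tls_ok:
        problem = "TLS validation failed"
    else:
        return True, "MX listed and TLS validated"
    if policy["mode"] == "enforce":
        return False, problem
    return True, "testing mode, report only: " + problem
```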
This is factually wrong. Your information is deprecated.
Historically, yes, 465 was deprecated several years ago. But as many ISPs and the largest email services kept using it, the IANA had to change its tune and 'resurrected' port 465 in this RFC.
It is funny: the RFC itself describes that as a wart, but reality is a harsh mistress.
Please read the outlined section 3.3 of RFC 8314 from 2018, which explains just that, if you don't believe me.
Of course, this still doesn’t mean that using 465 is a good idea; ports 25 and 587 with STARTTLS (using DANE for downgrade protection) should still be preferred to using 465, which the RFC does clarify.
(Sorry if I insisted. A lot of people still believe 465 is deprecated. I wanted to correct that.)
As for preference, the RFC also mentions that implicit SSL is the goal.
Given how far it has come, with 465 now being resurrected, I will not be surprised when in the future STARTTLS becomes deprecated - and maybe other ports besides 465.
All it takes is a few large email providers to stop accepting port 587 ... and 25. Just look at how everybody has jumped into using DKIM and MTA-STS which are way more complicated and ugly, but almost required if you want your email delivered.
https://tools.ietf.org/html/rfc8314#section-3.3