
Re: exit policy

Andrew wrote:
> NavouWiki wrote: As for end-to-end encryption, you could allow exit only
> to ports that are commonly used by encrypted protocols (like 443 for https,
> 465 for SMTPS, 993 for IMAPS... browse wikipedia to continue that list to
> your satisfaction).
I just want to add: The recommended way to do encrypted SMTP, IMAP, POP3 is to
use the 'old' ports and issue a STARTTLS/STLS command at the beginning of
the communication which switches to TLS.
Also see:
http://tools.ietf.org/html/rfc2595
http://tools.ietf.org/html/rfc3207

(There is also a STARTTLS for http (http://tools.ietf.org/html/rfc2817), but I
don't know if any websites make use of it.)

But the message is again: don't rely on port numbers. ;-) Connections to ports
25, 110, 143 may be encrypted and 'safe' as well.
(Additionally there is no real reason to expect 'bad guys' to use only
unencrypted connections. ;-) )

Dominik
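Dominik's point that a session on 25, 110 or 143 may well be encrypted can be verified directly. The following is an added example, not code from this thread: it performs the STARTTLS/STLS upgrade on the plaintext port as RFC 3207 and RFC 2595 describe and reports the negotiated TLS version and the server certificate subject. The EHLO name `probe.example`, the function names and the reply-terminator regexes are this example's own assumptions.

```python
import re
import socket
import ssl

# STARTTLS/STLS upgrade on the plaintext ports (RFC 3207 for SMTP, RFC 2595 for
# IMAP and POP3). The regexes identify the final line of each server reply.
PROTOCOLS = {
    "smtp": dict(port=25, greet=rb"^220 ", hello=b"EHLO probe.example\r\n",
                 done=rb"^[2-5]\d\d ", cap=rb"^250[ -]STARTTLS\b", start=b"STARTTLS\r\n",
                 sdone=rb"^[2-5]\d\d ", ok=rb"^220"),
    "imap": dict(port=143, greet=rb"^\* ", hello=b"a1 CAPABILITY\r\n",
                 done=rb"^a1 ", cap=rb"\bSTARTTLS\b", start=b"a2 STARTTLS\r\n",
                 sdone=rb"^a2 ", ok=rb"^a2 OK"),
    "pop3": dict(port=110, greet=rb"^[+-]", hello=b"CAPA\r\n",
                 done=rb"^(\.|-ERR)", cap=rb"^STLS\b", start=b"STLS\r\n",
                 sdone=rb"^[+-]", ok=rb"^\+OK"),
}

def offers_starttls(proto, reply):
    """True if a capability reply (bytes) advertises the TLS upgrade command."""
    cap = PROTOCOLS[proto]["cap"]
    return any(re.search(cap, line.strip()) for line in reply.splitlines())

def read_reply(sock, done):
    """Read CRLF lines until one matches 'done'; return the whole reply."""
    buf = b""
    while not any(re.search(done, l) for l in buf.split(b"\r\n")[:-1]):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def probe_starttls(host, proto, timeout=10):
    """Upgrade to TLS on the 'old' port; return (TLS version, certificate subject)."""
    p = PROTOCOLS[proto]
    with socket.create_connection((host, p["port"]), timeout=timeout) as sock:
        read_reply(sock, p["greet"])                     # plaintext banner
        sock.sendall(p["hello"])
        if not offers_starttls(proto, read_reply(sock, p["done"])):
            raise RuntimeError(f"{host}:{p['port']} does not offer STARTTLS")
        sock.sendall(p["start"])
        if not re.match(p["ok"], read_reply(sock, p["sdone"])):
            raise RuntimeError("server refused the TLS upgrade")
        # From here the same TCP connection carries TLS, just as 465/993/995
        # would; the default context verifies the certificate and hostname.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]
```

`probe_starttls("mail.example.net", "smtp")` needs network access to a real server; `offers_starttls` can be exercised offline on captured capability replies.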