SSL Port Clarification

Thread starter: Jeff Pencosky

Jeff Pencosky

Hi,

We have noticed this particular behavior in Outlook and I was hoping an MS
Engineer could provide some insight:

When using any port other than 25, STARTTLS does not assume encryption from
the start. For example, when using port 465 the session would begin in clear
text and then be encrypted after the connection is made. In reality the session
should begin encrypted. I believe this same behavior also occurs when using
port 587.

Is this the expected behavior? Is there a workaround for this? Does
Microsoft have a method for bug reporting this? Thanks in advance!

- Jeff
 
What version of Outlook do you have? If Outlook 2002, have you installed at
least SP-1? The released version of Outlook 2002 only used TLS (encryption
negotiated within the SMTP session). In SP-1, this was changed to try TLS
first if the port was 25, then fall back to SSL (initiate encryption before
starting the SMTP session) if that failed, and the other way around (try
SSL, fall back to TLS on failure) if the port was not 25.
 
Hi Jeff,

Thanks for your quick reply! Outlook 2003 is our recommended client here at
the university, however we do have many students using Outlook 2002.
Our concern here is for the proper behavior on port 587 to be what you are
already doing on port 25:

a) Start the session unencrypted and issue the EHLO.
b) If STARTTLS is advertised, do it.
c) After STARTTLS, check the AUTH line for new mechanisms

For port 465, it is the correct behavior to start the session encrypted.

Just as a side note as to the why(s), we have discovered that some
student/staff internet providers may be using a transparent SMTP proxy and
thus, when they try to connect to the campus SMTP server on port 25, they
actually get their provider's SMTP server and are unable to connect to our
campus mail servers. Hence our use of ports 465 and 587.

Thanks again,

Jeff Pencosky, Windows Support
Carnegie Mellon University
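The handshake Jeff lays out in steps (a) to (c), written as an added example that is not code from the thread or from Outlook: implicit TLS on port 465, and on 587 (or 25) a cleartext EHLO, STARTTLS only if the server advertises it, then a second EHLO to pick up AUTH mechanisms that appear only once the session is encrypted. `open_submission` uses the standard-library `smtplib` against a real server; `parse_ehlo` and `check_starttls_upgrade` apply the same checks to captured EHLO replies so the logic can be exercised offline. The host name and the two EHLO replies are constructed for illustration, as is the refusal to fall back to cleartext, which is this example's policy rather than anything the thread prescribes.

```python
"""Mail-submission client following the port conventions discussed above.

Added example, not the thread's own code: 465 is TLS from the first byte
(what RFC 8314 calls implicit TLS), 587 and 25 start in cleartext and
upgrade with STARTTLS (RFC 3207).  Sample host and EHLO replies are
constructed for illustration.
"""
import smtplib
import ssl

IMPLICIT_TLS_PORT = 465   # encrypted before any SMTP command is sent
SUBMISSION_PORT = 587     # cleartext EHLO, then STARTTLS upgrade


def handshake_mode(port: int) -> str:
    """'implicit' for 465; 'starttls' for 587, 25 and anything else."""
    return "implicit" if port == IMPLICIT_TLS_PORT else "starttls"


def parse_ehlo(reply: str) -> dict:
    """Turn a raw multi-line 250 reply into {EXTENSION: [parameters]}.

    The first 250 line is the server greeting, not an extension, so it is
    skipped.  Both '250-' (more lines follow) and '250 ' (last line) count.
    """
    features = {}
    lines = [ln for ln in reply.splitlines() if ln[:3] == "250"]
    for line in lines[1:]:
        words = line[4:].split()          # drop the "250-" / "250 " prefix
        if words:
            features[words[0].upper()] = [w.upper() for w in words[1:]]
    return features


def check_starttls_upgrade(ehlo_plain: str, ehlo_tls: str) -> dict:
    """Steps (a)-(c) applied to two captured EHLO replies.

    Raises if STARTTLS was never offered (so no cleartext AUTH is attempted)
    or if the server still advertises STARTTLS after the upgrade, which
    RFC 3207 forbids and which suggests TLS is not actually active.
    Returns the AUTH mechanisms before and after, and those that are new.
    """
    before = parse_ehlo(ehlo_plain)
    if "STARTTLS" not in before:
        raise RuntimeError("server did not advertise STARTTLS; not authenticating in cleartext")
    after = parse_ehlo(ehlo_tls)
    if "STARTTLS" in after:
        raise RuntimeError("STARTTLS still advertised after the upgrade; is TLS active?")
    plain_auth = set(before.get("AUTH", []))
    tls_auth = set(after.get("AUTH", []))
    return {
        "auth_before": sorted(plain_auth),
        "auth_after": sorted(tls_auth),
        "new_mechanisms": sorted(tls_auth - plain_auth),
    }


def open_submission(host: str, port: int, timeout: float = 10.0) -> smtplib.SMTP:
    """Open an SMTP session with the handshake the port calls for.

    Never falls back to cleartext: a 587 server without STARTTLS is an error,
    not a downgrade.  Certificate verification uses the default context.
    """
    ctx = ssl.create_default_context()
    if handshake_mode(port) == "implicit":
        conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        conn.ehlo()
        return conn
    conn = smtplib.SMTP(host, port, timeout=timeout)
    conn.ehlo()                               # (a) cleartext EHLO
    if not conn.has_extn("starttls"):         # (b) only upgrade if advertised
        conn.quit()
        raise RuntimeError(f"{host}:{port} does not offer STARTTLS")
    conn.starttls(context=ctx)
    conn.ehlo()                               # (c) re-EHLO: AUTH line may differ
    return conn


# Constructed EHLO replies: before the upgrade the server offers only GSSAPI;
# after STARTTLS it also allows PLAIN and LOGIN, which are safe only over TLS.
EHLO_PLAIN = (
    "250-smtp.example.edu Hello client.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH GSSAPI\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_TLS = (
    "250-smtp.example.edu Hello client.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-AUTH GSSAPI PLAIN LOGIN\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

if __name__ == "__main__":
    for p in (25, SUBMISSION_PORT, IMPLICIT_TLS_PORT):
        print(p, handshake_mode(p))
    print(check_starttls_upgrade(EHLO_PLAIN, EHLO_TLS))
```

The offline check mirrors what a client should do on the wire: the AUTH line read after STARTTLS is the one that matters, and a mechanism such as PLAIN that only appears once the session is encrypted should never be sent over the cleartext leg.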
 
That's a good point - we should start with TLS behavior on port 587 as well,
since it's the "submit" port. I'll file a bug on that. However, even if
Outlook doesn't start with TLS on 587, it should fall back to it when SSL
fails - if you want to force users to use TLS rather than SSL on this port,
just don't allow SSL connections.
 