Subj : BINKP over TLS
To   : Alexey Fayans
From : Alan Ianson
Date : Thu Dec 19 2019 02:41 pm

Hello Alexey,

AI>> I don't think STARTTLS is what we want today.

AF> Why?

Because of what I have read others say on the subject. I really have no good
idea why it is frowned upon.

The first encounter I had with binkps was about a year ago when SSL/TLS was
introduced in Mystic. Mystic has opportunistic SSL/TLS support. It had to be
opportunistic since James knew at the outset there would be mailers in the mix
that did not support SSL/TLS. James received a lot of feedback on the subject
that implicit TLS was the way to go rather than opportunistic.

Since then I have looked up the subject. There is a mountain of information on
the subject and I have not read it all, but I don't see folks adopting STARTTLS
today, only deprecating it.

AI>> In the early going of TLS it was probably the only way forward
AI>> since there were many destinations that did not support TLS, that
AI>> is not the case today. I don't read of anyone adopting STARTTLS
AI>> today, only deprecating it.

AF> I only see a proposal to deprecate STARTTLS _implementation_ in SMTP
AF> and other e-mail protocols because obviously implementation has flaws.
AF> If implemented properly, I don't see any reason for deprecation.

The proposal to deprecate STARTTLS is enough for me to deprecate it. I am
relying on the experience of others and best practice today.

AI>> If binkps over TLS was implemented today I think implicit TLS is
AI>> the way to do it.

AF> I don't agree. If it will be implemented this way, I can bet it will
AF> be adopted by less than 1% of systems.

In discussions I have had, I have received only positive feedback on the idea
of implementing binkps with TLS. I will go ahead and implement binkps in my own
setup when I can, with nodes who wish it and support it.

I have done this already with Mystic's mailer (Mystic's implementation needs
work) and Synchronet's BinkIT mailer. binkps using TLS is a reality today for
those using the BinkIT mailer. I have successfully sent and received netmail
using Synchronet's BinkIT mailer with binkd on the remote side.

BinkIT's mailer uses implicit TLS and is very secure and I would like to be
able to do this with binkd as well, since I use binkd on my node 153/757.

If binkd could listen on a secure TLS port (24553) and poll nodes listening on
a secure port I'm sure it would be widely accepted, although I wouldn't guess a
percentage.

AI>> We need a binkps listener on port 24553 (or the port you
AI>> intend to use) and a way to start a poll to such a listener.

AF> And for that we will need a lot of software updated on a lot of
AF> systems. Which will most probably never happen.

For a start there is the BinkIT mailer that supports TLS now. There are other
mailers in use also that likely won't be updated (Argus/Irex) but I think the
binkd mailer is the most used today looking at my own logs. If binkd supported
TLS most nodes could use it if they choose to.

It would be used here at my node.

AI>> I would be willing to test TLS with you if you like, even using
AI>> STARTTLS. If we got some testing under our belt we could discover
AI>> what works and what doesn't and be in a better position to give
AI>> feedback to the binkd developer(s).

AF> I am not a true coder, at least, I don't have enough skill/time to
AF> implement any kind of TLS support in binkd. If someone will do it,
AF> I'll be happy to test.

I am going to ask some nodes who have done this for advice on how they did it
and if I can do it will netmail you my findings and we can do some testing if
you would like.

I just need to get a bit of free time.

Ttyl :-),
        Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757)