I use a role to submit email through an SMTP server specific to the
domain of the email address in question. I use either the /ssl or /tls
parameter, depending on what works through trial and error. I also
submit the username and the password is stored in the passfile.

I think you've explained that /tls is really STARTTLS, which I've always
found confusing.

I've been unable to send email through one SMTP server. I get the 100%
submitted, but the test message hasn't been received at one of my other
addresses.

I added /submit and the test message was received.

I had assumed that by specifying /ssl or /tls, alpine used port 587. Is
that wrong? Does alpine use port 25 by default?

I changed all my roles to add /submit.

On Thu, 17 Mar 2022, Adam H. Kerman wrote:

> I think you've explained that /tls is really STARTTLS, which I've always
> found confusing.

I agree. I added an alias "/starttls" to make it less confusing

> I've been unable to send email through one SMTP server. I get the 100%
> submitted, but the test message hasn't been received at one of my other
> addresses.
>
> I added /submit and the test message was received.
>
> I had assumed that by specifying /ssl or /tls, alpine used port 587. Is
> that wrong? Does alpine use port 25 by default?

Yes, Alpine uses the default port for any connection whose port is not
specified in some way. Let me make that a little bit more clear:

smtp.server.com

means to connect in port 25, so doing

smtp.server.com/tls

means to connect in port 25 and do STARTTLS in that port. The correct port
to do /tls is port 587, so you have to add this as

smtp.server.com:587/tls

However, Alpine has a shortcut for that ant it is

smtp.server.com:587/tls = smtp.server.com/submit

This is the same when you speciy other means to connect such as

smtp.server.com/ssl

which is equivalent to

smtp.server.com/ssl = smtp.server.com:465/ssl

in other words the modifier also modifies the connection port. For
security reasons always prefer /ssl over STARTTLS, so if you can change
/submit to /ssl do that, otherwise /submit is the next best thing.

I hope this helps.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)

Eduardo Chappa <chappa@washington.edu> wrote:
>On Thu, 17 Mar 2022, Adam H. Kerman wrote:

>>I think you've explained that /tls is really STARTTLS, which I've always
>>found confusing.

>I agree. I added an alias "/starttls" to make it less confusing

Thanks!

>>I've been unable to send email through one SMTP server. I get the 100%
>>submitted, but the test message hasn't been received at one of my other
>>addresses.

>>I added /submit and the test message was received.

>>I had assumed that by specifying /ssl or /tls, alpine used port 587. Is
>>that wrong? Does alpine use port 25 by default?

>Yes, Alpine uses the default port for any connection whose port is not
>specified in some way. Let me make that a little bit more clear:

>smtp.server.com

>means to connect in port 25, so doing

>smtp.server.com/tls

>means to connect in port 25 and do STARTTLS in that port. The correct port
>to do /tls is port 587, so you have to add this as

>smtp.server.com:587/tls

>However, Alpine has a shortcut for that ant it is

>smtp.server.com:587/tls = smtp.server.com/submit

/submit means STARTTLS and port 587? I've never read that in the help
text. Does /submit allow it to step down to an unencrypted connection if
STARTTLS fails? I'd prefer to avoid that.

>This is the same when you speciy other means to connect such as

>smtp.server.com/ssl

>which is equivalent to

>smtp.server.com/ssl = smtp.server.com:465/ssl

/ssl means port 465? I thought we're not supposed to use that port for
SSL as it's never been officially assigned.

>in other words the modifier also modifies the connection port. For
>security reasons always prefer /ssl over STARTTLS, so if you can change
>/submit to /ssl do that, otherwise /submit is the next best thing.

Does /submit/ssl use port 587?

>I hope this helps.

I hate to say I'm confused on a few of these points.

On Fri, 18 Mar 2022, Adam H. Kerman wrote:

> /submit means STARTTLS and port 587? I've never read that in the help
> text. Does /submit allow it to step down to an unencrypted connection if
> STARTTLS fails? I'd prefer to avoid that.

No, if STARTTLS fails there goes your session. Read more on the following
help link (if followed from alpine) x-alpine-help:h_folder_server_syntax

>> This is the same when you speciy other means to connect such as
>
>> smtp.server.com/ssl
>
>> which is equivalent to
>
>> smtp.server.com/ssl = smtp.server.com:465/ssl
>
> /ssl means port 465? I thought we're not supposed to use that port for
> SSL as it's never been officially assigned.

Well, that is what /ssl means, it is in the source code, but you can
specify any port.

>> in other words the modifier also modifies the connection port. For
>> security reasons always prefer /ssl over STARTTLS, so if you can change
>> /submit to /ssl do that, otherwise /submit is the next best thing.
>
> Does /submit/ssl use port 587?

That dos not do what you want it to do. This is like doing /tls/ssl. It is
contradictory and will not work.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)

According to Adam H. Kerman <ahk@chinet.com>:
>>This is the same when you speciy other means to connect such as
>
>>smtp.server.com/ssl
>
>>which is equivalent to
>
>>smtp.server.com/ssl = smtp.server.com:465/ssl
>
>/ssl means port 465? I thought we're not supposed to use that port for
>SSL as it's never been officially assigned.

RFC 8314 fixed that five years ago. Submit away.

--
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

John Levine <johnl@taugh.com> wrote:
>According to Adam H. Kerman <ahk@chinet.com>:

>>>This is the same when you speciy other means to connect such as

>>>smtp.server.com/ssl

>>>which is equivalent to

>>>smtp.server.com/ssl = smtp.server.com:465/ssl

>>/ssl means port 465? I thought we're not supposed to use that port for
>>SSL as it's never been officially assigned.

>RFC 8314 fixed that five years ago. Submit away.

Thank you for pointing that out.

Eduardo Chappa <chappa@washington.edu> wrote:
>On Fri, 18 Mar 2022, Adam H. Kerman wrote:

>>/submit means STARTTLS and port 587? I've never read that in the help
>>text. Does /submit allow it to step down to an unencrypted connection if
>>STARTTLS fails? I'd prefer to avoid that.

>No, if STARTTLS fails there goes your session. Read more on the following
>help link (if followed from alpine) x-alpine-help:h_folder_server_syntax

>>>This is the same when you speciy other means to connect such as

>>>smtp.server.com/ssl

>>>which is equivalent to

>>>smtp.server.com/ssl = smtp.server.com:465/ssl

>>/ssl means port 465? I thought we're not supposed to use that port for
>>SSL as it's never been officially assigned.

>Well, that is what /ssl means, it is in the source code, but you can
>specify any port.

>>>in other words the modifier also modifies the connection port. For
>>>security reasons always prefer /ssl over STARTTLS, so if you can change
>>>/submit to /ssl do that, otherwise /submit is the next best thing.

>>Does /submit/ssl use port 587?

>That dos not do what you want it to do. This is like doing /tls/ssl. It is
>contradictory and will not work.

It appears that with /ssl parameter used, /submit is ignored.

If I'm now following you, /ssl used port 465 by default and attempts TLS
1.3.

It would make my life easier if there were a chart in the help text.

Protocol tried first default port

/submit STARTTLS 587
/ssl TLS 1.3 465
/tls I'm still confused

Ok. I redid the SMTP entry in each of my roles for the second time this
week. I eliminated /submit and /tls. In each case I'm using /ssl but I
have no idea what happens if TLS 1.3 isn't available. Does that cause
failure or does it attempt TLS 1.2?

On Fri, 18 Mar 2022, Adam H. Kerman wrote:

> It appears that with /ssl parameter used, /submit is ignored.

/ssl and /submit are mutually exclusive.

> It would make my life easier if there were a chart in the help text.
>
> Protocol tried first default port
>
> /submit STARTTLS 587
> /ssl TLS 1.3 465
> /tls I'm still confused

Adam, I can see your confusion. STARTTLS is not a protocol, STARTTLS is a
command which tells the server that you are going to negotiate a secure
connection using TLS. The version of TLS that will be used depends on what
versions ot TLS where compiled into Alpine and into the server. The server
and Alpine will negotiate the highest version of TLS that both of them
support. When you see that the negotiation is being done with TLS version
1.3 it means that both Alpine and the server support it, and that is good,
but if Alpine supported only TLS 1.2, that is what would be negotiated.

Let me correct myself. It is not Alpine that supports TLS 1.2, it is
openssl. All of that negotiation is done by openssl, not Alpine. Alpine
uses openssl to negotiate the secure connection, so the table above does
not make sense in the sense you want to write.

However, one more thing. When you add /tls to a connection it means that
you will connect insecurely to that server and then use the STARTTLS
command to negotiate a secure connection. That is different than what
happens when you add /ssl, which means connecting securely to the server
from the very beginning. As I said before /ssl and /tls are mutually
exclusive.

> Ok. I redid the SMTP entry in each of my roles for the second time this
> week. I eliminated /submit and /tls. In each case I'm using /ssl but I
> have no idea what happens if TLS 1.3 isn't available. Does that cause
> failure or does it attempt TLS 1.2?

It is not TLS 1.3 that is negotiated, it is the highest version of the
protocol that both the server and alpine support. In your case it might be
TLS 1.3, or maybe something smaller if the server does not support TLS
1.3.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)

Eduardo Chappa <chappa@washington.edu> wrote:
>On Fri, 18 Mar 2022, Adam H. Kerman wrote:

>>It appears that with /ssl parameter used, /submit is ignored.

>/ssl and /submit are mutually exclusive.

>>It would make my life easier if there were a chart in the help text.

>> Protocol tried first default port

>>/submit STARTTLS 587
>>/ssl TLS 1.3 465
>>/tls I'm still confused

>Adam, I can see your confusion. STARTTLS is not a protocol, STARTTLS is a
>command which tells the server that you are going to negotiate a secure
>connection using TLS. The version of TLS that will be used depends on what
>versions ot TLS where compiled into Alpine and into the server. The server
>and Alpine will negotiate the highest version of TLS that both of them
>support. When you see that the negotiation is being done with TLS version
>1.3 it means that both Alpine and the server support it, and that is good,
>but if Alpine supported only TLS 1.2, that is what would be negotiated.

>Let me correct myself. It is not Alpine that supports TLS 1.2, it is
>openssl. All of that negotiation is done by openssl, not Alpine. Alpine
>uses openssl to negotiate the secure connection, so the table above does
>not make sense in the sense you want to write.

Ah

>However, one more thing. When you add /tls to a connection it means that
>you will connect insecurely to that server and then use the STARTTLS
>command to negotiate a secure connection.

Is port 587 used by default with the /tls parameter specified?

Thank you for the explanation.

>>. . .

On Sat, 19 Mar 2022, Adam H. Kerman wrote:

> Is port 587 used by default with the /tls parameter specified?

No, for any server, when you use

server.com:port/tls

you connect insecurely to server.com at that specific port. when you omit
the port, as in

server.com/tls

you connect to server.com at the default insecure port and then you
negotiate a secure connection using the STARTTLS command. In the case of
SMTP this would be port 25. Since STARTTLS exists in port 587 you would
either use

server.com:587/tls

or the equivalent

server.com/submit

I hope this helps.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)

Eduardo Chappa <chappa@washington.edu> wrote:
>On Sat, 19 Mar 2022, Adam H. Kerman wrote:

>>Is port 587 used by default with the /tls parameter specified?

>No, for any server, when you use

>server.com:port/tls

>you connect insecurely to server.com at that specific port. when you omit
>the port, as in

>server.com/tls

>you connect to server.com at the default insecure port and then you
>negotiate a secure connection using the STARTTLS command. In the case of
>SMTP this would be port 25. Since STARTTLS exists in port 587 you would
>either use

>server.com:587/tls

>or the equivalent

>server.com/submit

>I hope this helps.

Thanks