COMMAND

    IIS

SYSTEMS AFFECTED

    IIS 4.0 with SMTP Server component

PROBLEM

    Seifried found the following.  The SMTP server listens on port 25
    (so what?) and on port 465 as well.  Port 465 (according to
    Microsoft) is reserved for SSL/SMTP as mentioned in:

      Article ID: Q176102 in the Microsoft KB

    This 'feature' is particularly nasty IMHO because in the SMTP
    control panel in the MMC there is no mention/hint of this; in
    fact, under the default settings only port 25 is listed, and
    there is no mention of 465.  What does this mean?  Many sites
    restrict access to their mail servers via firewalls/etc., and
    this easily allows someone to circumvent certain types of
    security setups.

    Russ Cooper added the following comments.  Some additional background:

        ftp://ietf.org/internet-drafts/draft-hoffman-smtp-ssl-07.txt

    is the current  draft protocol location.  In it, the  following is
    stated:

        C. Revocation of smtps Port

        An IANA port registration was made for an "smtps" port for use
        as a TLS-negotiated SMTP port. The email community has reached
        rough consensus  that widespread  use of  such a  port will be
        harmful to the  performance, interoperability and  security of
        SMTP.  This document  hereby revokes the IANA  registration of
        the "smtps" port and forbids future registration of a port for
        any "secure  SMTP" service.  IANA is  directed to  replace the
        port   registration   with   an   indication   that  the  port
        registration was  revoked, including  the effective  date. Two
        years after the effective date of revocation, the port may  be
        re-registered for a different purpose.

    The IANA registration for TLS (formerly SSMTP) was port 465.  It
    should be noted that this document is dated December 1, 1998 (typo
    ???), and the IANA port list still shows TLS at 465.

    ftp://ietf.org/internet-drafts/draft-ietf-tls-protocol-05.txt
    provides further information on TLS v1.0, and in it:

        E. Backward Compatibility With SSL

        For  historical  reasons  and  in  order to avoid a profligate
        consumption of  reserved port  numbers, application  protocols
        which  are  secured  by  TLS  1.0,  SSL  3.0,  and SSL 2.0 all
        frequently share  the same  connection port:  for example, the
        https protocol  (HTTP secured  by SSL  or TLS)  uses port  443
        regardless of which security protocol it is using. Thus,  some
        mechanism  must  be  determined  to  distinguish and negotiate
        among the various protocols.

    This document is dated December 1, 1997, so it would seem that
    Microsoft's implementation of TLS did not adhere to this standard
    proposal (or came just before that change??).  Given the IETF's
    stated position on TLS, Russ is referring to it from now on as
    MS-TLS since it is Microsoft's implementation and not "standard".
    Microsoft's Option Kit documentation does document the use of
    MS-TLS within the SMTP component of IIS, but it fails to mention
    anywhere that it would use port 465.  An exhaustive search of
    Microsoft's site, the KB, TechNet, and MSDN failed to turn up
    any MS reference to MS-TLS operating over 465.  Lacking detail
    from MS, the IETF docs would imply it shouldn't be on 465 (that
    it would be on 443 instead).

SOLUTION

    Rather obviously, firewall port 465.  You CANNOT disable the  port
    465 thing  at all  from the  MMC/HTML online  admin.  Removing the
    binding to  port 25  and setting  it to  another (even  465) still
    leaves the SMTP server talking on 465.

    According to Tim Poulsen you can edit the metabase to change the
    port number of the SMTPS service.  MetaEdit, the metabase editor,
    is available with the IIS4 resource kit.  Open the \LM\SmtpSvc\1\
    key.  There are two values that look appropriate, SecureBindings
    and RemoteSmtpSecurePort.  Change the values of these from 465 to
    another value of your choice.  (If you're running more than one
    SMTP "site" you will need to change the number "1" in the key
    noted above to match the appropriate number for your SMTP site.)
    Actually, changing the :465: in \LM\SmtpSvc\1\ServerBindings to
    :25: seems not to cause any problems, i.e. the only port MS's
    SMTP server is now running on is port 25.  Deleting it doesn't
    seem like such a great idea but doesn't cause any problems that
    crop up immediately; the server can still send mail, no problem.
    So, if you have this problem the solution is easy.  Go out and
    spend $50 on the IIS Resource Kit, ISBN 1-57231-638-1, and install
    MetaEdit.
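    The following is an added example, not code from the advisory or
    from Microsoft: a small Python audit of the \LM\SmtpSvc\<n>\ values
    named above that reports which binding keys open port 465 and
    computes the rebinding the MetaEdit procedure performs.  The
    "IP:Port:HostHeader" binding format, the dict layout and the
    DEFAULT_SITE values are assumptions drawn from the text.

```python
# Added example (not from the advisory or from Microsoft): audit the
# \LM\SmtpSvc\<n>\ values named in SOLUTION for the silent port 465
# listener and compute the MetaEdit rebinding.  Assumes IIS binding
# strings are "IP:Port:HostHeader" (":25:" = every IP, port 25).
from typing import Dict, List, Tuple

SMTPS_PORT = 465  # port IIS SMTP opens without listing it in the MMC
BINDING_KEYS = ("ServerBindings", "SecureBindings")

def parse_binding(binding: str) -> Tuple[str, int, str]:
    """Split an 'IP:Port:Host' binding; IP and host may be empty."""
    parts = binding.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        raise ValueError(f"malformed binding: {binding!r}")
    return parts[0], int(parts[1]), parts[2]

def listening_ports(metabase: Dict) -> Dict[int, List[str]]:
    """Map each port the SMTP site listens on to the keys that open it."""
    ports: Dict[int, List[str]] = {}
    for key in BINDING_KEYS:
        for binding in metabase.get(key, []):
            port = parse_binding(binding)[1]
            if key not in ports.setdefault(port, []):
                ports[port].append(key)
    return ports

def audit(metabase: Dict) -> List[str]:
    """Keys that expose port 465; an empty list means the site is clean."""
    return listening_ports(metabase).get(SMTPS_PORT, [])

def rebind(metabase: Dict, new_port: int) -> Dict:
    """Copy with every 465 binding and RemoteSmtpSecurePort moved to
    new_port (the MetaEdit edit); a resulting duplicate binding is dropped."""
    fixed = dict(metabase)
    for key in BINDING_KEYS:
        rewritten: List[str] = []
        for binding in metabase.get(key, []):
            ip, port, host = parse_binding(binding)
            if port == SMTPS_PORT:
                binding = f"{ip}:{new_port}:{host}"
            if binding not in rewritten:
                rewritten.append(binding)
        fixed[key] = rewritten
    if fixed.get("RemoteSmtpSecurePort") == SMTPS_PORT:
        fixed["RemoteSmtpSecurePort"] = new_port
    return fixed

# Constructed sample mirroring the default the advisory describes.
DEFAULT_SITE = {"ServerBindings": [":25:", ":465:"],
                "SecureBindings": [":465:"], "RemoteSmtpSecurePort": 465}
```

    Calling audit(DEFAULT_SITE) names both binding keys as exposing
    465, and listening_ports(rebind(DEFAULT_SITE, 25)) shows only port
    25 left, matching the observed result of editing ServerBindings.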