NNPS / TCP port 433

Julien ÉLIE julien at trigofacile.com
Thu Oct 28 07:24:37 UTC 2021


Hi Grant,

> IANA has the following three ports registered for NNTP:
> 
> NNTP  - 119 - RFC 3977 - unencrypted & explicit encryption via STARTTLS
> NNSP  - 433 - RFC 3977 - unspecified
> NNTPS - 563 - RFC 4642 - implicit encryption via TLS

And also a lesser-known port 532:
netnews - 532 - readnews

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?&page=10

Still reserved for Netnews, but no longer used nowadays (it used to be used by a 
Microsoft reader client decades ago, but I have no more information).


> RFC 3977 has "STARTTLS" but discusses it on TCP port 119.

Because it is more detailed in RFC 4642 (defining STARTTLS), which was 
updated by RFC 8143 (discouraging STARTTLS, in favour of implicit TLS 
connections, amongst other things).


> RFC 3977 also states:    The official TCP port for the NNTP service is 
> 119.  However, if a host wishes to offer separate servers for transit 
> and reading clients, port 433 SHOULD be used for the transit server and 
> 119 for the reading server.
> 
> This second statement makes me think that the only difference between 
> TCP ports 119 and 433 is their intended purpose.  This seems reminiscent 
> of SMTP's MTA port 25 and MSA port 587, both of which are unencrypted / 
> explicit encryption via STARTTLS.
> 
> So ... what should the NNSP / TCP port 433 be?  My inclination is that 
> NNSP / TCP port 433 is identical to NNTP / TCP port 119.
> 
> What say you?

That's right, as Russ answered earlier.

Nonetheless, I have another question, now that implicit TLS is the 
preferred way to use TLS.

- For news servers with both transit and reader facilities on the same 
daemon, port 119 can be used unencrypted, and port 563 with TLS (even 
for the transit facility by the way).
Port 433 remains unencrypted for the transit facility, if a separate 
port is needed.

- For mode-switching news servers like INN, port 119 can be used 
unencrypted for transit and reader facilities, and port 563 with TLS for 
reader.
Port 433 remains unencrypted for the transit facility.  And then the 
question is: what should be done for transit with implicit TLS?  We 
cannot run 2 innd instances (one for unencrypted connections, another 
one for implicit TLS).  Wouldn't we need a 4th port for that?
Or say port 433 is for implicit TLS for mode-switching servers?  (But 
then, separating unencrypted transit and reader cannot be done.)

-- 
Julien ÉLIE

« Getting you back on your feet has made him lose his head! » (Astérix)


More information about the inn-workers mailing list