From: John Peach on 21 May 2010 15:40

On Fri, 21 May 2010 15:35:55 -0400
Phil Howard <ttiphil(a)gmail.com> wrote:

> On Fri, May 21, 2010 at 15:29, John Peach <postfix(a)johnpeach.com> wrote:
>
> > 465 is for SMTP over SSL, which is deprecated.
>
> What is deprecated? Using port 465? Or doing SMTP over SSL?

SMTP over SSL

> Unfortunately, I need to do the latter because of some network
> security and access issues (and for like reason am doing IMAP over
> SSL on port 993 and POP over SSL on port 995).
>
> I could go ahead and do SMTP over SSL on port 465. Are you sure it
> won't conflict with anything?

Just use port 465 if you want, but the submission port would make more
sense (587)

> I'm doing optional STARTTLS (e.g. smtpd_tls_security_level=may and
> smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination)
> on port 25.
>
> What should I be doing on port 587?

Why not use "smtpd_tls_security_level = encrypt" on port 587?

http://www.postfix.org/TLS_README.html

-- 
John
From: Wietse Venema on 21 May 2010 15:42

Phil Howard:
> I'm doing optional STARTTLS (e.g. smtpd_tls_security_level=may and
> smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination)
> on port 25.
>
> What should I be doing on port 587?

There's an example submission (port 587) service in recent master.cf
files:

#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

This example should also have

   -o smtpd_sasl_tls_security_options=noanonymous

to allow plain-text passwords over TLS.

	Wietse
From: Phil Howard on 21 May 2010 16:04

On Fri, May 21, 2010 at 15:40, John Peach <postfix(a)johnpeach.com> wrote:

> Why not use "smtpd_tls_security_level = encrypt" on port 587?

The remote site involved is tunneling these connections through something
like SSL, as far as I can tell. It works fine on port 993 for IMAP.

Why is SMTP over SSL deprecated while others over SSL are not? Seems
inconsistent. OTOH, almost everything over TCP could have a use for an
SSL variant. But with no consistent way to do STARTTLS on all protocols,
there would be no clear way to engage it short of a designated port ... or
creating a new transport (e.g. something that could have been called
TCPTLS or such).

OK, I can do SMTP over TLS/SSL on port 465 (with a slight and unlikely
risk of usage collision). So what is port 587 for?
From: Charles Marcus on 21 May 2010 16:15

On 2010-05-21 4:04 PM, Phil Howard wrote:
> OK, I can do SMTP over TLS/SSL on port 465 (with a slight and unlikely
> risk of usage collision). So what is port 587 for?

? This question has been answered at least 3 or 4 times in this very
thread.

port 465 is for SMTP+SSL
this is DEPRECATED and has been for a long time

port 587 is for SMTP+STARTTLS
this is the designated SMTP SUBMISSION port

The submission port should always be used instead of port 465 unless you
must support older clients like Outlook Express and older versions of
Outlook that will only do SMTP+SSL over port 465.

-- 
Best regards,
Charles
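The two listeners discussed above, the port-587 submission service from Wietse's master.cf excerpt and a port-465 implicit-TLS service as Charles describes it, put side by side with a small lint that checks the security-relevant overrides. This is an added example, not code from the thread or from Postfix. The master.cf text is constructed for illustration: the port-465 entry assumes the service name "smtps" resolves in /etc/services and uses smtpd_tls_wrappermode=yes, which is how Postfix serves SSL-wrapped SMTP on that port (the thread's "deprecated" remarks reflect 2010; RFC 8314 later registered 465 as "submissions" for implicit TLS). Port 25 is deliberately left with the main.cf default rather than "encrypt", since forcing TLS on the MX port breaks delivery from senders that don't offer STARTTLS. The lint only reads the "-o" overrides; settings inherited from main.cf are not evaluated.

```python
"""Lint a Postfix master.cf for submission-service TLS/SASL settings.
Added example; the master.cf samples are constructed, not real deployments."""
import shlex

# Constructed sample: port-25 MX listener (TLS optional via main.cf),
# port-587 submission (STARTTLS required) and port-465 smtps (implicit
# TLS). The "smtps" service name is assumed to exist in /etc/services.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_tls_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_tls_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

# Constructed weak variant: SASL on, but TLS only optional, no
# client restrictions override, and plaintext mechanisms blocked
# even inside TLS (the problem Wietse's "noanonymous" note addresses).
WEAK_MASTER_CF = """\
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_tls_security_options=noplaintext,noanonymous
"""


def parse_master_cf(text):
    """Return {service: {"type", "command", "options"}} for each entry.
    master.cf rules: '#' starts a comment, a line beginning with
    whitespace continues the previous entry, fields are
    name type private unpriv chroot wakeup maxproc command [args],
    and '-o name=value' args override main.cf for that service."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            entries[-1].append(raw.strip())
        else:
            entries.append([raw.strip()])
    services = {}
    for lines in entries:
        fields = shlex.split(" ".join(lines))
        name, stype = fields[0], fields[1]
        command = fields[7] if len(fields) > 7 else ""
        args = fields[8:]
        opts = {}
        i = 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                key, val = args[i + 1].split("=", 1)
                opts[key.strip()] = val.strip()
                i += 2
            else:
                i += 1
        services[name] = {"type": stype, "command": command, "options": opts}
    return services


def lint_submission_services(services):
    """For every inet smtpd listener with SASL enabled: TLS must be
    mandatory (encrypt, or wrapper mode for port 465), unauthenticated
    clients must be rejected, and plaintext SASL must be allowed over TLS."""
    problems = []
    for name, svc in services.items():
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        o = svc["options"]
        if o.get("smtpd_sasl_auth_enable", "no") != "yes":
            continue  # MX-style listener, not a submission service
        wrapper = o.get("smtpd_tls_wrappermode", "no") == "yes"
        level = o.get("smtpd_tls_security_level", "")
        if not wrapper and level != "encrypt":
            problems.append(f"{name}: SASL enabled but TLS not mandatory "
                            f"(smtpd_tls_security_level={level or 'unset'})")
        restr = o.get("smtpd_client_restrictions", "")
        if "permit_sasl_authenticated" not in restr or not restr.endswith("reject"):
            problems.append(f"{name}: smtpd_client_restrictions should be "
                            "permit_sasl_authenticated,reject")
        if "noplaintext" in o.get("smtpd_sasl_tls_security_options", ""):
            problems.append(f"{name}: noplaintext in smtpd_sasl_tls_security_options "
                            "blocks PLAIN/LOGIN even over TLS")
    return problems


def lint_text(text):
    """Parse a master.cf string and return the list of findings."""
    return lint_submission_services(parse_master_cf(text))


if __name__ == "__main__":
    for label, cfg in (("good", SAMPLE_MASTER_CF), ("weak", WEAK_MASTER_CF)):
        print(label, lint_text(cfg) or "no findings")
```

Run it against your own file with lint_text(open("/etc/postfix/master.cf").read()); the restriction check is a plain string match, so an entry that spells the same policy with spaces after the comma will be flagged and should be read by hand.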
From: Phil Howard on 21 May 2010 16:43

On Fri, May 21, 2010 at 16:15, Charles Marcus <CMarcus(a)media-brokers.com> wrote:
> On 2010-05-21 4:04 PM, Phil Howard wrote:
>> OK, I can do SMTP over TLS/SSL on port 465 (with a slight and unlikely
>> risk of usage collision). So what is port 587 for?
>
> ? This question has been answered at least 3 or 4 times in this very thread.
>
> port 465 is for SMTP+SSL
> this is DEPRECATED and has been for a long time
>
> port 587 is for SMTP+STARTTLS
> this is the designated SMTP SUBMISSION port
>
> The submission port should always be used instead of port 465 unless you
> must support older clients like Outlook Express and older versions of
> Outlook that will only do SMTP+SSL over port 465.

I don't want to use port 465 because it isn't an unassigned port (though
even unassigned has a risk that it could become assigned later on). But I
need to use SMTP over TLS/SSL. It's not due to a client, but instead, due
to networking (tunnelled TCP connections).

It seems my choice is between using 465 or using some unassigned
arbitrary port. Maybe 60025?