On Fri, May 21, 2010 at 14:48, Matt Hayes <domin...@slackadelic.com> wrote:
> On 5/21/2010 2:33 PM, Phil Howard wrote:
> > I'm trying to find out what port is to be used with "always on" SSL/TLS
> > (e.g. no STARTTLS command needed, it just does SSL/TLS once the TCP
> > connection is made, which I understand smtpd_tls_wrappermode=yes will
> > do), and the RFCs are coming up empty. I thought it was 587. But
> > RFC4409 doesn't say if this is, or is not, SSL/TLS. Some mail clients
> > are using 465 by default, but that isn't even official for anything
> > email related. Anyone know where this port 465 came from? RFC4409
> > seems to just be about doing authentication to allow submission (e.g.
> > submission protocol, smtp with authentication added). We definitely
> > need to have a port running with "always on" SSL/TLS so certain access
> > rules can be enforced at firewalls (that I seriously doubt can be easily
> > made to verify that STARTTLS gets used). In theory, this would be the
> > same as if I used stunnel listening on (probably) 587 and reconnecting
> > back to [::1]:25 (aside from losing the ability to do any connection
> > peer IP address checks).
>
> Well, you can put SSL/TLS on any port really. Submission being 587,
> pop3s being 995, smtps being 465.. which ports are you wanting SSL/TLS on?

I want it on a non-conflicting port, or at least one I know I won't ever use (which is pretty much the null set).
According to ftp://ftp.iana.org/assignments/port-numbers, port 465 is assigned to something else:

# Theodore Ts'o <tytso*MIT.EDU>
urd             465/tcp    URL Rendesvous Directory for SSM
igmpv3lite      465/udp    IGMP over UDP for SSM

So that leaves me with:

# Jon Postel <postel*isi.edu>
                24/tcp     any private mail system
                24/udp     any private mail system
# Rick Adams <rick*UUNET.UU.NET>
smtp            25/tcp     Simple Mail Transfer
smtp            25/udp     Simple Mail Transfer

and:

submission      587/tcp    Submission
submission      587/udp    Submission

It does look like these:

# Vera Heinau <heinau*fu-berlin.de>
# Heiko Schlichting <heiko*fu-berlin.de>
telnets         992/tcp    telnet protocol over TLS/SSL
telnets         992/udp    telnet protocol over TLS/SSL
imaps           993/tcp    imap4 protocol over TLS/SSL
imaps           993/udp    imap4 protocol over TLS/SSL
ircs            994/tcp    irc protocol over TLS/SSL
ircs            994/udp    irc protocol over TLS/SSL
# Christopher Allen <ChristopherA*consensus.com>
pop3s           995/tcp    pop3 protocol over TLS/SSL (was spop3)
pop3s           995/udp    pop3 protocol over TLS/SSL (was spop3)

and a few others are clearly over TLS/SSL (and not just STARTTLS as an option). Since port 25 must stay clear for acceptance of (insecure) mail exchange, at least it could use STARTTLS (why not?). So I wasn't expecting that submission (starting in the clear) would need a separate port (e.g. its current standard of 587 ... and apparently not over TLS/SSL). There don't seem to be enough ports, if submission and/or STARTTLS are more than just mere extensions to SMTP. I guess I can use port 24?
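The two listener flavours the thread contrasts, written out as a Postfix master.cf fragment. This is an added example, not configuration posted by anyone in the thread; it assumes the service names smtps and submission resolve via /etc/services, and the syslog_name values and restriction lists are my own choices.

```conf
# master.cf excerpt (added example, not from this thread)
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================

# Wrapper-mode ("always on") TLS on 465: the TLS handshake starts as soon as
# the TCP connection is open, so a firewall can enforce "TLS only" by port
# alone, with no need to inspect for a STARTTLS command.
# If /etc/services has no "smtps" entry, put 465 in the first column instead.
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# RFC 4409 submission on 587: the session starts in the clear and the server
# announces STARTTLS; "encrypt" makes TLS mandatory before any mail commands,
# but that is enforced by Postfix, not visible to a port-based firewall rule.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Port 25 is left at its main.cf defaults so inbound MX traffic, which must be accepted without TLS, keeps working; the separate syslog_name values make it easy to tell in the logs which of the three listeners a session used.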