Phil Howard wrote:
> I'm trying to find out what port is to be used with "always on" SSL/TLS
> (e.g. no STARTTLS command needed, it just does SSL/TLS once the TCP
> connection is made, which I understand smtpd_tls_wrappermode=yes will
> do), and the RFCs are coming up empty. I thought it was 587. But
> RFC4409 doesn't say if this is, or is not, SSL/TLS. Some mail clients
> are using 465 by default, but that isn't even official for anything
> email related. Anyone know where this port 465 came from? RFC4409
> seems to just be about doing authentication to allow submission (e.g.
> submission protocol, smtp with authentication added). We definitely
> need to have a port running with "always on" SSL/TLS so certain access
> rules can be enforced at firewalls (that I seriously doubt can be easily
> made to verify that STARTTLS gets used). In theory, this would be the
> same as if I used stunnel listening on (probably) 587 and reconnecting
> back to [::1]:25 (aside from losing the ability to do any connection
> peer IP address checks).
if you mean "wrapper mode ssl" (aka smtps), then

$ grep smtps /etc/services
ssmtp           465/tcp         smtps           # SMTP over SSL

this is non standard. but it's used by outlook and by other "people".

in the old days, people kept adding new ports for SSL (http -> https,
ftp -> ftps, foo -> foos). while this was "simple", it creates its own
set of problems. so that approach was replaced by providing security
"inside" the protocol, instead of relying on an additional and
independent layer. so the standard for smtp is to use the STARTTLS
command. only use the old "smtps" as a compatibility mode (that you
discourage as much as you can).
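Added example (not from this thread or from the Postfix project's own files): how the two modes sit side by side in a Postfix master.cf, with the legacy smtps wrapper-mode listener on 465 and the standard submission listener on 587 enforcing STARTTLS on the server side rather than at the firewall. The service names and restriction lists are my assumptions, and main.cf is assumed to already carry the certificate, key and SASL settings.

```conf
# /etc/postfix/master.cf (excerpt) -- assumed layout, not from this thread.
# Assumes main.cf already sets smtpd_tls_cert_file / smtpd_tls_key_file
# and points smtpd_sasl_* at a working SASL backend.
#
# service    type  private unpriv  chroot  wakeup  maxproc command + args
#
# Port 465: legacy "smtps" wrapper mode. TLS starts as soon as the TCP
# connection is accepted, so a firewall can assume every byte is encrypted.
smtps        inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Port 587: standard submission (RFC 4409) with STARTTLS. Encryption is
# enforced by the server, not the firewall: "encrypt" makes Postfix refuse
# MAIL FROM until STARTTLS has succeeded, and smtpd_tls_auth_only keeps
# the AUTH command off the wire until the session is encrypted.
submission   inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, the distinct syslog_name prefixes show in the mail log which listener each client actually used, so the compatibility-mode traffic on 465 can be measured and discouraged over time.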