On 4/5/2015 12:42 PM, Muhammad Yousuf Khan wrote:
> Thanks Chris,
>
> Please correct me if I am wrong. Just sharing this if my concept is
> correct.
>
> port 25 is to send email b/w mailservers.

Yes, port 25 is required for MTA to MTA mail transfer. Opportunistic STARTTLS should be enabled, but must not be required since not all clients wishing to transfer mail will support encryption. Internet mail servers cannot transfer mail over alternate ports without prior mutual arrangement.

> if my client (e.g. outlook) wants to send email it must use port 465
> and 587 for security.

This is really more of a /should/ than a /must/, and subject to local policy decisions. For new installations, it is strongly recommended to require your customers to use port 587 (or 465) and to disable AUTH on port 25. Some sites allow authorized clients to use SASL AUTH on port 25, but that's to avoid inconveniencing long-time customers. It makes for cleaner administration to separate general incoming mail and customer mail.

> port 465 is for SSL Wrapped SMTP port but can also be used with TLS;
> however some clients do not support this method. thus may fail 465
> with TLS setup.

I don't know of any clients that support encryption that cannot use port 465. Note that many desktop mail clients refer to TLS-wrapped sessions on port 465 as "SSL" even though the protocol is really TLS, i.e. the user must set the client for "SSL" encryption. Many sites enable port 465 as a convenience to their customers since it doesn't cost anything nor significantly affect security. Others refuse to enable port 465 for philosophical reasons.

> Since 587 port is the new standard and clients are well aware of
> 587+TLS. therefore the good route to go is 586 with TLS.

Yes, you should enable port 587 with STARTTLS and require all your clients to use it, at least in your published documents. You may consider also enabling port 465 wrappermode, but no need to publish that information.

-- 
Noel Jones
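A server-side configuration that matches the advice in this thread (opportunistic STARTTLS and no AUTH on 25, STARTTLS required plus SASL AUTH on 587, TLS wrapper mode on 465), added here as an example and not taken from the list message. It assumes Postfix, which the thread does not name, and that a SASL backend and certificate paths (placeholders below) are already in place.

```text
# ---- main.cf (assumed Postfix; added example, not from the thread) ----
# Port 25 policy: offer STARTTLS but never require it (remote MTAs may not
# support TLS), and do not offer AUTH at all on the MTA-to-MTA port.
smtpd_tls_security_level = may
# placeholder paths; replace with your real certificate and key
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_sasl_auth_enable = no
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

# ---- master.cf ----
# service    type  private unpriv chroot wakeup maxproc command
# Port 25: plain smtpd, inherits the main.cf settings above.
smtp         inet  n       -      n      -      -       smtpd

# Port 587 (submission): STARTTLS is mandatory, AUTH is advertised only
# after TLS is up, and only authenticated clients may relay.
submission   inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# Port 465: TLS wrapper mode, what desktop clients label "SSL".
# The service name must resolve to 465 in /etc/services; use "465"
# in place of "smtps" if it does not.
smtps        inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After editing, run `postfix reload` and confirm the effective settings with `postconf -n` and `postconf -M`.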