Port 465 was deprecated for email. Port 587 is the way to go. The only email port I don't firewall on my server is 25. On the rest of the email ports, I block all countries that I don't visit. In addition, I use my 40k worth of CIDRs from hosting companies, VSPs, etc. that have hacked my web server. I don't block ISPs, as much as Comcast deserves to be blocked.
Firewalls do chew up RAM, but they use very little CPU. I believe you have a better server by blocking IP space that is just going to waste CPU cycles.

-------- Original Message --------
From: rich...@damon-family.org
Sent: September 29, 2019 5:29 PM
To: postfix-users@postfix.org
Subject: Re: Prevent sender address spoofing

On 9/29/19 8:04 PM, Hugo Florentino wrote:
> On Fri, 27-09-2019 at 12:22 -0400, Viktor Dukhovni wrote:
>> [...]
>>
>> This makes no sense. Portable devices use ports 587 or 465 with all
>> the other providers. And there's no "change ports constantly", they
>> just use the same submission port.
>>
>> Remote MTAs connect to port 25, submission clients (MUAs) connect
>> to port 587.
>>
> Suppose ISP imposes restrictions so the only port open either for SMTP
> or submission must be TCP 25. What then?
>

If an ISP allows you to run a mail server but won't allow access to 587/465, then you need a new ISP with a clue. Some ISPs will block OUTGOING port 25 to prevent you from being a spammer, requiring you to use their SMTP server for outgoing SMTP transport, but I haven't heard of one that blocks 587 or 465 unless they don't allow you to run servers and just block most server ports.

-- 
Richard Damon