On 26 Nov 2019, at 7:56, Wesley Peng wrote:

> Hi
>
> on 2019/11/26 20:53, Jaroslaw Rafa wrote:
>> Sending mail out of an MTA is always on port 25. STARTTLS is used if
>> possible.
>
> If using plain port 25, the messages are not secure enough for
> traffic.
A rationally configured mail server in 2019 supporting both initial
submission and inbound transport (i.e. "MX" duty) will provide:

- Port 25 with optional STARTTLS and no authentication support, for
  inbound mail.
- Port 465 with implicit TLS and mandatory authentication, for initial
  mail submission.
- Port 587 with both STARTTLS and authentication mandatory, for initial
  mail submission. (Optional)
The 2 submission ports both provide the variant of SMTP defined in
RFC6409. Users should be encouraged to use 465 preferentially to 587,
for the reasons explained in RFC8314.
Historically, there was a proposal 20+ years ago that port 465 should be
used for standard SMTP transport with implicit SSL (SMTPS, analogous to
HTTPS) but it was dropped without definition in any RFC and without any
workable model for how sending SMTP servers would know which port to use
for a particular domain. However, multiple MTAs and MUAs implemented
SMTPS without a formal specification. For most of the years since, port
465 use was discouraged, in large part because there was no formal
specification and some prominent implementations were simplistic SSL/TLS
wrappers of the server's port 25 service, unfit for submission service.
As a result, we are left with the misnomer "SMTPS" for port 465 traffic
and a universe of MUAs and users conditioned for years to use port 587,
whom we are now telling to use port 465.

It should all get cleaned up properly just in time for the end of the
world (or at least the 32-bit Unix epoch...) in 2038.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
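One way to verify that a server actually follows the 25/465/587 split described in the post, as an added example that is not from the thread or from any MTA's own code: the policy table encodes the three rules, `evaluate` checks the EHLO keyword sets seen before and inside TLS, and `probe` gathers those sets from a live host. The host name and EHLO replies in the sample are constructed.

```python
import smtplib
import ssl
# Expected behaviour of each port, as laid out in the post above.
POLICY = {
    25:  {"implicit_tls": False, "starttls": "optional", "auth": False},
    465: {"implicit_tls": True,  "starttls": None,       "auth": True},
    587: {"implicit_tls": False, "starttls": "required", "auth": True},
}

def parse_ehlo(reply):
    """Keywords (upper-cased) from a multi-line 250 reply; the first 250 line is the server name and is skipped."""
    lines = [l for l in reply.splitlines() if l.startswith("250") and len(l) > 4]
    return {l[4:].split()[0].upper() for l in lines[1:]}

def evaluate(port, pre_tls, in_tls):
    """pre_tls/in_tls: keyword sets from the cleartext EHLO and from the EHLO issued
    inside TLS (either may be empty). Returns findings; [] means the port conforms."""
    rule, findings = POLICY[port], []
    if rule["auth"]:
        if "AUTH" in pre_tls:
            findings.append(f"{port}: AUTH offered before TLS, passwords could cross the wire in clear")
        if "AUTH" not in in_tls:
            findings.append(f"{port}: no AUTH inside TLS, port cannot serve submission")
    elif "AUTH" in pre_tls | in_tls:
        findings.append(f"{port}: AUTH advertised on the MX port, submission belongs on 465/587")
    if rule["starttls"] == "required" and "STARTTLS" not in pre_tls:
        findings.append(f"{port}: STARTTLS not advertised, cleartext submission possible")
    if rule["starttls"] == "optional" and "STARTTLS" not in pre_tls:
        findings.append(f"{port}: no STARTTLS, inbound mail from other MTAs arrives in clear")
    return findings

def probe(host, port, timeout=10):
    """Live check over the network: collect the two EHLO keyword sets for one port."""
    ctx = ssl.create_default_context()
    if POLICY[port]["implicit_tls"]:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            s.ehlo()
            return set(), {k.upper() for k in s.esmtp_features}
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = {k.upper() for k in s.esmtp_features}
        if "STARTTLS" not in pre:
            return pre, set()
        s.starttls(context=ctx)
        s.ehlo()  # features are reset by STARTTLS, so ask again inside TLS
        return pre, {k.upper() for k in s.esmtp_features}

# Constructed sample: a submission port that advertises AUTH before STARTTLS.
SAMPLE_587_PRE = "250-mx.example.test\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"
SAMPLE_587_TLS = "250-mx.example.test\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"
```

`evaluate(port, *probe(host, port))` runs the same checks against a real server; an empty list for each of the three ports is the layout the post describes.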