On 17/05/21 10:37 pm, Jaroslaw Rafa wrote:
> I would disagree that port 465 with TLS-wrapper around SMTP is better than
> port 587 with STARTTLS. It's only your personal opinion. Port 587 with
> mandatory STARTTLS is in no way less secure than TLS-wrapped port 465.

I used to make that argument (see below).

> In fact, port 587 with STARTTLS is more standards-compliant than port 465,
> because the latter has never been published as official standard.

This is incorrect:
https://datatracker.ietf.org/doc/html/rfc8314

> My personal opinion would be completely contrary to yours: use port 587 with
> (mandatory) TLS whenever possible, only if the server does not offer it, but
> offers TLS-wrapped port 465, fall back to that instead.

A couple of years ago I would have said the same, but times have changed and standards have been updated, and with good reason.

Even with mandatory encryption enabled on the server side there is still an attack channel open for clients (and they do exist) that offer opportunistic encryption from the client side. A MITM can block the encrypted connection on the port, offer a plain text only connection and then in turn connect to the server with STARTTLS. This allows the MITM to bypass the encryption mandated by the server and still eavesdrop and even actively alter the content of the communication. This is why RFC 8314 now recommends that plain text protocols such as submission on 587 be discouraged in favor of implicit TLS connections such as submissions (port 465). Hence my recommendation that submissions is preferred and submission with mandatory STARTTLS is acceptable.

> But all this discussion has nothing to do with the original question, as the OP
> explicitly wanted to test sending mail via port 25.

Which in and of itself is wrong. Port 25 has not been for the submission of mail since April 2006, when RFC 4409 officially split the functions of submission and relaying onto separate ports.


Peter

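An added illustration of the STARTTLS-stripping downgrade described in Peter's reply, and of why implicit TLS on 465 does not have the problem. This is example code written for this page, not code from the thread or from any mail server; the host name, EHLO capability list and credentials are constructed sample data, and the model assumes the client verifies the server certificate (otherwise a MITM could also impersonate the server inside TLS, which is a different attack from stripping).

```python
"""
Model of STARTTLS stripping on submission (587) versus implicit TLS (465).

Three client policies are compared against a server that requires TLS
before AUTH (Postfix: smtpd_tls_security_level = encrypt), with and
without an attacker sitting between client and server.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed EHLO response of the (honest) submission server.
SERVER_EHLO = [
    "250-mail.example.com",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250 8BITMIME",
]


@dataclass
class Transcript:
    client_link_encrypted: bool = False   # client <-> next hop
    server_link_encrypted: bool = False   # next hop <-> real server
    credentials_seen_by_mitm: Optional[str] = None
    aborted: bool = False
    log: list[str] = field(default_factory=list)


def mitm_strip(ehlo_lines: list[str]) -> list[str]:
    """Rewrite the clear-text EHLO reply so the client never sees STARTTLS."""
    kept = [l for l in ehlo_lines if not l.upper().endswith("STARTTLS")]
    if kept and kept[-1].startswith("250-"):      # keep the reply well-formed
        kept[-1] = "250 " + kept[-1][4:]
    return kept


def server_accepts_auth(tls_active: bool) -> bool:
    """Server-side 'mandatory TLS': AUTH is only accepted inside TLS."""
    return tls_active


def submit(policy: str, mitm_present: bool,
           username: str = "alice", password: str = "hunter2") -> Transcript:
    """
    policy: 'opportunistic' - STARTTLS if offered, otherwise continue in clear
            'required'      - abort unless STARTTLS is offered
            'implicit'      - port 465: TLS handshake before any SMTP byte
    """
    t = Transcript()
    if policy == "implicit":
        # Nothing is negotiated in clear text, so there is nothing to strip.
        # With certificate verification an interposed host cannot complete
        # the handshake, and the session never reaches a plaintext state.
        if mitm_present:
            t.log.append("C: TLS handshake failed: cert does not match mail.example.com")
            t.aborted = True
            return t
        t.client_link_encrypted = t.server_link_encrypted = True
        t.log.append("C: <TLS established on 465>")
    else:
        # Port 587 starts in the clear; capabilities arrive unauthenticated.
        ehlo = mitm_strip(SERVER_EHLO) if mitm_present else SERVER_EHLO
        t.log.extend("S: " + l for l in ehlo)
        offered = any(l.upper().endswith("STARTTLS") for l in ehlo)
        if offered:
            t.log.append("C: STARTTLS")
            t.client_link_encrypted = t.server_link_encrypted = True
        elif policy == "required":
            t.log.append("C: QUIT  (STARTTLS not offered; refusing clear-text AUTH)")
            t.aborted = True
            return t
        else:
            t.log.append("C: (no STARTTLS offered; continuing in plaintext)")
            if mitm_present:
                # The attacker negotiates TLS with the real server itself,
                # so the server's mandatory-TLS check is satisfied.
                t.server_link_encrypted = True
                t.log.append("M->S: STARTTLS")

    t.log.append(f"C: AUTH PLAIN {username}:{password}")  # simplified, not base64
    if mitm_present and not t.client_link_encrypted:
        t.credentials_seen_by_mitm = f"{username}:{password}"
    if not server_accepts_auth(t.server_link_encrypted):
        t.log.append("S: 530 5.7.0 Must issue a STARTTLS command first")
        t.aborted = True
        return t
    t.log.append("S: 235 2.7.0 Authentication successful")
    return t


if __name__ == "__main__":
    for policy in ("opportunistic", "required", "implicit"):
        r = submit(policy, mitm_present=True)
        print(f"{policy:13s} with MITM: aborted={r.aborted} "
              f"leaked={r.credentials_seen_by_mitm}")
```

Only the opportunistic client loses its credentials: the server's mandatory TLS is satisfied (by the attacker's leg), which is exactly why a server-side `encrypt` setting alone does not protect a client that merely prefers TLS. In practice "required" on 587 means calling `smtplib.SMTP.starttls()` unconditionally (it raises `SMTPNotSupportedError` when the extension is not advertised) rather than guarding it with `has_extn("starttls")`, or `smtp_tls_security_level = encrypt` in a Postfix client; implicit TLS on 465 is `smtplib.SMTP_SSL` or `smtp_tls_wrappermode = yes`.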