RFC6409 specifies port 587 as reserved, but allow port 25 to be used also: https://tools.ietf.org/html/rfc6409#section-3 " Port 587 is reserved for email message submission as specified in this document. Messages received on this port are defined to be submissions. The protocol used is ESMTP [SMTP-MTA], with additional restrictions or allowances as specified here.
Although most email clients and servers can be configured to use port 587 instead of 25, there are cases where this is not possible or convenient. A site MAY choose to use port 25 for message submission by designating some hosts to be MSAs and others to be MTAs. " So I would not qualify it as a bad/weird practice to use port 25 for sending mail, but as stated, then there should be reserved hosts for MTA and others for MSA (thus the problem of mixing configurations of TLS disappears). My references on allowed output ports might be too limited and it is true that for output TCP/25 port, in France, we have some FAI blocking it for botnets/SPAM fighting purposes. I tried to search for surveys on most common output open ports, but didn't find any good references. In case anybody know/have some doc on this topic? Anyway, I will switch to port 587 to follow best practices. Thanks again for your time and clarifications! PS: I will discuss with OpenVAS team, so maybe they could decrease the security warning level of their TLS/SSL deprecated ciphers scan when it is linked to an SMTP/25 port? Le Fri, 14 Oct 2016 13:49:34 +0200, Gunnar Haslinger <gh.bettercry...@hitco.at> a écrit : > Full-Quote of Guillaume's mail see below (mail was sent directly and > didn't go to the list). > > My Opinion about this: Yes, you have to use dedicated > submission-ports, that's how it is defined to work. Misusing port 25 > is a wideseen configuration, but that's not how it was designed in > the RFC's. You say popular IT-Networks don't allow outgoing > connections to the dedicated submission-ports but allow outgoing > connections to port 25? That's weird. My personal experience when > traveling and using Public/Hotel/Airport/University/Company-WLANs is, > that port 25 is almost everywhere blocked (to prevent outgoing spam > from these LANs) but using submission-ports usually works fine. > > If you really have this problem feel free to configure your personal > client to use Port 25 or host an additional submission port on 443 to > go through these firewalls. > > Am 2016-10-14 13:34, schrieb Guillaume REMBERT: > > > OK. I got it! This is driven by the master.cf config with -o > > smtpd_tls_security_level=encrypt. > > > > Thanks a lot for your feedbacks and for correcting me. > > > > One last question/remark to fully understand this topic and config. > > > > TLS is under the application layer SMTP. In my original setup, > > port 25 is used for both reception of Mail (MTA) and submission > > (MSA). How can be done the differenciation between a reception > > connexion and a submission connexion? It is not possible as TLS is > > done before any application exchange. So I need also to open a > > dedicated port reserved for submission as recommended in the doc - > > TCP/587? > > > > One problem that I see there is that most IT networks don't allow > > output traffic to port 587, thus it is not possible to directly send > > mail in most foreign corporate networks - example here-after of an > > access provided by a big european organisation: > > - HTTP TCP / 80 > > - HTTPS TCP / 443 > > - SMTP* TCP / 25 > > - POP3 TCP / 110 > > - POP3s TCP / 995 > > - IMAP TCP / 143 > > - IMAPs TCP / 993 > > - IPSEC UDP / 500 > > - IPSEC UDP / 4500 > > - OpenVPN UDP / 1194 > > > > In that case I would have to establish a VPN in order to send my > > mail. > > > > What would be your position related to this strong limitation? _______________________________________________ Ach mailing list Ach@lists.cert.at http://lists.cert.at/cgi-bin/mailman/listinfo/ach