On Sun 14/Aug/2016 13:10:22 +0200 Mark Constable wrote:
> Because of arguments like this, and that I do not even want to offer
> non-SSL options, I routinely disable ports 143 and 587 and only use
> ports 993 and 465 for authenticated user mail...
> 
> https://www.agwa.name/blog/post/starttls_considered_harmful

The only serious reason against starttls is that an active attacker can
strip out the server's starttls advertisement, which was actually reported.

However, 465 is not a replacement to 587.  Please check out WP table:
https://en.wikipedia.org/wiki/Email_client#Port_numbers

A port 465 server is not obliged to ask for authentication AFAIK, so it
is safer for a gateway admin in a hotel or campus to block outgoing 465
connections just like 25.  Some thick ISPs block also port 587, even if
RFC 5068 clearly says:

    Access Providers MUST NOT block users from accessing
    the external Internet using the SUBMISSION port 587.
         https://tools.ietf.org/html/rfc5068#section-4.1

IOW, opening 587 may increase your server's availability.  There are
other ways to force clients to use starttls, discussed earlier on this list.

In addition, 587 is where you can enforce submission policies.

Ale
-- 
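The two points raised above, that an active attacker can strip the STARTTLS advertisement out of the EHLO reply and that a submission server on 587 is where submission policy is enforced, can be shown with a small client/server capability model. This is an added example, not code from the thread or from Courier: `parse_ehlo`, `submission_capabilities`, `client_decide` and the sample EHLO replies are constructed for illustration, and `mail.example.net` is a placeholder hostname.

```python
"""Client-side STARTTLS policy and server-side submission capability policy.

Added example; the function names, the policy and the sample replies are
constructed for illustration and are not from any real implementation.
"""
import re


class StartTlsStripped(Exception):
    """Raised when a server expected to offer STARTTLS does not advertise it."""


def parse_ehlo(reply: str) -> dict[str, list[str]]:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [parameters]}.

    The first line is the server's greeting (hostname), not a capability.
    A line with '250-' continues the reply; '250 ' (space) is the final line.
    """
    lines = reply.strip().splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    caps: dict[str, list[str]] = {}
    last_index = len(lines) - 1
    for idx, line in enumerate(lines):
        match = re.fullmatch(r"(\d{3})([ -])(.*)", line.rstrip("\r"))
        if not match:
            raise ValueError(f"malformed EHLO line: {line!r}")
        code, sep, text = match.groups()
        if code != "250":
            raise ValueError(f"EHLO rejected: {line!r}")
        if sep == " " and idx != last_index:
            raise ValueError("data after the final reply line")
        if sep == "-" and idx == last_index:
            raise ValueError("reply truncated: no final '250 ' line")
        if idx == 0:
            continue  # greeting line, e.g. "250-mail.example.net"
        parts = text.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def submission_capabilities(tls_active: bool) -> list[str]:
    """Capabilities a port-587 submission server should advertise.

    Policy (constructed for this example): AUTH is only offered once the
    session is under TLS; before that, STARTTLS is the only way forward.
    On port 465 TLS is implicit, so that server would call this with True.
    """
    common = ["SIZE 10240000", "ENHANCEDSTATUSCODES"]
    if tls_active:
        return common + ["AUTH PLAIN LOGIN"]
    return common + ["STARTTLS"]


def build_ehlo_reply(hostname: str, caps: list[str]) -> str:
    """Render a greeting plus capability list as an RFC 5321 multi-line reply."""
    lines = [f"250-{hostname}"] + [f"250-{c}" for c in caps[:-1]] + [f"250 {caps[-1]}"]
    return "\r\n".join(lines) + "\r\n"


def client_decide(reply: str, require_tls: bool = True) -> str:
    """Return the client's next command after EHLO.

    With require_tls=True the client refuses to proceed in cleartext, which is
    exactly what defeats a stripped STARTTLS advertisement.
    """
    caps = parse_ehlo(reply)
    if "STARTTLS" in caps:
        return "STARTTLS"
    if require_tls:
        raise StartTlsStripped("no STARTTLS in EHLO reply; refusing cleartext session")
    return "AUTH" if "AUTH" in caps else "MAIL"


# Constructed sample: the reply a honest 587 server sends before TLS.
HONEST_REPLY = build_ehlo_reply("mail.example.net", submission_capabilities(tls_active=False))

# Constructed sample: the same reply with the STARTTLS line removed in transit.
TAMPERED_REPLY = "250-mail.example.net\r\n250-SIZE 10240000\r\n250 ENHANCEDSTATUSCODES\r\n"


if __name__ == "__main__":
    print("honest reply ->", client_decide(HONEST_REPLY))
    try:
        client_decide(TAMPERED_REPLY)
    except StartTlsStripped as exc:
        print("tampered reply ->", exc)
    print("after TLS, server offers:", submission_capabilities(tls_active=True))
```

The defender-side lesson is the `require_tls` default: a client that falls back to `MAIL` or `AUTH` when STARTTLS is missing is the one the stripping attack works against, while a server that never lists AUTH before TLS is up never sees a cleartext password even from a careless client.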



_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users