On Sun 14/Aug/2016 13:10:22 +0200 Mark Constable wrote:
> Because of arguments like this, and that I do not even want to offer
> non-SSL options, I routinely disable ports 143 and 587 and only use
> ports 993 and 465 for authenticated user mail...
>
> https://www.agwa.name/blog/post/starttls_considered_harmful
The only serious reason against starttls is that an active attacker can strip out the server's starttls advertisement, which was actually reported. However, 465 is not a replacement for 587. Please check out the WP table:

https://en.wikipedia.org/wiki/Email_client#Port_numbers

A port 465 server is not obliged to ask for authentication AFAIK, so it is safer for a gateway admin in a hotel or campus to block outgoing 465 connections just like 25. Some thick ISPs also block port 587, even if RFC 5068 clearly says:

    Access Providers MUST NOT block users from accessing the external
    Internet using the SUBMISSION port 587.

https://tools.ietf.org/html/rfc5068#section-4.1

IOW, opening 587 may increase your server's availability. There are other ways to force clients to use starttls, discussed earlier on this list. In addition, 587 is where you can enforce submission policies.

Ale
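The client-side half of the starttls-stripping point above, as an added example that is not from the thread or from Courier: a submission client parses the server's EHLO reply and, on port 587, refuses to continue in cleartext when STARTTLS is not advertised (fail closed), while port 465 is treated as implicit TLS. The sample EHLO replies are constructed; the server name mail.example.net and the function names are assumptions.

```python
"""Client-side STARTTLS policy for SMTP submission (added example)."""
import re
from typing import Optional, Set

IMPLICIT_TLS_PORT = 465   # SMTPS: TLS is negotiated before any SMTP dialogue
SUBMISSION_PORT = 587     # message submission port, STARTTLS expected

# EHLO reply lines look like "250-KEYWORD ..." (more follow) or "250 KEYWORD" (last)
_EHLO_LINE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo(reply: str) -> Set[str]:
    """Return the set of extension keywords advertised in an EHLO reply.

    The first 250 line carries the server's domain, not an extension, so it
    is skipped. Keywords are compared case-insensitively (RFC 5321).
    """
    keywords = set()
    lines = reply.replace("\r\n", "\n").strip().split("\n")
    for idx, line in enumerate(lines):
        m = _EHLO_LINE.match(line)
        if not m:
            raise ValueError("malformed EHLO line: %r" % line)
        if idx == 0:
            continue  # greeting line, e.g. "250-mail.example.net Hello"
        words = m.group(2).split()
        if words:
            keywords.add(words[0].upper())
    return keywords


def plan_submission(port: int, ehlo_reply: Optional[str]) -> str:
    """Decide the transport: 'implicit-tls', 'starttls' or 'refuse'."""
    if port == IMPLICIT_TLS_PORT:
        return "implicit-tls"  # EHLO is exchanged inside the TLS session
    if port != SUBMISSION_PORT:
        return "refuse"  # port 25 is MTA-to-MTA relay, not user submission
    if ehlo_reply is None or "STARTTLS" not in parse_ehlo(ehlo_reply):
        # Fail closed: a missing advertisement may be an active attacker
        # stripping STARTTLS to harvest the password in cleartext.
        return "refuse"
    return "starttls"


# Constructed sample replies: a healthy one, and one with STARTTLS removed
# (note the stripped one offers AUTH before TLS, which is the lure).
EHLO_OK = ("250-mail.example.net Hello\r\n250-SIZE 35882577\r\n"
           "250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n")
EHLO_STRIPPED = ("250-mail.example.net Hello\r\n250-SIZE 35882577\r\n"
                 "250 AUTH PLAIN LOGIN\r\n")
```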