On Sun, Jun 26, 2022 at 03:52:56PM +0200, Mark Elkins via Exim-users wrote:

> > I am curious. Why do you not allow your users to use port 465 ?
> > RFC 8314 https://datatracker.ietf.org/doc/html/rfc8314#section-7.3
> > repurposed this as a mail *submission* port with Implicit TLS.
>
> Reading RFC 8314
> https://datatracker.ietf.org/doc/html/rfc8314#section-7.3 - it seems
> there is confusion over the use of this port. I've always assumed that
> some MTA clients may use port 465 - rather than using port 25.

No.

* MTA-to-MTA SMTP relay is always over port 25.
* Port 465 was always MUA-to-MTA submission.

This is because MX records don't signal port numbers, only host names, so
the port number MUST be a prior fixed value.

This of course does not prevent "private" arrangements where some
particular MTAs relay some mail via port 465 to some other *specific*
MTAs under suitable conditions (particular envelope or content features).
Such arrangements would always be local policy exceptions to how email is
routed over the public Internet (as specified in RFC5321).

> Port 587 has always been the mail submission port - friends confirmed
> this to me.

Friends make mistakes. The authoritative sources are:

    https://www.rfc-editor.org/rfc/rfc2476
    https://www.rfc-editor.org/rfc/rfc4409
    https://www.rfc-editor.org/rfc/rfc6409
    https://www.rfc-editor.org/rfc/rfc5068

The use of 465 for submission over TLS was a non-standard Microsoft
Exchange/Outlook feature for many years, only recently elevated to
standard in https://www.rfc-editor.org/rfc/rfc8314

> Reading the above - looks like I'm wrong and should also (or rather) run
> port 465 on my incoming (SMTP-Relay) mail servers.

No. SMTP relay servers are MTA-to-MTA SMTP, and so unavoidably on port 25.
Only submission is on ports 587 and 465.

> I assume that just means enabling that port?

Well, it has to be configured correctly, with TLS wrapping the use of the
SMTP protocol, rather than the SMTP protocol facilitating TLS via STARTTLS.

> Users should then set SSL/TLS encryption on port 465? (which means me
> talking to all of them)

Or just let them choose. Gradually, more of them will organically move to
465, and you (or whoever you saddle with the burden) can "talk" to the
long-tail users in 10 years or so.

> Would also love to know why then can we still run STARTTLS on port 587
> - if it is so insecure?

It isn't. And the risks are not to SMTP servers and clients, but rather
to web browsers and the like that can be convinced to misinterpret
reflected text in error messages.

The basic issue of injection of buffered pre-TLS cleartext into a post
STARTTLS session was resolved in Postfix and IIRC also Exim quite some
time ago. So there's little reason to avoid port 587 with these MTAs.
Various other STARTTLS implementations (in IMAP servers, and less
mainstream SMTP servers) might not have gotten the memo, but you should
be fine.

-- 
    Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
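The "buffered pre-TLS cleartext" problem Viktor refers to above, as an added illustration that is not part of the thread and not code from Exim or Postfix: a toy CRLF-delimited command loop that models what an SMTP server has in its read buffer when it sees STARTTLS. The fix the MTAs adopted is to throw that buffer away before the handshake, so nothing read in cleartext can be mistaken for data delivered by the TLS layer. All names (ToyStarttlsServer, run_session, the constructed command lines) are assumptions made for this example; no network or real TLS is involved.

```python
"""Model of an SMTP-style STARTTLS command loop, with and without the buffer flush.

Constructed example: the TLS handshake is represented only by the tls_active flag,
which records the server's belief that subsequent input came from the TLS layer.
"""

CRLF = b"\r\n"


class ToyStarttlsServer:
    """Minimal CRLF-delimited command processor (hypothetical, for illustration)."""

    def __init__(self, discard_buffer_on_starttls: bool):
        self.discard = discard_buffer_on_starttls
        self.buf = b""
        self.tls_active = False
        # (command, server believed it arrived under TLS) for every executed command
        self.executed = []

    def feed(self, data: bytes) -> None:
        """Data handed up by the transport: raw socket before STARTTLS, TLS layer after."""
        self.buf += data
        self._process()

    def _process(self) -> None:
        while CRLF in self.buf:
            line, self.buf = self.buf.split(CRLF, 1)
            cmd = line.strip()
            if cmd.upper() == b"STARTTLS" and not self.tls_active:
                # A real server answers "220 Ready to start TLS" and runs the handshake here.
                self.tls_active = True
                if self.discard:
                    # Hardened behaviour: anything still buffered was read in cleartext
                    # before the handshake and must not be replayed into the TLS session.
                    self.buf = b""
                # The unhardened variant keeps the buffer, so leftover cleartext is parsed
                # on the next loop iteration and recorded as if TLS had delivered it.
                continue
            self.executed.append((cmd, self.tls_active))

    def commands_believed_tls_protected(self):
        """Commands the server would treat as authenticated by the TLS session."""
        return [cmd for cmd, under_tls in self.executed if under_tls]


def run_session(discard_buffer_on_starttls: bool):
    """Drive one constructed session and report what the server trusts as TLS traffic."""
    server = ToyStarttlsServer(discard_buffer_on_starttls)
    # Constructed segment: STARTTLS and a trailing cleartext line arrive in one read.
    server.feed(b"EHLO client.example" + CRLF + b"STARTTLS" + CRLF + b"INJECTED-CLEARTEXT" + CRLF)
    # Constructed post-handshake traffic from the genuine TLS peer.
    server.feed(b"EHLO client.example" + CRLF)
    return server.commands_believed_tls_protected()


if __name__ == "__main__":
    print("without flush:", run_session(False))
    print("with flush:   ", run_session(True))
```

Without the flush, the server treats `INJECTED-CLEARTEXT` as if it had arrived inside the TLS session; with the flush, only the post-handshake EHLO is trusted. The same discard-before-handshake rule is what a defender should look for when auditing a less mainstream STARTTLS implementation, whether SMTP or IMAP.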