Matus UHLAR - fantomas wrote:
>> On Mon, 4 May 2009, LuKreme wrote:
>>> This is what port 587 is *for*. This is what SASL authentication is *for*.
>
> On 05.05.09 09:25, Charles Gregory wrote:
>> Hmmmm. Quick (dumb) question. If I tell my users to click the little
>> check box in a mail client (Outlook Express or Thunderbird) that says
>> "use SMTP authentication", does it automatically switch to port 587, or
>> do I need to tell my users how/where to change the port number?
>
> you need the latter.
> Outlook users may want to use port 465 with non-negotiated SSL.
Funny thing about that; 465 is a non-standard SSL-requiring port for SMTP, chosen by Microsoft. Despite that, Microsoft Outlook (2003+ at least) does *not* change the port from 25 when you specify SSL, while Mozilla Thunderbird will change it to 465. No configuration on either will use 587.

The official recommendation is to require port 587 and require authentication over TLS, but until programs default to using it in some capacity, it just seems like a bad idea: Users are not smart. Give them the simplest options. Use different servers for MX vs outbound SMTP, and for the latter, implement all three ports (25 and 587 requiring STARTTLS and authentication, 465 being SSL-wrapped and requiring authentication).

In postfix's master.cf, this would be (at the least):

    # service   type  private unpriv  chroot  wakeup  maxproc command + args
    smtp        inet  n       -       -       -       -       smtpd
      -o smtpd_enforce_tls=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    submission  inet  n       -       -       -       -       smtpd
      -o smtpd_enforce_tls=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    smtps       inet  n       -       -       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject

For non-Debian/non-FreeBSD systems, it may also require changing /etc/services so that the only "465/tcp" line it contains is:

    ssmtp           465/tcp         smtps           # SMTP over SSL

If you open SMTP like that, you should probably also have something connected to your firewall (e.g. fail2ban for Linux) that will drop all connections to mail relays that stubbornly try to connect, or at least have the SMTP server configured to do something similar.
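The master.cf snippet above sets the same three things on every inet smtpd listener: SASL enabled, TLS required (STARTTLS enforcement on 25/587, wrapper mode on 465) and relaying restricted to authenticated clients. A small audit script that parses master.cf and flags any smtpd listener missing one of those overrides is an easy way to keep a box honest after later edits. The script below is an added example, not code from the poster or from Postfix; the master.cf text it reads is constructed here (the three services from the post plus a hypothetical "10025" listener that forgot SASL and TLS), and the parse follows Postfix's documented master.cf layout (eight columns, continuation lines start with whitespace, "-o name=value" overrides). Note the caveat in the comments: a parameter absent from master.cf may still be set globally in main.cf, so an empty finding list means "not overridden here", not "definitely enforced".

```python
"""Audit a Postfix master.cf for the submission policy described in the post.

Every inet service running smtpd should carry -o overrides that
  * enable SASL (smtpd_sasl_auth_enable=yes),
  * require TLS, either smtpd_enforce_tls=yes (STARTTLS) or
    smtpd_tls_wrappermode=yes (SSL-wrapped, port 465), and
  * only relay for authenticated clients
    (smtpd_client_restrictions=permit_sasl_authenticated,reject).
Added example, not from the original post. Caveat: this only inspects master.cf
overrides; the same parameters may also be set globally in main.cf.
"""

# Constructed sample master.cf. The first three services are the ones from the
# post; "10025" is a hypothetical listener with the checks left out.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
10025      inet  n       -       -       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
pickup     unix  n       -       -       60      1       pickup
cleanup    unix  n       -       -       -       0       cleanup
"""

REQUIRED_RESTRICTIONS = "permit_sasl_authenticated,reject"


def parse_master_cf(text):
    """Return a list of services: name, type, command and the -o overrides.

    master.cf has eight whitespace-separated columns; a line that starts with
    whitespace continues the previous service's "command + args" column.
    """
    services = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation of the previous entry
            if services:
                services[-1]["args"].extend(line.split())
            continue
        fields = line.split()
        if len(fields) < 8:
            continue  # malformed; Postfix itself would refuse this line
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "args": fields[8:]})
    for svc in services:
        opts = {}
        args = svc["args"]
        for i, tok in enumerate(args):
            # "-o name=value" pairs; anything else in args is ignored here
            if tok == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                key, value = args[i + 1].split("=", 1)
                opts[key] = value
        svc["options"] = opts
    return services


def audit(text):
    """Map each inet smtpd listener to the list of policy checks it fails."""
    findings = {}
    for svc in parse_master_cf(text):
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue  # only network-facing SMTP listeners matter here
        o = svc["options"]
        problems = []
        if o.get("smtpd_sasl_auth_enable") != "yes":
            problems.append("SASL authentication not enabled")
        if o.get("smtpd_enforce_tls") != "yes" and o.get("smtpd_tls_wrappermode") != "yes":
            problems.append("TLS not required (no STARTTLS enforcement, no wrapper mode)")
        if o.get("smtpd_client_restrictions") != REQUIRED_RESTRICTIONS:
            problems.append("relaying not limited to authenticated clients")
        findings[svc["name"]] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_MASTER_CF).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{name:12s} {status}")
```

Run against a real file with `audit(open("/etc/postfix/master.cf").read())`; any listener that comes back with a non-empty list is either missing an override or relying on main.cf for it, and either way deserves a look.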