
Since port 25 is blocked on my VPS, I need to configure Postfix to send emails to other ports such as 587 or 465. But it seems most incoming SMTP servers on the Internet, such as Outlook or Gmail, do not open port 587 or 465. They just use port 25 to receive emails. Is this a common practice?

I do not mean to use another SMTP server to relay emails (as discussed in this post).

Another question is whether all (or most) SMTP servers that open port 587 need authentication. Port 587 is called the submission port, so I think it asks you for account information. Is there any incoming SMTP server that uses port 587 to receive emails and does not need account authentication?

William

2 Answers


Port 25 is the standard server-side email port. This includes server-to-server relaying, etc. It is the standard. You can set postfix to use a different port, but it's unlikely you'd be able to talk to anyone else.

Port 587 is typically what a mail client would use to send mail to a server. In this case, by client, I mean something like an iPhone, or mail app such as Thunderbird, Outlook, etc.

Since port 587 is generally client-centric, it is very common for it to require authentication. This also helps ensure mail servers only have to handle mail from authorized users.

mikem
  • Is there any official document saying server-to-server communication must use port 25? – William Sep 09 '20 at 01:05
  • I'm sure there are probably early internet standards somewhere that say it, but that really isn't relevant at this point. Most mail servers can be set to run on any port -- sendmail, postfix, whatever. The point is, the accepted standard is port 25 for server-to-server mail traffic. So, you are free to run your server on whatever port you want to, but your ability to communicate with other servers will be limited. – mikem Sep 09 '20 at 01:30

465/587 are client submission ports; they are usually protected with authentication and transport layer security. Email clients, i.e. MUAs, use ports 587 and 465, while mail servers, i.e. MTAs, use port 25.

Opportunistic TLS (Wikipedia)

"At least for the email related protocols, RFC 8314 favors separate SSL ports instead of STARTTLS."

The confusion probably comes from how SMTP used to communicate in the past. All communications (client to server, server to server) were made using TCP port 25. Nowadays it is uncommon for email clients to use port 25 for sending emails; also, many ISPs block outgoing port 25 on their client border to limit spam.

Point is, if an MTA is configured to use a port other than 25, then the remote end also needs to be configured to use that port for the communication to be successful.

To support end-to-end TLS between MTAs, protocol extensions have to be implemented by both ends. See Increase email security with MTA-STS and TLS reporting (Google) and Extended SMTP (Wikipedia)

SMTP alone does not provide security, and many SMTP servers don’t have added security to prevent malicious attacks.

Mike L'Angelo
  • If MTAs only use port 25, does it mean the communication between MTAs is in plain text? I know they can use STARTTLS to encrypt messages, but in practice, how many MTAs use STARTTLS, or do most of them just transport messages in plain text? – William Sep 09 '20 at 01:10
  • The use of TLS is not port-specific. Most mail servers will use TLS on the server port (25) and client ports (587). I think port 465 historically has been clear-text, but there's really no technical reason a server listening on it couldn't be configured to use TLS on that port as well. Of course, using TLS is optional, so there are probably some out there not using it. – mikem Sep 09 '20 at 01:52
  • @William affirmative unless extensions are used. STARTTLS is usually used for client communication, even though a separate port and listener are nowadays used for ease of management and efficiency. I have edited the answer to include this. – Mike L'Angelo Sep 10 '20 at 14:54
  • @mikem TLS usage follows best practices. References in the updated text. – Mike L'Angelo Sep 10 '20 at 14:57
  • Yes, this I know. But, it is still optional for those who like living on the edge! – mikem Sep 10 '20 at 15:57
  • :) I guess it is, coming from a postmaster background for a large organization, I am well aware the more standardization the better! – Mike L'Angelo Sep 10 '20 at 16:46
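
The answer above makes two points that are easy to check mechanically: whether a receiving MTA on port 25 advertises STARTTLS in its EHLO reply (opportunistic TLS), and whether a sender that honours MTA-STS may deliver to a given MX at all. The following example, added here and not part of the original answers or of Postfix, implements both checks offline. The EHLO replies and the MTA-STS policy text are constructed samples; `mx.example.net`, `backup-mx.example.net` and `legacy.example.org` are made-up hostnames, and `delivery_decision` is a simplified model of the sender-side logic in RFC 8461 (it does not fetch DNS or HTTPS and does not validate certificates).

```python
"""Sender-side checks for SMTP transport security.

1. parse_ehlo / offers_starttls: does the remote MTA (normally reached on
   port 25) advertise the STARTTLS extension in its EHLO reply?
2. parse_mta_sts_policy / mx_matches / delivery_decision: given an MTA-STS
   policy (RFC 8461) and the EHLO reply of one MX, may we deliver?

All sample data below is constructed for this example.
"""
import re

# Constructed EHLO reply from an MTA that offers STARTTLS (RFC 5321 format).
SAMPLE_EHLO = (
    "250-mx.example.net Hello sender.example.com [192.0.2.10]\r\n"
    "250-SIZE 157286400\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 SMTPUTF8\r\n"
)

# Constructed EHLO reply from a legacy MTA that offers no TLS at all.
SAMPLE_EHLO_PLAIN = (
    "250-legacy.example.org at your service\r\n"
    "250 8BITMIME\r\n"
)

# Constructed MTA-STS policy, as it would be served at
# https://mta-sts.example.net/.well-known/mta-sts.txt (hypothetical domain).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx.example.net
mx: *.backup-mx.example.net
max_age: 604800
"""


def parse_ehlo(response: str) -> dict:
    """Return {EXTENSION: parameters} from a multi-line 250 EHLO reply.

    The first line is the server greeting and carries no extension, so it
    is skipped; every later line must be '250-KEYWORD ...' or '250 KEYWORD'.
    """
    lines = [line for line in response.split("\r\n") if line]
    extensions = {}
    for line in lines[1:]:
        match = re.match(r"250[ -](\S+)(?:\s+(.*))?$", line)
        if not match:
            raise ValueError(f"malformed EHLO line: {line!r}")
        extensions[match.group(1).upper()] = match.group(2) or ""
    return extensions


def offers_starttls(response: str) -> bool:
    """True if the remote MTA advertises STARTTLS (opportunistic TLS)."""
    return "STARTTLS" in parse_ehlo(response)


def parse_mta_sts_policy(text: str) -> dict:
    """Parse the key/value policy file; 'mx' may repeat, everything else once."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid policy mode")
    policy["max_age"] = int(policy["max_age"])
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 mx matching: a leading '*.' matches exactly one label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, sep, rest = host.partition(".")
        return bool(head) and sep == "." and rest == pattern[2:]
    return host == pattern


def delivery_decision(policy: dict, mx_host: str, ehlo_response: str) -> str:
    """Model of the sender's choice for one MX under an MTA-STS policy."""
    mx_ok = any(mx_matches(p, mx_host) for p in policy["mx"])
    tls_ok = offers_starttls(ehlo_response)
    if mx_ok and tls_ok:
        return "deliver"  # continue with STARTTLS and certificate validation
    problem = "mx-not-in-policy" if not mx_ok else "no-starttls"
    if policy["mode"] == "enforce":
        # Never fall back to cleartext: skip this MX / queue the message.
        return f"fail:{problem}"
    # testing / none: behave like plain opportunistic TLS, but record for TLSRPT.
    return f"deliver-and-report:{problem}"


if __name__ == "__main__":
    policy = parse_mta_sts_policy(SAMPLE_POLICY)
    print(delivery_decision(policy, "mx.example.net", SAMPLE_EHLO))
    print(delivery_decision(policy, "mx.example.net", SAMPLE_EHLO_PLAIN))
```

The wildcard rule is the part most often got wrong: `*.backup-mx.example.net` covers `mx2.backup-mx.example.net` but neither `backup-mx.example.net` itself nor `a.b.backup-mx.example.net`. In `enforce` mode a missing STARTTLS or an MX outside the policy means the message is not sent in cleartext, which is exactly the downgrade protection that opportunistic STARTTLS on port 25 alone does not give you.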