which port to use for SSL/TLS?
in [Postfix]
|
From: Phil Howard on 21 May 2010 14:33 I'm trying to find out what port is to be used with "always on" SSL/TLS (e.g. no STARTTLS command needed, it just does SSL/TLS once the TCP connection is made, which I understand smtpd_tls_wrappermode=yes will do), and the RFCs are coming up empty. I thought it was 587. But RFC4409 doesn't say if this is, or is not, SSL/TLS. Some mail clients are using 465 by default, but that isn't even official for anything email related. Anyone know where this port 465 came from? RFC4409 seems to just be about doing authentication to allow submission (e.g. submission protocol, smtp with authentication added). We definitely need to have a port running with "always on" SSL/TLS so certain access rules can be enforced at firewalls (that I seriously doubt can be easily made to verify that STARTTLS gets used). In theory, this would be the same as if I used stunnel listening on (probably) 587 and reconnecting back to [::1]:25 (aside from losing the ability to do any connection peer IP address checks).
From: Matt Hayes on 21 May 2010 14:48 On 5/21/2010 2:33 PM, Phil Howard wrote: > I'm trying to find out what port is to be used with "always on" SSL/TLS > (e.g. no STARTTLS command needed, it just does SSL/TLS once the TCP > connection is made, which I understand smtpd_tls_wrappermode=yes will > do), and the RFCs are coming up empty. I thought it was 587. But > RFC4409 doesn't say if this is, or is not, SSL/TLS. Some mail clients > are using 465 by default, but that isn't even official for anything > email related. Anyone know where this port 465 came from? RFC4409 > seems to just be about doing authentication to allow submission (e.g. > submission protocol, smtp with authentication added). We definitely > need to have a port running with "always on" SSL/TLS so certain access > rules can be enforced at firewalls (that I seriously doubt can be easily > made to verify that STARTTLS gets used). In theory, this would be the > same as if I used stunnel listening on (probably) 587 and reconnecting > back to [::1]:25 (aside from losing the ability to do any connection > peer IP address checks). > Phil, Please respond here and not from your regular account.. I neglected to hit reply to list! Well, you can put SSL/TLS on any port really. Submission being 587, pop3s being 995, smtps being 465.. which ports are you wanting SSL/TLS on? -Matt
From: Phil Howard on 21 May 2010 15:26 On Fri, May 21, 2010 at 14:48, Matt Hayes <dominian(a)slackadelic.com> wrote: > On 5/21/2010 2:33 PM, Phil Howard wrote: > > I'm trying to find out what port is to be used with "always on" SSL/TLS > > (e.g. no STARTTLS command needed, it just does SSL/TLS once the TCP > > connection is made, which I understand smtpd_tls_wrappermode=yes will > > do), and the RFCs are coming up empty. I thought it was 587. But > > RFC4409 doesn't say if this is, or is not, SSL/TLS. Some mail clients > > are using 465 by default, but that isn't even official for anything > > email related. Anyone know where this port 465 came from? RFC4409 > > seems to just be about doing authentication to allow submission (e.g. > > submission protocol, smtp with authentication added). We definitely > > need to have a port running with "always on" SSL/TLS so certain access > > rules can be enforced at firewalls (that I seriously doubt can be easily > > made to verify that STARTTLS gets used). In theory, this would be the > > same as if I used stunnel listening on (probably) 587 and reconnecting > > back to [::1]:25 (aside from losing the ability to do any connection > > peer IP address checks). > > > > > Well, you can put SSL/TLS on any port really. Submission being 587, > pop3s being 995, smtps being 465.. which ports are you wanting SSL/TLS on? > I want it on a non-conflicting port, or at least one I know I won't ever use (which is pretty much the null set). According to *ftp://ftp.iana.org/assignments/port-numbers* port 465 is assigned to something else: # Theodore Ts'o <tytso*MIT.EDU> urd 465/tcp URL Rendesvous Directory for SSM igmpv3lite 465/udp IGMP over UDP for SSM So that leaves me with: # Jon Postel <postel*isi.edu> 24/tcp any private mail system 24/udp any private mail system # Rick Adams <rick*UUNET.UU.NET> smtp 25/tcp Simple Mail Transfer smtp 25/udp Simple Mail Transfer and: submission 587/tcp Submission submission 587/udp Submission It does look like these: # Vera Heinau <heinau*fu-berlin.de> # Heiko Schlichting <heiko*fu-berlin.de> telnets 992/tcp telnet protocol over TLS/SSL telnets 992/udp telnet protocol over TLS/SSL imaps 993/tcp imap4 protocol over TLS/SSL imaps 993/udp imap4 protocol over TLS/SSL ircs 994/tcp irc protocol over TLS/SSL ircs 994/udp irc protocol over TLS/SSL # Christopher Allen <ChristopherA*consensus.com> pop3s 995/tcp pop3 protocol over TLS/SSL (was spop3) pop3s 995/udp pop3 protocol over TLS/SSL (was spop3) and a few others are clearly over TLS/SSL (and not just STARTTLS as an option). Since port 25 must stay clear for acceptance of (insecure) mail exchange, at least it could use STARTTLS (why not?). So I wasn't expecting that submission (starting in the clear) would need a separate port (e.g. its current standard of 587 ... and apparently not over TLS/SSL). There seems to not be enough ports, if submission and/or STARTTLS are more than just mere extensions to SMTP. I guess I can use port 24?
From: John Peach on 21 May 2010 15:29 On Fri, 21 May 2010 15:26:33 -0400 Phil Howard <ttiphil(a)gmail.com> wrote: > On Fri, May 21, 2010 at 14:48, Matt Hayes <dominian(a)slackadelic.com> > wrote: > > > On 5/21/2010 2:33 PM, Phil Howard wrote: > > > I'm trying to find out what port is to be used with "always on" > > > SSL/TLS (e.g. no STARTTLS command needed, it just does SSL/TLS > > > once the TCP connection is made, which I understand > > > smtpd_tls_wrappermode=yes will do), and the RFCs are coming up > > > empty. I thought it was 587. But RFC4409 doesn't say if this > > > is, or is not, SSL/TLS. Some mail clients are using 465 by > > > default, but that isn't even official for anything email > > > related. Anyone know where this port 465 came from? RFC4409 > > > seems to just be about doing authentication to allow submission > > > (e.g. submission protocol, smtp with authentication added). We > > > definitely need to have a port running with "always on" SSL/TLS > > > so certain access rules can be enforced at firewalls (that I > > > seriously doubt can be easily made to verify that STARTTLS gets > > > used). In theory, this would be the same as if I used stunnel > > > listening on (probably) 587 and reconnecting back to [::1]:25 > > > (aside from losing the ability to do any connection peer IP > > > address checks). > > > > > > > > > Well, you can put SSL/TLS on any port really. Submission being 587, > > pop3s being 995, smtps being 465.. which ports are you wanting > > SSL/TLS on? > > > > I want it on a non-conflicting port, or at least one I know I won't > ever use (which is pretty much the null set). > > According to *ftp://ftp.iana.org/assignments/port-numbers* port 465 is > assigned to something else: > > # Theodore Ts'o <tytso*MIT.EDU> > urd 465/tcp URL Rendesvous Directory for SSM > igmpv3lite 465/udp IGMP over UDP for SSM > > So that leaves me with: > > # Jon Postel <postel*isi.edu> > 24/tcp any private mail system > 24/udp any private mail system > # Rick Adams <rick*UUNET.UU.NET> > smtp 25/tcp Simple Mail Transfer > smtp 25/udp Simple Mail Transfer > > and: > > submission 587/tcp Submission > submission 587/udp Submission > > It does look like these: > > # Vera Heinau <heinau*fu-berlin.de> > # Heiko Schlichting <heiko*fu-berlin.de> > telnets 992/tcp telnet protocol over TLS/SSL > telnets 992/udp telnet protocol over TLS/SSL > imaps 993/tcp imap4 protocol over TLS/SSL > imaps 993/udp imap4 protocol over TLS/SSL > ircs 994/tcp irc protocol over TLS/SSL > ircs 994/udp irc protocol over TLS/SSL > # Christopher Allen > <ChristopherA*consensus.com> pop3s 995/tcp pop3 protocol > over TLS/SSL (was spop3) pop3s 995/udp pop3 protocol > over TLS/SSL (was spop3) > > and a few others are clearly over TLS/SSL (and not just STARTTLS as an > option). Since port 25 must stay clear for acceptance of (insecure) > mail exchange, at least it could use STARTTLS (why not?). So I > wasn't expecting that submission (starting in the clear) would need a > separate port (e.g. its current standard of 587 ... and apparently > not over TLS/SSL). > > There seems to not be enough ports, if submission and/or STARTTLS are > more than just mere extensions to SMTP. > > I guess I can use port 24? 465 is for SMTP over SSL, which is deprecated. -- John
From: Phil Howard on 21 May 2010 15:35
On Fri, May 21, 2010 at 15:29, John Peach <postfix(a)johnpeach.com> wrote: > 465 is for SMTP over SSL, which is deprecated. > What is deprecated? Using port 465? Or doing SMTP over SSL? Unfortunately, I need to do the latter because of some network security and access issues (and for like reason am doing IMAP over SSL on port 993 and POP over SSL on port 995). I could go ahead and do SMTP over SSL on port 465. Are you sure it won't conflict with anything? I'm doing optional STARTTLS (e.g. smtpd_tls_security_level=may and smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination) on port 25. What should I be doing on port 587? |