Postfix smtps and submission confusion

Solution 1:

Port 465 was used for SMTP connections secured by SSL. However, using that port for SMTP has been deprecated with the availability of STARTTLS: "Revoking the smtps TCP port". These days you should no longer use Port 465 for SMTPS. Instead, use Port 25 for receiving mails for your domain from other servers, or port 587 to receive e-mails from clients, which need to send mails through your server to other domains and thus other servers.

As an additional note, port 587, however, is dedicated to mail submission, and mail submission is designed to alter the message and/or provide authentication:

  • offering and requiring authentication for clients which try to submit mails
  • providing security mechanisms to prevent submission of unsolicited bulk mail (spam) or infected mails (viruses, etc.)
  • modifying the mail to the needs of an organisation (rewriting the from part, etc.)

Submission to port 587 is supposed to support STARTTLS, and thus can be encrypted. See also RFC 6409.

Solution 2:

TL;DR

The new recommendation is to support both submissions/smtps and submission with STARTTLS for the time being, phasing out the latter once it's not used anymore. (The same recommendations also apply for POP3 vs POP3S and IMAP vs IMAPS.)

Details

The best practice has changed with RFC 8314 Section 3.3:

When a TCP connection is established for the "submissions" service (default port 465), a TLS handshake begins immediately. […]

The STARTTLS mechanism on port 587 is relatively widely deployed due to the situation with port 465 (discussed in Section 7.3). This differs from IMAP and POP services where Implicit TLS is more widely deployed on servers than STARTTLS. It is desirable to migrate core protocols used by MUA software to Implicit TLS over time, for consistency as well as for the additional reasons discussed in Appendix A. However, to maximize the use of encryption for submission, it is desirable to support both mechanisms for Message Submission over TLS for a transition period of several years. As a result, clients and servers SHOULD implement both STARTTLS on port 587 and Implicit TLS on port 465 for this transition period. Note that there is no significant difference between the security properties of STARTTLS on port 587 and Implicit TLS on port 465 if the implementations are correct and if both the client and the server are configured to require successful negotiation of TLS prior to Message Submission.

The cited Appendix A then elaborates on the decision to prefer implicit TLS for all of SMTP, POP3 and IMAP, for these main reasons:

  1. We want to only have encrypted connections everywhere anyway, so there is no point in maintaining a backward-compatible version of all these protocols when, in practice, that compatibility isn't used
  2. There have been exploits of the STARTTLS negotiation phase because of identical issues in several implementations
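
A Postfix configuration that puts both answers into practice: a submission service on 587 that requires STARTTLS before AUTH (Solution 1), plus an implicit-TLS service on 465 as RFC 8314 section 3.3 recommends (Solution 2), both restricted to authenticated clients. This is an added example, not part of either answer and not taken from the Postfix documentation. It assumes Dovecot provides SASL on Postfix's private/auth socket and that the certificate paths are placeholders; the weak per-service settings that would allow plaintext AUTH are shown commented out beside the corrected ones.

```conf
# /etc/postfix/main.cf  (global defaults; added example, not from the original page)
# Port 25 stays opportunistic: RFC 3207 forbids mandatory STARTTLS on a
# publicly referenced MX, so "encrypt" is only set per service in master.cf.
# (main.cf does not allow trailing comments, so every comment is on its own line.)
smtpd_tls_security_level = may
# placeholder certificate and key paths (assumption)
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key
# assumes Dovecot as the SASL backend; the socket path is relative to queue_directory
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# no AUTH on port 25; it is enabled per service in master.cf below
smtpd_sasl_auth_enable = no

# /etc/postfix/master.cf
# service    type  private unpriv chroot wakeup maxproc command + args
# (chroot column: use the same value as your existing "smtp inet" line)

# Port 587: explicit TLS (STARTTLS), RFC 6409 message submission.
submission inet  n  -  -  -  -  smtpd
  -o syslog_name=postfix/submission
  # Weak: "may" with the default auth_only=no lets a client AUTH in plaintext.
  #-o smtpd_tls_security_level=may
  #-o smtpd_tls_auth_only=no
  # Correct: TLS is mandatory, and AUTH is neither announced nor accepted
  # until STARTTLS has succeeded.
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# Port 465: implicit TLS ("submissions"/smtps), RFC 8314 section 3.3.
# The numeric port avoids depending on which name /etc/services gives to 465
# (ssmtp, smtps or submissions, depending on the distribution).
465        inet  n  -  -  -  -  smtpd
  -o syslog_name=postfix/submissions
  # wrappermode starts the TLS handshake immediately and implies mandatory TLS
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, check both services from the outside: `openssl s_client -starttls smtp -connect mail.example.com:587` and `openssl s_client -connect mail.example.com:465` must both complete a handshake and then show `250-AUTH` in the EHLO reply. A plaintext `EHLO` on 587 (for example via `nc`) must not list `250-AUTH`, and a `MAIL FROM:` sent before `STARTTLS` should be answered with `530 5.7.0 Must issue a STARTTLS command first`. `postconf -M submission/inet` prints the effective per-service overrides if something does not match.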

Tags:

Postfix

Smtps