Our recent PCI scan failed because "Plaintext authentication is allowed over unencrypted channel on SMTP." As such, our tech support suggested to close port 587.

What are the effects of closing port 587, and will it negatively affect sending/receiving emails?

Arvy S.

  • Not a security question. Tell us what OS you are using and we'll be able to redirect your question. And have you googled this? – Neil Smithline Jun 13 '18 at 02:05
  • Repost of https://stackoverflow.com/questions/50808360/close-port-587-negative-effects – Neil Smithline Jun 13 '18 at 02:05
  • Nothing on Google. I was sent to ask this question on serverfault.com / security.stackexchange.com, so I did. – Arvy S. Jun 13 '18 at 03:37
  • @NeilSmithline respectfully disagree; this *is* a security question. 465 and 587 are alternate ports introduced to resolve security issues with SMTP on port 25, and which in turn introduced their own security nuances that must be understood to be navigated correctly. – gowenfawr Jun 13 '18 at 11:56
  • Well it is hard to disagree with you when you provide such a good answer, @gowenfawr. – Neil Smithline Jun 13 '18 at 15:54

2 Answers

TL;DR: If your users are using 587 to submit email for relay, you need to secure it (by requiring STARTTLS before AUTH) or disable it in favor of an alternative like 465 (SMTPS). If none of your users is using 587, of course, you can disable it without concern, as all normal mail flows through port 25.


There are three commonly used ports for SMTP email - 25, 465, and 587.

25 is the standard SMTP port which is used by mail transfer agents everywhere. If that goes away, you will stop getting email from the rest of the world.

465 ("SMTPS" or "SSMTP", where the extra "S" stands for "Security") and 587 ("submission") are alternate ports which speak SMTP, designed for use by a more limited pool of your own trusted users. To quote RFC 4409:

This separation of function offers a number of benefits, including
the ability to apply specific security or policy requirements.

So, historically, these ports were used for things like allowing Mail User Agents to submit mail for relay, where the main SMTP port does not provide relay services. (In fact, 465 and 587 were introduced as a way of restoring functionality once "open relay" was closed off on port 25, which was itself a security measure.) Some other form of control (network ACLs or SMTP AUTH) is usually used with 465/587 to ensure only legitimate submissions are accepted for relay.

465 (SMTPS) is, like HTTPS, wrapped in SSL/TLS at the network layer. 587 does not require encryption per the RFC, but in common practice, nowadays many configurations will require STARTTLS (spinning up SSL/TLS during the SMTP transaction) before SMTP AUTH is even advertised. That specifically addresses the concern that your PCI scan is raising.

If your 587 (submission) port is like that, you may apply for an exception to the PCI scan. You can prove this by telnetting to port 587 and entering the command "EHLO hostname". If the response you get, like this one, includes STARTTLS but not AUTH, then you are not vulnerable to what the PCI scan thought you were:

EHLO hostname
250-submission.server Hello hostname [192.168.3.4], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 16777216
250-DSN
250-STARTTLS
250-DELIVERBY
250 HELP

If it does offer AUTH while unencrypted, you will need to either require STARTTLS before AUTH or disable 587 and use something like 465 over SSL/TLS instead.

If you don't have Mail User Agents which belong to your domain submitting mail over the network for relay, you don't need 587 or 465 in any case.

gowenfawr

  • Thanks! However, how would I apply for an exception to the PCI scan? Do I just ask them to telnet port 587 and then send them this information that you shared? – Arvy S. Jun 14 '18 at 03:26
  • @ArvyS. if the PCI scan is through an ASV like Qualys, their web site has an interface for submitting exceptions (In Qualys' case, they actually call them "False Positives"; your ASV may vary). If you find that type of interface with your ASV, paste your version of the EHLO output above and point out that AUTH is not advertised when STARTTLS has not yet been initiated, and that therefore credentials can't be sent over the network until encryption is in place. – gowenfawr Jun 14 '18 at 03:43

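The manual telnet check in the answer above can be scripted so the result is repeatable and easy to attach to an ASV false-positive submission. The following is an added example, not code from the original answer: it parses an EHLO reply and classifies the port as vulnerable (AUTH advertised before STARTTLS) or acceptable (AUTH withheld until the session is encrypted), and it includes a live check built on Python's standard `smtplib` that mirrors the telnet procedure (EHLO, look for AUTH, STARTTLS, EHLO again). The sample reply is the one quoted in the answer; the second, "vulnerable" sample and the client name `pci-check.example` are constructed for illustration.

```python
"""Added example: detect AUTH advertised on an unencrypted SMTP submission
port (the condition behind the PCI finding discussed above)."""
import smtplib
import ssl
import sys

# Constructed sample: the EHLO reply quoted in the answer (STARTTLS offered, no AUTH).
SAMPLE_EHLO_OK = b"""250-submission.server Hello hostname [192.168.3.4], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 16777216
250-DSN
250-STARTTLS
250-DELIVERBY
250 HELP
"""

# Constructed sample of the failing case: AUTH offered before any encryption.
SAMPLE_EHLO_VULNERABLE = b"""250-submission.server Hello hostname [192.168.3.4], pleased to meet you
250-STARTTLS
250-AUTH PLAIN LOGIN
250 HELP
"""


def parse_ehlo_extensions(raw):
    """Return {EXTENSION: params} from a raw multi-line 250 EHLO reply.
    The first line is the server greeting, not an extension, so it is skipped."""
    lines = raw.decode("ascii", "replace").splitlines()
    exts = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the "250-" or "250 " prefix
        if not body:
            continue
        name, _, params = body.partition(" ")
        exts[name.upper()] = params
    return exts


def classify(pre_tls_exts, post_tls_exts=None):
    """Classify the endpoint from the extensions seen before STARTTLS and,
    optionally, after it. Returns a short status string."""
    if "AUTH" in pre_tls_exts:
        return "VULNERABLE: AUTH offered before STARTTLS"
    if "STARTTLS" not in pre_tls_exts:
        return "NO-AUTH-NO-TLS: neither AUTH nor STARTTLS advertised"
    if post_tls_exts is None:
        return "OK-PRETLS: STARTTLS advertised, AUTH withheld until encrypted"
    if "AUTH" in post_tls_exts:
        return "OK: AUTH only after STARTTLS"
    return "OK-NOAUTH: STARTTLS works but AUTH never advertised"


def check_submission_port(host, port=587, timeout=10):
    """Live check against a real server (needs network access). Same steps as
    the telnet test: EHLO, inspect for AUTH, then STARTTLS and EHLO again."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("pci-check.example")  # hypothetical client name
        # smtplib lower-cases feature names; normalise to upper-case for classify()
        pre = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        if "STARTTLS" not in pre or "AUTH" in pre:
            return classify(pre)
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo("pci-check.example")  # features are reset after STARTTLS
        post = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        return classify(pre, post)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_submission_port(sys.argv[1]))
    else:
        print("sample OK        ->", classify(parse_ehlo_extensions(SAMPLE_EHLO_OK)))
        print("sample vulnerable->", classify(parse_ehlo_extensions(SAMPLE_EHLO_VULNERABLE)))
```

Run it with no arguments to see the two constructed samples classified offline, or with a hostname to test your own submission port; a result other than one of the `OK` strings means credentials could be sent in cleartext, which is exactly the condition the scan flagged.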
587 is used to send e-mails in a secure manner (unlike 25).

If you close that port, there is a high probability that none of your e-mail accounts will be able to send e-mails anymore.

If anything, one should close port 25 and use 587 in both server and client configurations.

Overmind