I've set up postfix so that email clients use port 465 (smtps) for outbound mail. I'm not really understanding the difference between smtps (port 465) and submission (port 587).

What's the 'best practice' when configuring postfix for clients to securely send mail? Just use smtps? Or use both submission and smtps?

masegaloeh
Aditya K

3 Answers

edit: This answer is based on RFC-6409 and is no longer correct; see the newer RFC-8314.

Port 465 was used for SMTP connections secured by SSL. However, using that port for SMTP has been deprecated with the availability of STARTTLS: "Revoking the smtps TCP port". These days you should no longer use Port 465 for SMTPS. Instead, use Port 25 for receiving mail for your domain from other servers, or port 587 to receive e-mails from clients, which need to send mail through your server to other domains and thus other servers.

As an additional note, port 587 is dedicated to mail submission - and mail submission is designed to alter the message and/or provide authentication:

  • offering and requiring authentication for clients which try to submit mails
  • providing security mechanisms to prevent submission of unsolicited bulk mail (spam) or infected mails (viruses, etc.)
  • modifying the mail to the needs of an organisation (rewriting the from part, etc.)

Submission to port 587 is supposed to support STARTTLS, and thus can be encrypted. See also RFC#6409.

Roy
liquidat
  • Thanks for your answer, I successfully set up submission with postfix and things are a lot clearer to me now. :-) – Aditya K Jun 18 '14 at 14:00
  • You're welcome =) – liquidat Jun 18 '14 at 15:22
  • Traffic on port 465 is completely encrypted. When you use starttls the client can enter secure transmission and quit from it, sending data without encryption. http://serverfault.com/q/523804/201912 – QkiZ Feb 13 '16 at 08:00
  • This revocation of port 465 for smtps implicit TLS has been reversed. The official recommendation is to offer both 587/STARTTLS together with port 465/SMTPS with an eventual switchover to the latter. Whether this eventual switchover actually occurs or not is anyone's guess. But that is the official recommendation. This answer should no longer be accepted as "correct" – Kurt Fitzner May 04 '21 at 14:05
TL;DR

The new recommendation is to support both submissions/smtps and submission with STARTTLS for the time being, phasing out the latter once it's not used anymore. (The same recommendations also apply for POP3 vs POP3S and IMAP vs IMAPS.)

Details

The best practice has changed with RFC 8314 Section 3.3:

When a TCP connection is established for the "submissions" service (default port 465), a TLS handshake begins immediately. […]

The STARTTLS mechanism on port 587 is relatively widely deployed due to the situation with port 465 (discussed in Section 7.3). This differs from IMAP and POP services where Implicit TLS is more widely deployed on servers than STARTTLS. It is desirable to migrate core protocols used by MUA software to Implicit TLS over time, for consistency as well as for the additional reasons discussed in Appendix A. However, to maximize the use of encryption for submission, it is desirable to support both mechanisms for Message Submission over TLS for a transition period of several years. As a result, clients and servers SHOULD implement both STARTTLS on port 587 and Implicit TLS on port 465 for this transition period. Note that there is no significant difference between the security properties of STARTTLS on port 587 and Implicit TLS on port 465 if the implementations are correct and if both the client and the server are configured to require successful negotiation of TLS prior to Message Submission.

The cited Appendix A then elaborates on the decision to prefer implicit TLS for all of SMTP, POP3 and IMAP, because of these main points:

  1. We want to only have encrypted connections everywhere anyway, so there is no point in maintaining a backward-compatible version of all these protocols when, in practice, that compatibility isn't used
  2. There have been exploits of the STARTTLS negotiation phase because of identical issues in several implementations
ntninja

As IETF RFC8314 Section 7.4 outlined, “Although STARTTLS on port 587 has been deployed, it has not replaced the deployed use of Implicit TLS submission on port 465.”

465/tcp (direct TLS) has strong Internet deployment of SMTP MTAs today due to 587/tcp (STARTTLS) being too easy to man-in-the-middle.

John Greene