On 15 Jun 2015, at 18:44, Mike McKoy wrote:
I believe what Larry said is correct. I would use a port forward rule to forward mail from other MTAs to port 587. You can do this easily with iptables. Plenty of examples are on the net.
[...]
If I'm wrong, someone correct me.
You're wrong.
Port 587 is for submission of mail by your own known users. It should
require TLS encryption and SMTP AUTH as MANDATORY for accepting ANY
email. The exceptions should only be for mail submissions using
alternative forms of authentication enforced by the MSA over channels
with low potential for snooping.
Port 25 is for transport of email from anyone anywhere for your users.
By definition that may include mail from systems that have no possible
mechanism for authentication with the receiving server. Due to
carelessness and acts of poor judgment (e.g. using Cisco firewalls in
default modes, overly restricting TLS details, using antique software,
etc.) many sites cannot use TLS for email transport.
Port 25 SMTP and port 587 mail submission are defined as 2 different
protocols because they must be. This isn't accidental, it was a very
conscious and long-resisted split to specify submission as a distinct
thing. Anyone port-mapping them to a single service should be handed an
apron & fryer basket and taught to upsell big drink meal combos, as this
would be a sign of actively rejecting critical facts of email
administration.
--
Mike McKoy
*404.590.7176*
http://MyForeverHair.com
http://www.MyModelTalk.com
http://InCrowdUSA.net
http://www.google.com/profiles/mikemckoy
On Mon, Jun 15, 2015 at 1:03 PM, Larry Stone <lston...@stonejongleux.com> wrote:
On Mon, 15 Jun 2015, L. D. James wrote:
You don't need to open port 25. Port 25 is for sending, not receiving mail. Many administrators consider Port 25 a security risk and block it to prevent having their system exploited.
You can use port 587 for sending rather than Port 25. Some administrators open port 25 so that their clients can use it for sending email (not receiving). You wouldn't have to do this (have port 25 opened) if you tell the people who have accounts on your server and will be using your server for sending email.
This is wrong, wrong, wrong and should be ignored.
But first off, terminology. For one system to be sending, another has to be receiving. Port 25 is used by an MTA to receive mail from another MTA. It can also be used by an MTA to receive mail from an MUA (Mail User Agent - a user mail program such as Outlook) although that is not "best practice" these days. 587 (aka the submission port) is the preferred port for an MTA to receive mail from an MUA.
Turn off port 25 and you cannot receive mail from another MTA as port 25 is the port MTAs use by default to send to another MTA.
Note that these port numbers (25 and 587) are what the receiving server has open for receiving. The sending MTA or MUA sends from a random port. There is no need to define the port being used on the sender (client). Only the port that a server listens on needs to be defined as it needs to be "well-known". But also note that the term "server" when discussing a mail server can be misleading as a mail server also acts as a client when sending to other mail servers. In the mail world (as well as most of the Internet), clients initiate connections from a random port on the client to a "well-known" and defined port on the server.
So in short:
MTA (acting as client) to another MTA (acting as server) connects from a random port on the client MTA to port 25 on the server MTA.
MUA (always acting as client) to MTA (acting as server) connects from a random port on the MUA to port 587 (preferred) or port 25 (if permitted) on the server MTA.
Use of port 465 was deliberately not included in the above as it does not seem to be part of the OP's issue.
-- Larry Stone
lston...@stonejongleux.com
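The split the reply above insists on (TLS and SMTP AUTH mandatory on 587, anonymous transport on 25 for local recipients only) together with Larry's summary of which role connects to which port, as an added example that is not part of this thread: a small in-memory simulation of the two per-port policies in Python. The host name mail.example.org, the domain example.org and the account alice are constructed sample values; the choice never to offer AUTH on port 25 is a modelling decision, not something the thread prescribes for any particular MTA.

```python
"""Per-port SMTP acceptance policy, simulated in memory.

Added example; not code from the thread. It models the rule the reply
states: port 587 (submission) accepts nothing until the client has
completed STARTTLS and authenticated as a known user, while port 25
(transport) accepts mail from anyone but only for local recipients and
never offers AUTH. Host name, domain and account are constructed values.
"""

LOCAL_DOMAINS = {"example.org"}        # constructed: the domains this MTA hosts
USERS = {"alice": "correct horse"}     # constructed: submission accounts


class SmtpPolicy:
    """Tiny SMTP command handler whose answers depend on the listening port."""

    def __init__(self, port):
        if port not in (25, 587):
            raise ValueError("only 25 (transport) and 587 (submission) are modelled")
        self.port = port
        self.tls = False      # STARTTLS completed?
        self.user = None      # authenticated user name, if any
        self.sender = None    # envelope sender from MAIL FROM
        self.accepted = []    # (sender, recipient) pairs accepted this session

    def ehlo(self):
        """Capabilities advertised: AUTH only on 587, and only once TLS is up."""
        caps = ["250-mail.example.org"]
        if not self.tls:
            caps.append("250-STARTTLS")
        if self.port == 587 and self.tls:
            caps.append("250-AUTH PLAIN LOGIN")
        caps.append("250 OK")
        return caps

    def starttls(self):
        """Stand-in for the TLS handshake; session state resets as RFC 3207 requires."""
        if self.tls:
            return "454 4.7.0 TLS already active"
        self.tls = True
        self.user = None
        self.sender = None
        return "220 2.0.0 Ready to start TLS"

    def auth(self, username, password):
        if self.port != 587:
            return "503 5.5.1 AUTH not offered on this port"
        if not self.tls:
            return "530 5.7.0 Must issue a STARTTLS command first"
        if USERS.get(username) != password:
            return "535 5.7.8 Authentication credentials invalid"
        self.user = username
        return "235 2.7.0 Authentication successful"

    def mail_from(self, sender):
        if self.port == 587:
            if not self.tls:
                return "530 5.7.0 Must issue a STARTTLS command first"
            if self.user is None:
                return "530 5.7.0 Authentication required"
        self.sender = sender
        return "250 2.1.0 OK"

    def rcpt_to(self, recipient):
        if self.sender is None:
            return "503 5.5.1 Error: need MAIL command"
        domain = recipient.rpartition("@")[2].lower()
        if self.port == 25 and domain not in LOCAL_DOMAINS:
            return "554 5.7.1 Relay access denied"   # anonymous senders may not relay
        # Port 587 reaches this point only for an authenticated user, who may relay.
        self.accepted.append((self.sender, recipient))
        return "250 2.1.5 OK"


def transport_session():
    """An unknown remote MTA on port 25: inbound mail accepted, relaying refused."""
    s = SmtpPolicy(25)
    return [
        s.ehlo(),
        s.auth("alice", "correct horse"),          # AUTH is not offered on 25
        s.mail_from("someone@remote.example"),
        s.rcpt_to("bob@example.org"),              # local recipient: accepted
        s.rcpt_to("carol@elsewhere.example"),      # would be relaying: refused
    ]


def submission_session(use_tls=True, password="correct horse"):
    """A known user on port 587: nothing is accepted until TLS and AUTH succeed."""
    s = SmtpPolicy(587)
    replies = [s.mail_from("alice@example.org")]   # before TLS/AUTH: refused
    if use_tls:
        replies.append(s.starttls())
    replies.append(s.auth("alice", password))
    replies.append(s.mail_from("alice@example.org"))
    replies.append(s.rcpt_to("carol@elsewhere.example"))  # relay OK once authenticated
    return replies


if __name__ == "__main__":
    for reply in transport_session() + submission_session():
        print(reply)
```

Running the two sessions side by side shows why port-forwarding 25 onto 587 breaks both roles: a remote MTA cannot satisfy the submission checks, and a submission listener that accepted unauthenticated mail would become an open relay.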
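Larry's point that only the server's listening port is "well-known" while each client connects from a random port, checked against a real kernel on the loopback interface; added example, not from the thread. The listener binds port 0 instead of 25 or 587 because those need privileges, so the kernel-chosen port stands in for the MTA's listening port.

```python
"""Client ephemeral port versus the server's fixed listening port.

Added example, not from the thread. A loopback listener stands in for the
receiving MTA (bound to a kernel-chosen port because 25 and 587 need root);
two plain connects stand in for a sending MTA and an MUA, neither of which
binds a source port, so the kernel assigns each a random high one.
"""
import socket


def connect_twice():
    """Return (server_port, [client_port_1, client_port_2]) as the server saw them."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))          # 0 = any free port; stands in for 25 or 587
        srv.listen(2)
        server_port = srv.getsockname()[1]
        clients, conns, seen = [], [], []
        for _ in range(2):
            # No bind() on the client side: the kernel picks the source port.
            cli = socket.create_connection(("127.0.0.1", server_port))
            conn, peer = srv.accept()
            # The port the server sees is the one the client's kernel chose.
            assert peer[1] == cli.getsockname()[1]
            clients.append(cli)
            conns.append(conn)
            seen.append(peer[1])
        for s in clients + conns:   # keep both open until both exist, so ports differ
            s.close()
        return server_port, seen


if __name__ == "__main__":
    port, client_ports = connect_twice()
    print("server listened on", port, "- clients came from", client_ports)
```

Both connections target the same server port, yet each arrives from a different source port above 1023; a firewall rule for the receiving MTA therefore only ever names the destination port.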