> Matus UHLAR - fantomas wrote:
> >> On Mon, 4 May 2009, LuKreme wrote:
> >>> This is what port 587 is *for*. This is what SASL authentication is *for*.
> > 
> > On 05.05.09 09:25, Charles Gregory wrote:
> >> Hmmmm. Quick (dumb) question. If I tell my users to click the little 
> >> check box in a mail client (Outlook Express or Thunderbird) that says 
> >> "use SMTP authentication", does it automatically switch to port 587, or 
> >> do I need to tell my users how/where to change the port number?
> > 
> > you need the latter.
> > Outlook users may want to use port 465 with non-negotiated SSL.

On 05.05.09 10:45, Adam Katz wrote:
> Funny thing about that; 465 is a non-standard SSL-requiring port for
> SMTP, chosen by Microsoft.  Despite that, Microsoft Outlook (2003+ at
> least) does *not* change the port from 25 when you specify SSL while
> Mozilla Thunderbird will change it to 465.  No configuration on either
> will use 587.

That's because M$ Outlook supports negotiating TLS only on port 25.
On any other port it only supports SSL (non-negotiated) or plaintext. That's
why I recommend (and we do) support port 465.

(I don't remember which Outlook version I've been testing, but I remember
the result).

I don't have any information that it's Microsoft who selected 465 for
smtps, but that's not an issue since it looks to be widely accepted...

> The official recommendation is to require port 587 and require
> authentication over TLS, but until programs default to using it in
> some capacity, it just seems like a bad idea:
> 
> Users are not smart.  Give them the simplest options.
> 
> Use different servers for MX vs outbound SMTP, and for the latter,
> implement all three ports (25 and 587 requiring STARTTLS and
> authentication, 465 being SSL-wrapped and requiring authentication).

We do that. However, we plan to migrate all users to 587/465 to prevent
problems if anyone would block 25 (and so we could do that if anything
happens, some users don't need/have to deliver mail directly)
 
> If you open SMTP like that, you should probably also have something
> connected to your firewall (e.g. fail2ban for Linux) that will drop
> all connections to mail relays that stubbornly try to connect, or at
> least have the SMTP server configured to do something similar.

I haven't noticed any such problem.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
42.7 percent of all statistics are made up on the spot. 
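
The three-port setup discussed in this thread (25 and 587 with STARTTLS, 465 TLS-wrapped, authentication required on all) can be checked from the EHLO replies a server gives before and after TLS. The following is an added example, not part of the original message; the `POLICY` table, the function names and the sample replies are constructed for illustration, and the check that AUTH never appears before TLS is an assumption drawn from "require authentication over TLS".

```python
import re

# Policy from the thread: 25 and 587 upgrade with STARTTLS, 465 is TLS-wrapped,
# and all three require authentication (so AUTH must only appear inside TLS).
POLICY = {25: "starttls", 587: "starttls", 465: "wrapped"}

def ehlo_keywords(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    for line in (reply or "").splitlines()[1:]:  # line 1 is the server name
        # [ =]? also accepts the legacy "AUTH=PLAIN LOGIN" spelling
        m = re.match(r"250[- ]([A-Za-z0-9-]+)[ =]?(.*)", line.strip())
        if m:
            caps[m.group(1).upper()] = m.group(2).split()
    return caps

def audit(port, cleartext_ehlo, tls_ehlo):
    """Return policy findings for one port.
    cleartext_ehlo: EHLO reply seen before any TLS (None if the port did not
    answer in plaintext); tls_ehlo: EHLO reply seen inside the TLS session."""
    mode = POLICY.get(port)
    if mode is None:
        return [f"port {port}: not covered by the policy"]
    findings = []
    pre = ehlo_keywords(cleartext_ehlo)
    if mode == "starttls" and "STARTTLS" not in pre:
        findings.append(f"port {port}: STARTTLS not offered")
    if mode == "wrapped" and cleartext_ehlo is not None:
        findings.append(f"port {port}: answers in plaintext, expected TLS-wrapped")
    if "AUTH" in pre:
        findings.append(f"port {port}: AUTH offered before TLS")
    if "AUTH" not in ehlo_keywords(tls_ehlo):
        findings.append(f"port {port}: AUTH not offered inside TLS")
    return findings

# Constructed sample replies (not captured from any real server).
PRE_OK = "250-mail.example.test\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME"
PRE_BAD = "250-mail.example.test\r\n250-AUTH=PLAIN LOGIN\r\n250 8BITMIME"
POST_TLS = "250-mail.example.test\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"

if __name__ == "__main__":
    for port, pre, post in [(587, PRE_OK, POST_TLS), (25, PRE_BAD, POST_TLS),
                            (465, None, POST_TLS)]:
        print(port, audit(port, pre, post) or "ok")
```
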
