I have been reading the SMTP spec and other related RFCs (mainly 8314 & 6409) and cannot wrap my head around it, so I hope you guys can help me out.

I'm trying to set up an SMTP server for testing delivery of transactional messages, and it is working as expected on submission, that is, if we point our mail sender to it, it will successfully ask for authentication, get the message and store it. All of this through port 587 using TLS.

Now I want to add a catch-all mechanism so that all email delivered to *@mydomain.com is stored on the same database, so I started to do some research. What I found is that once you send an email via SMTP it gets delivered by the MTA using SMTP too, in what the spec calls 'message relay'.

As I understand it, you need to listen on both ports: 587 for 'message submission' (with auth, checking that the sender is on your server) and port 25 for 'message relay' (without auth, checking that the recipient is on your server). Due to limitations of the underlying server framework there will be no STARTTLS support, only Implicit TLS, so no port 465.

So, the question is: am I understanding it right, in that there should be two listening ports with different purposes?

And a bonus one: how does a server negotiate auth when the ports are interchangeable (for example, on cPanel you can use 465 or 25 for submission, the only difference being TLS support on each port; but they also receive incoming mail through port 25)?

It is important to note that the server's purpose is not to send any messages, but only to receive them from either webapps (for example to test if its password reset mailing works) or from other mail servers/MTAs (like Mailinator does, with a wildcard MX record, to test for incoming messages/replies).

Thanks in advance!

  • But... 465 is the implicit TLS port. If there's no STARTTLS then surely you meant "no port 587"? (Which also implies no TLS on port 25, either.) Commented May 7 at 5:47
  • (Also, what's exactly the issue that prevents STARTTLS negotiation? In most TLS libraries that's just an extra function call...) Commented May 7 at 5:49
  • Hi @u1686_grawity, we're using ReactPHP's Socket which currently doesn't support STARTTLS and you are correct, I got the ports wrong: 465 is for Implicit TLS and 587 has the STARTTLS mechanism per the spec.
    – biohzrdmx
    Commented May 7 at 19:12
  • That's surprising, given that the built-in PHP sockets and streams both have STARTTLS support... In that case, I suppose it's fine if you use exclusively the "implicit TLS" 465 for message submission (it's not an uncommon practice), but you should have a separate STARTTLS-capable frontend such as Postfix or OpenSMTPD for handling port 25 so that inbound mail could be secured. Commented May 8 at 4:24

1 Answer

SMTP on port 25 has always been the MTA-to-MTA connection. It was originally pretty open so that your organization could receive email from any other organization without having to arrange authentication ahead of time.

In the early days of MUAs on PCs, they'd also send it via SMTP to port 25 of their org's MTA, but this led to a problem of "open relays" that spammers could abuse. So port 587 was defined as the new port for MUAs to use when submitting email to their org's MTA, so that port 587 could require authentication to keep spammers out. And, as you noted, anything coming in to port 25 had to be for a valid local user or it would be rejected, again to avoid abuse.

So, in general, if you need your MTA to receive mail from other MTAs, you need port 25 open, and if you need your mail server to receive mail from MUAs running on other hosts, you need port 587 open (with authentication required).

  • They recently re-defined port 465 to be used for message submission as well, as the implicit-TLS version of 587. (after a series of screwups where it was un-assigned, then assigned to a different protocol, and then finally returned to SMTP as a dual assignment) Commented May 7 at 5:48
  • Thanks @Spiff, so it seems we must implement both server modes: Submission with authentication/validation of the sender and Relay with only validation of the recipient and have each one listen on its respective port. I'll mark the question as answered.
    – biohzrdmx
    Commented May 7 at 19:20
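The two listener roles described in the question and the answer (port 25: MTA-to-MTA, no AUTH, only local recipients accepted; port 587: submission, AUTH required before MAIL FROM, sender must be local) can be modelled as a small SMTP policy state machine. The following is an added example, not code from the asker or the answerer; it uses no sockets or TLS, and the domain `mydomain.com`, the credential `webapp`/`s3cret`, the `SmtpPolicy` class and every reply text are assumptions constructed for illustration.

```python
"""Minimal SMTP policy state machine for the two listener roles.

Constructed example: one class, parameterised by listening port, that
applies the relay policy (port 25) or the submission policy (port 587).
No network I/O; a scripted dialogue is fed through handle() line by line.
"""
import base64
import hmac

LOCAL_DOMAINS = {"mydomain.com"}   # assumed catch-all domain served by this MX
USERS = {"webapp": "s3cret"}       # assumed submission credentials (plaintext only for illustration)


def _extract_address(arg: str) -> str:
    """'FROM:<alice@example.com>' or 'TO:<bob@mydomain.com>' -> bare address."""
    _, _, rest = arg.partition(":")
    return rest.strip().strip("<>").strip()


def _domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def plain_credential(user: str, password: str) -> str:
    """Build the AUTH PLAIN blob a client sends: base64(authzid NUL user NUL pass)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


class SmtpPolicy:
    def __init__(self, port: int):
        # Port 587 is the submission listener; anything else is treated as relay (port 25).
        self.mode = "submission" if port == 587 else "relay"
        self.authenticated = False
        self.sender = None
        self.recipients = []

    def _auth_plain(self, arg: str) -> str:
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 Unrecognized authentication type"
        try:
            _authzid, user, password = base64.b64decode(blob).decode().split("\0")
        except ValueError:
            return "501 5.5.2 Cannot decode credentials"
        # Constant-time comparison; an unknown user compares against an empty string.
        if hmac.compare_digest(USERS.get(user, "").encode(), password.encode()):
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            # Only the submission listener advertises AUTH; the relay listener never does.
            caps = ["250-mx.mydomain.com"]
            if self.mode == "submission":
                caps.append("250-AUTH PLAIN")
            caps.append("250 OK")
            return "\r\n".join(caps)
        if verb == "AUTH":
            if self.mode != "submission":
                return "503 5.5.1 AUTH not available on this port"
            return self._auth_plain(arg)
        if verb == "MAIL":
            sender = _extract_address(arg)
            if self.mode == "submission":
                if not self.authenticated:
                    return "530 5.7.0 Authentication required"
                if _domain_of(sender) not in LOCAL_DOMAINS:
                    return "553 5.7.1 Sender domain not local"
            self.sender = sender
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 MAIL FROM first"
            rcpt = _extract_address(arg)
            if self.mode == "relay" and _domain_of(rcpt) not in LOCAL_DOMAINS:
                # This check is what keeps the port 25 listener from being an open relay.
                return "550 5.7.1 Relaying denied"
            self.recipients.append(rcpt)
            return "250 2.1.5 OK"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def run_session(port: int, lines: list[str]) -> list[str]:
    """Feed a scripted client dialogue through a fresh policy; return one reply per line."""
    policy = SmtpPolicy(port)
    return [policy.handle(line) for line in lines]


if __name__ == "__main__":
    inbound = ["EHLO mta.example.com", "MAIL FROM:<alice@example.com>",
               "RCPT TO:<bob@mydomain.com>", "RCPT TO:<carol@elsewhere.net>", "QUIT"]
    submit = ["EHLO app.mydomain.com", "MAIL FROM:<app@mydomain.com>",
              f"AUTH PLAIN {plain_credential('webapp', 's3cret')}",
              "MAIL FROM:<app@mydomain.com>", "RCPT TO:<anyone@example.org>", "QUIT"]
    for port, script in ((25, inbound), (587, submit)):
        print(f"--- port {port} ---")
        for cmd, reply in zip(script, run_session(port, script)):
            print(f"C: {cmd}\nS: {reply}")
```

In a real deployment the same policy object would sit behind two accept loops, one per port, and the submission listener would be wrapped in implicit TLS (or STARTTLS where the framework supports it) so that the AUTH PLAIN blob never crosses the wire in clear.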
