Linode Forum https://forum.linode.com/

How important to uncomment "submission" and "smtps" lines in /etc/postfix/master.cf ? https://forum.linode.com/viewtopic.php?f=11&t=11861

Author: dee4 [ Mon May 25, 2015 3:51 pm ]
Post subject: How important to uncomment "submission" and "smtps" lines in /etc/postfix/master.cf ?
The guide https://www.linode.com/docs/email/email ... -and-mysql says this:

Quote: ...uncomment the two lines [of master.cf] starting with submission and smtps.

I have run a Postfix server for years without doing this. It seemed to be running fine. I didn't get any complaints from mail server checkers out there. But to be sure, I thought I'd ask: was not uncommenting these lines a bad idea? What could the consequences have been?

Author: Vance [ Mon May 25, 2015 8:53 pm ]
Post subject: Re: How important to uncomment "submission" and "smtps" lines in /etc/postfix/master.cf ?
Uncommenting the "submission" line instructs Postfix to listen on port 587 for mail submission. If you don't have users submitting mail from outside the server, then this is not a problem. Uncommenting the "smtps" line tells Postfix to listen on port 465 for mail over TLS, but this is not generally used since STARTTLS is widely supported.

Edited: last sentence was worded incorrectly and stated the opposite of what I meant. Should be clearer now.

Author: dee4 [ Thu May 28, 2015 4:33 pm ]
Post subject: Re: How important to uncomment "submission" and "smtps" lines in /etc/postfix/master.cf ?
Vance wrote: Uncommenting the "submission" line instructs Postfix to listen on port 587 for mail submission. If you don't have users submitting mail from outside the server, then this is not a problem. Uncommenting the "smtps" line prevents Postfix from listening on port 465 for mail over TLS, but this is not generally used since STARTTLS is widely supported.

As always, thanks for your replies. Not sure what I'd have done without you here over the years. Much appreciated. To make sure I'm understanding you right (I believe you may have written your words in a hurry so some of it sounded incorrect, but I could be mistaken):
Please correct me if I'm wrong.

Author: dee4 [ Thu May 28, 2015 4:38 pm ]
Post subject: Re: How important to uncomment "submission" and "smtps" lines in /etc/postfix/master.cf ?
I also have other questions I'm struggling with:
https://stackoverflow.com/questions/15796530/what-is-the-difference-between-ports-465-and-587 doesn't explain everything to me. First of all, I am actually able to do [plain SMTP] + [STARTTLS] on all three ports using the tool https://github.com/drwetter/testssl.sh. So I don't see the real difference between these three ports yet. I "just don't get it", as they say. Furthermore: There are three things that my linode's Postfix does:

Author: Vance [ Fri May 29, 2015 2:30 am ]
Post subject: Re: How important to uncomment "submission" and "smtps" lines in /etc/postfix/master.cf ?
dee4 wrote:

This is correct. The "submission" and "smtps" are names that can be used in place of port numbers. If you look at /etc/services, you will see a whole long list of these names and the ports to which they correspond. Postfix, and many other programs (but not all), recognize the names in /etc/services. For example, telnet bar.example.net smtp would attempt to connect to port 25 on bar.example.net.

dee4 wrote: Are you able to explain, the way you see it, the differences between ports 25, 587, and 465?

Port 25 has been used for many, many years for exchanging mail. All connections are initially plaintext, but can be upgraded to an encrypted connection if both sides support STARTTLS. You can test this as follows, assuming your Internet provider does not block connections to port 25 (very many do):

Code:
$ telnet bar.example.net 25

In this test, the EHLO and QUIT lines are commands I typed. In response to the EHLO, the server responded that it supports STARTTLS. You'll also note that it supports AUTH, which means that one could authenticate with a username and password when sending a message.

According to the Wikipedia entry, port 465 was at one time intended to be used for TLS-encrypted (only) connections to mail servers. Think of the relationship between 25 and 465 the same as ports 80 (used for plain http) and 443 (used for https). Apparently the need to dedicate a separate port to smtps was obsoleted by the development of STARTTLS, but some clients and servers still support using it.

Port 587 is intended for mail submission. Distinct from relaying, where a mail server simply hands a message off to another that it thinks is an appropriate destination, some additional assumptions (delineated in RFC 6409) apply to submission. First, the server needs to authenticate the submitter by some method - this could be AUTH (mentioned above), by recognizing the IP address of the submitter, or something else entirely. The server also needs to verify that the message is well-formed and do some clean-ups if it isn't. While in theory port 25 can also be used for this, using a different port cleanly separates submission from relaying and avoids the problem of ISPs blocking access to port 25.
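The EHLO exchange Vance walks through above, as an added example that is not code from the thread or from the Linode guide: a small Python probe that connects to an SMTP port, reads the 220 banner, sends EHLO and reports whether STARTTLS and AUTH are advertised. It also handles the other case that comes up later in the thread: a listener in Postfix wrapper mode (smtps on 465) expects a TLS ClientHello first and never sends a cleartext banner, so a banner timeout is reported as implicit TLS instead of an EHLO failure. The mock server, its hostname mock.example.invalid and its capability list are constructed for the demo; the probe itself can be pointed at any host and port you administer.

```python
"""Probe an SMTP listener: cleartext with STARTTLS offered, cleartext only,
or TLS from the first byte (Postfix smtpd_tls_wrappermode, i.e. smtps)?

Added example, not code from the thread. The mock server, the hostname
mock.example.invalid and the capability list are constructed for the demo."""
import socket
import threading

# Constructed capabilities in the shape Postfix returns them after EHLO.
MOCK_CAPABILITIES = ["PIPELINING", "SIZE 10240000", "STARTTLS",
                     "AUTH PLAIN LOGIN", "8BITMIME"]


def parse_ehlo_response(raw):
    """Return the capability keywords from a multi-line 250 reply to EHLO.

    Lines look like '250-<cap>', the last one '250 <cap>'; the first 250
    line carries the server's hostname, not a capability, so it is dropped."""
    caps = [line[4:].strip() for line in raw.splitlines()
            if line.startswith("250") and len(line) > 4]
    return caps[1:]


def _read_reply(sock):
    """Read one complete SMTP reply: it ends with a '<code><space>...' line."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        if data.endswith(b"\r\n"):
            last = data[:-2].rsplit(b"\r\n", 1)[-1]
            if len(last) >= 4 and last[3:4] == b" ":
                break
    return data.decode("ascii", errors="replace")


def probe_listener(host, port, timeout=1.0):
    """Classify a listener as 'implicit-tls', 'starttls' or 'cleartext-only'.

    A wrapper-mode (smtps) port waits for a TLS ClientHello and sends no
    plaintext banner, so a banner timeout is taken as implicit TLS. On a
    cleartext port we send EHLO and look for STARTTLS among the capabilities."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            banner = _read_reply(sock)
        except socket.timeout:
            return {"mode": "implicit-tls", "banner": "", "capabilities": []}
        sock.sendall(b"EHLO probe.example.invalid\r\n")
        caps = parse_ehlo_response(_read_reply(sock))
        sock.sendall(b"QUIT\r\n")
    mode = "starttls" if "STARTTLS" in caps else "cleartext-only"
    return {"mode": mode, "banner": banner.strip(), "capabilities": caps}


def _serve(conn, mode):
    """Mock smtpd: 'plain' speaks cleartext SMTP; 'wrapped' stays silent, as a
    TLS-wrapped listener does until the client starts the handshake."""
    with conn:
        if mode == "wrapped":
            conn.settimeout(5.0)
            try:
                conn.recv(1)  # would be the ClientHello; the probe sends none
            except socket.timeout:
                pass
            return
        conn.sendall(b"220 mock.example.invalid ESMTP (constructed)\r\n")
        buf = b""
        while True:
            chunk = conn.recv(1024)
            if not chunk:
                return
            buf += chunk
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                cmd = line.decode("ascii", errors="replace").upper()
                if cmd.startswith("EHLO"):
                    lines = ["250-mock.example.invalid"]
                    lines += ["250-" + c for c in MOCK_CAPABILITIES[:-1]]
                    lines.append("250 " + MOCK_CAPABILITIES[-1])
                    conn.sendall(("\r\n".join(lines) + "\r\n").encode())
                elif cmd.startswith("QUIT"):
                    try:
                        conn.sendall(b"221 Bye\r\n")
                    except OSError:
                        pass  # client may already have closed
                    return
                else:
                    conn.sendall(b"502 Command not implemented\r\n")


def start_mock_server(mode="plain"):
    """Start a one-shot mock listener on 127.0.0.1 and return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        _serve(conn, mode)

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    for mode in ("plain", "wrapped"):
        print(mode, probe_listener("127.0.0.1", start_mock_server(mode)))
```

Against a server set up per the guide, ports 25 and 587 should come back as starttls (with AUTH listed on 587), while a 465 listener that really runs in wrapper mode comes back as implicit-tls because no cleartext banner ever arrives. The timeout heuristic only says something once the TCP connect has succeeded; a filtered port fails earlier with a connection error rather than being misreported.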

Author: dee4 [ Fri May 29, 2015 3:06 pm ]
Post subject: Re: How important to uncomment "submission" and "smtps" lines in /etc/postfix/master.cf ?
Thanks, but to again make sure I'm getting this:
Is all of this correct, or are there still some holes in my understanding?

Author: dee4 [ Fri May 29, 2015 3:28 pm ]
Post subject: Re: How important to uncomment "submission" and "smtps" lines in /etc/postfix/master.cf ?
And one other thing that confuses me is port 465. Configuring things using Linode's guide, port 465 doesn't end up like a real SSL end-point. It behaves just like SMTP + STARTTLS -- just like 25 and 587. This confuses me. On the other hand, there is a smtpd_tls_wrappermode that I can set to yes only for port 465 (smtps) within Postfix's master.cf file. Doing this seems to turn it into a genuine SSL endpoint. Do you recommend I do this?

Author: Vance [ Sat May 30, 2015 9:33 pm ]
Post subject: Re: How important to uncomment "submission" and "smtps" lines in /etc/postfix/master.cf ?
dee4 wrote: Port 587 is only used by desktop email clients to send emails to my mail server (the desktop user's end being to send emails to others). Port 587 is never used for anything else.

Correct. (Although it doesn't necessarily have to be a "desktop" client; for example, postfix is capable of acting as a client.)

dee4 wrote: Port 25 can, like port 587, be used by a desktop email client to send emails to my mail server (the desktop user's end being to send emails to others). But port 25 is also used by a mail server to send emails to another mail server.

Also correct. The normal configuration for postfix should only allow relaying from trusted machines (permit_mynetworks) or from clients that have authenticated with a username and password (permit_sasl_authenticated), no matter which port the mail comes in via. As I previously noted, many (most?) ISPs block outgoing connections to port 25, so if you have clients sending mail through your server you should definitely enable port 587.

dee4 wrote: Finally, port 465 (although deprecated) is, like port 25, used by a mail server to send emails to another mail server. It is never used for anything else. Update: No, I believe I was wrong. Seems like 465 is also only for submission like 587. If I only use recent email clients, I should block this port entirely.

I honestly don't know. You'd probably have to research this a bit to see whether it was intended for server-to-server connections. My opinion (which is largely uninformed) is that unless you specifically have clients which need port 465, don't bother with it.

dee4 wrote: Configuring things using Linode's guide, port 465 doesn't end up like a real SSL end-point. It behaves just like SMTP + STARTTLS -- just like 25 and 587.

This doesn't make sense to me. If you were going to just offer STARTTLS, then port 25 is just fine. The only logical reason to use a separate port is if it is TLS only. The postfix TLS README seems to back up this idea in its discussion of smtpd_tls_wrappermode. My sense is that there are not really clear standards around the use of port 465, so the "right" behavior revolves around what the clients in use expect.

dee4 wrote: And finally, of course: Getting new emails by desktop email clients is done through IMAP/Dovecot on port 993 which has nothing to do with Postfix.

Also correct. I can't really help much with Dovecot questions. :-)

Author: tknarr [ Fri Jun 05, 2015 7:49 am ]
Post subject: Re: How important to uncomment "submission" and "smtps" lines in /etc/postfix/master.cf ?
dee4 wrote: And one other thing that confuses me is port 465. Configuring things using Linode's guide, port 465 doesn't end up like a real SSL end-point. It behaves just like SMTP + STARTTLS -- just like 25 and 587.

The key is understanding that ports 25 (smtp) and 587 (submission) listen "in the clear" and use the STARTTLS command to turn on SSL encryption, while port 465 (smtps) listens using SSL from the start and so doesn't need STARTTLS. 465's been obsolete for its original purpose (an alternative to port 25 for encrypted server-to-server transfer) for a long time, but it's been repurposed as an alternative to 587 for old mail clients that can use SSL but that don't support the STARTTLS command. Since all modern mail clients do STARTTLS just fine, 465 isn't normally needed and can be left disabled. If you hit old mail client software that just refuses to work with 587, turning on 465 and telling the client to use SSL and port 465 for outgoing SMTP is a last resort.

If you follow the Linux guides and the default settings in master.cf, the ports are:

25 - listens in the clear, supports STARTTLS. Used for server-to-server mail transfer, doesn't support the authentication needed for mail clients to use it.
587 - listens in the clear, supports and requires STARTTLS, supports and requires authentication. Used for mail clients to submit outgoing mail.
465 - listens using SSL, always encrypted, supports and requires authentication. Used for mail clients to submit outgoing mail. Not needed unless you have to support very old mail client software.
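To show what tknarr's three-port summary, dee4's smtpd_tls_wrappermode question and Vance's relaying remark look like in Postfix terms, here is an added master.cf/main.cf fragment. It is not the Linode guide's file and not posted by anyone in the thread: 25 stays cleartext with STARTTLS optional (so other mail servers that cannot do TLS can still deliver), 587 is cleartext with STARTTLS and SASL authentication both mandatory, and 465 is TLS-wrapped via smtpd_tls_wrappermode with SASL mandatory. The column layout is the standard master.cf format; the chroot column ("-" here) and the SASL backend are assumed to match whatever the rest of your configuration already uses.

```text
# /etc/postfix/master.cf  (added example, not the guide's file)
# service  type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# /etc/postfix/main.cf  (only the lines relevant here)
# Port 25 offers STARTTLS but does not require it: "encrypt" here would
# refuse mail from remote servers that cannot do TLS.
smtpd_tls_security_level = may
# Relay only for trusted networks or authenticated clients, whichever port
# the mail arrived on (Vance's point above).
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
```

After `postfix reload`, `postconf -M submission/inet smtps/inet` (Postfix 2.11 or later) prints the resulting master.cf entries so you can confirm the -o overrides took. The behavioural difference dee4 was looking for is then visible from a client: `openssl s_client -starttls smtp -connect bar.example.net:587` reads the cleartext banner and EHLO reply before negotiating TLS, whereas `openssl s_client -connect bar.example.net:465` must handshake immediately, and a plain `telnet bar.example.net 465` shows no banner at all. If 465 instead greets you in cleartext, wrapper mode is not in effect and the port is just another STARTTLS listener.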

Author: diltonm [ Fri Jun 05, 2015 10:03 am ]
Post subject: Re: How important to uncomment "submission" and "smtps" lines in /etc/postfix/master.cf ?
tknarr wrote: dee4 wrote: 465 - listens using SSL, always encrypted, supports and requires authentication. Used for mail clients to submit outgoing mail. Not needed unless you have to support very old mail client software.

I use Evolution and Android clients but as long as it's available I plan to continue to use 465. "listens using SSL, always encrypted, supports and requires authentication" sounds really good compared to "listens in the clear and ...".

Author: sleddog [ Fri Jun 05, 2015 4:49 pm ]
Post subject: Re: How important to uncomment "submission" and "smtps" lines in /etc/postfix/master.cf ?
diltonm wrote: tknarr wrote: dee4 wrote: 465 - listens using SSL, always encrypted, supports and requires authentication. Used for mail clients to submit outgoing mail. Not needed unless you have to support very old mail client software. I use Evolution and Android clients but as long as it's available I plan to continue to use 465. "listens using SSL, always encrypted, supports and requires authentication" sounds really good compared to "listens in the clear and ...".

I use port 587 with TLS/STARTTLS required. Once given the mail server name, Android and iOS clients detect the port & encryption and work just fine.

All times are UTC-04:00