Postfix – Configuring TLS/STARTTLS and Ports 465/587

Tags: email-server, postfix, ssl

I'm setting up a barebones Postfix mail server and have this observation:

  • TLS works on port 465
  • STARTTLS works on port 587
  • TLS does NOT work on port 587
  • STARTTLS does NOT work on port 465

Is this normal SMTP behavior or is it specific to Postfix? I was reading that using port 465 was discouraged and not RFC compliant.

https://www.mailgun.com/blog/which-smtp-port-understanding-ports-25-465-587

Is it then not possible to be RFC compliant on port 587, AND use TLS instead of STARTTLS?

Best Answer

Is this normal SMTP behavior or is it specific to Postfix?

This is normal behavior.
Port 25 (smtp) and port 587 (submission) are reserved for SMTP with explicit TLS, i.e. plain connect and upgrade to TLS with the STARTTLS command. Port 465 (smtps) is reserved for SMTP with implicit TLS, i.e. TLS right after the TCP connect without any special SMTP command.

Port 25 is always used for MTA to MTA communication, i.e. for the delivery of a mail from one mail server to the next. This is because the server is found using a DNS MX lookup and there is no support for specifying a port using MX records.

Ports 465 and 587 are used by mail clients to submit a mail to the mail server for delivery (in some setups they might also use port 25). These ports usually also require authentication of the client.

I was reading that using port 465 was discouraged and not RFC compliant.

Explicit TLS is defined in RFC 3207. Implicit TLS was defined in RFC 8314 in 2018, which was only after the article you refer to was published.
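The four observations in the question, and the answer's explanation of why the mismatched combinations fail, can be reproduced with the following probe. This is an added example, not code from the post or from Postfix: it connects to a host and port supplied by the caller in either implicit-TLS mode (TLS first, as on 465) or STARTTLS mode (cleartext banner and EHLO first, as on 25/587), and reports which failure mode it hit. The EHLO replies embedded for the parser are constructed samples.

```python
"""Probe an SMTP listener in the two TLS modes discussed above:
implicit TLS (TLS first, RFC 8314, port 465) and explicit TLS
(cleartext banner + EHLO, then STARTTLS, RFC 3207, ports 25/587).

Added example, not code from the original post or from Postfix. The
target host/port are the caller's; the EHLO samples below are constructed.
"""
import argparse
import smtplib
import ssl

# Mode a standards-following client uses per port (RFC 8314 section 3.3).
PORT_MODES = {25: "starttls", 587: "starttls", 465: "implicit"}


def mode_for_port(port: int) -> str:
    """Return 'implicit' for 465 and 'starttls' for 25/587 and unknown ports."""
    return PORT_MODES.get(port, "starttls")


def ehlo_offers_starttls(ehlo_response: bytes) -> bool:
    """True if an EHLO response advertises the STARTTLS extension.

    Accepts both the wire form (b'250-STARTTLS') and the form smtplib's
    ehlo() returns, where the '250' and separator are already stripped
    from each line (b'STARTTLS'). The first line is the server's hostname.
    """
    for line in ehlo_response.splitlines()[1:]:
        if line[:3] == b"250" and line[3:4] in (b"-", b" "):
            line = line[4:]
        keyword = line.strip().split(b" ", 1)[0].upper()
        if keyword == b"STARTTLS":
            return True
    return False


# Constructed sample EHLO replies, mimicking a Postfix submission listener.
SAMPLE_EHLO_WITH_STARTTLS = (  # as returned by smtplib's ehlo()
    b"mail.example.com\nPIPELINING\nSIZE 10240000\nSTARTTLS\nAUTH PLAIN LOGIN\n8BITMIME"
)
SAMPLE_EHLO_WIRE = (  # raw wire form with status codes
    b"250-mail.example.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
)
SAMPLE_EHLO_NO_STARTTLS = b"mail.example.com\nPIPELINING\n8BITMIME"


def probe(host: str, port: int, mode: str = "", timeout: float = 10.0) -> dict:
    """Connect in the given (or per-port default) mode and report what happened."""
    mode = mode or mode_for_port(port)
    ctx = ssl.create_default_context()  # verifies the server certificate
    result = {"host": host, "port": port, "mode": mode, "ok": False}
    try:
        if mode == "implicit":
            # TLS handshake on connect; the 220 banner arrives inside the tunnel.
            conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:
            # Cleartext banner and EHLO first, then upgrade with STARTTLS.
            conn = smtplib.SMTP(host, port, timeout=timeout)
            code, msg = conn.ehlo()
            if code != 250 or not ehlo_offers_starttls(msg):
                raise smtplib.SMTPNotSupportedError("server did not advertise STARTTLS")
            conn.starttls(context=ctx)
        conn.ehlo()  # re-EHLO after TLS: capabilities may differ (e.g. AUTH)
        result.update(ok=True, tls_version=conn.sock.version(),
                      auth_offered=conn.has_extn("auth"))
        conn.quit()
    except ssl.SSLCertVerificationError as exc:
        result.update(error=f"certificate verification failed: {exc}")
    except ssl.SSLError as exc:
        # Implicit TLS against a STARTTLS listener (e.g. 587): the cleartext
        # '220' banner is read as a TLS record and the handshake dies.
        result.update(error=f"TLS handshake failed: {exc}",
                      hint="listener speaks cleartext SMTP first; try --mode starttls")
    except smtplib.SMTPServerDisconnected as exc:
        # STARTTLS against an implicit-TLS listener (e.g. 465): no banner
        # arrives in the clear because the server waits for a ClientHello,
        # so the banner read times out and smtplib reports a disconnect.
        result.update(error=str(exc),
                      hint="no cleartext banner; listener may expect TLS first, try --mode implicit")
    except (OSError, smtplib.SMTPException) as exc:
        result.update(error=str(exc))
    return result


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    ap.add_argument("host")
    ap.add_argument("port", type=int)
    ap.add_argument("--mode", choices=("implicit", "starttls"), default="",
                    help="override the per-port default to reproduce the mismatches")
    args = ap.parse_args()
    for key, value in probe(args.host, args.port, args.mode).items():
        print(f"{key}: {value}")
```

Running it as `python3 probe.py mail.example.com 587 --mode implicit` shows the STARTTLS listener rejecting a leading ClientHello, and `python3 probe.py mail.example.com 465 --mode starttls` shows the cleartext banner read timing out; the per-port defaults succeed on a correctly configured server. On the Postfix side these two listeners are the `smtps` and `submission` entries in master.cf: the 465 entry sets `smtpd_tls_wrappermode=yes` (implicit TLS), while the 587 entry uses `smtpd_tls_security_level=encrypt` so that STARTTLS is mandatory before AUTH is accepted.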