postfix-users May 2010 archive

Re: which port to use for SSL/TLS?

From: Phil Howard <ttiphil_at_nospam>
Date: Fri May 21 2010 - 19:26:33 GMT
To: postfix-users@postfix.org

On Fri, May 21, 2010 at 14:48, Matt Hayes <dominian@slackadelic.com> wrote:

> On 5/21/2010 2:33 PM, Phil Howard wrote:
> > I'm trying to find out what port is to be used with "always on" SSL/TLS
> > (e.g. no STARTTLS command needed, it just does SSL/TLS once the TCP
> > connection is made, which I understand smtpd_tls_wrappermode=yes will
> > do), and the RFCs are coming up empty. I thought it was 587. But
> > RFC4409 doesn't say if this is, or is not, SSL/TLS. Some mail clients
> > are using 465 by default, but that isn't even official for anything
> > email related. Anyone know where this port 465 came from? RFC4409
> > seems to just be about doing authentication to allow submission (e.g.
> > submission protocol, smtp with authentication added). We definitely
> > need to have a port running with "always on" SSL/TLS so certain access
> > rules can be enforced at firewalls (that I seriously doubt can be easily
> > made to verify that STARTTLS gets used). In theory, this would be the
> > same as if I used stunnel listening on (probably) 587 and reconnecting
> > back to [::1]:25 (aside from losing the ability to do any connection
> > peer IP address checks).
> >
>
>
> Well, you can put SSL/TLS on any port really. Submission being 587,
> pop3s being 995, smtps being 465.. which ports are you wanting SSL/TLS on?
>

I want it on a non-conflicting port, or at least one I know I won't ever use
(which is pretty much the null set).

According to ftp://ftp.iana.org/assignments/port-numbers port 465 is
assigned to something else:

# Theodore Ts'o <tytso*MIT.EDU>
urd 465/tcp URL Rendesvous Directory for SSM
igmpv3lite 465/udp IGMP over UDP for SSM

So that leaves me with:

# Jon Postel <postel*isi.edu>
                 24/tcp any private mail system
                 24/udp any private mail system
# Rick Adams <rick*UUNET.UU.NET>
smtp 25/tcp Simple Mail Transfer
smtp 25/udp Simple Mail Transfer

and:

submission 587/tcp Submission
submission 587/udp Submission

It does look like these:

# Vera Heinau <heinau*fu-berlin.de>
# Heiko Schlichting <heiko*fu-berlin.de>
telnets 992/tcp telnet protocol over TLS/SSL
telnets 992/udp telnet protocol over TLS/SSL
imaps 993/tcp imap4 protocol over TLS/SSL
imaps 993/udp imap4 protocol over TLS/SSL
ircs 994/tcp irc protocol over TLS/SSL
ircs 994/udp irc protocol over TLS/SSL
# Christopher Allen <ChristopherA*consensus.com>
pop3s 995/tcp pop3 protocol over TLS/SSL (was spop3)
pop3s 995/udp pop3 protocol over TLS/SSL (was spop3)

and a few others are clearly over TLS/SSL (and not just STARTTLS as an
option). Since port 25 must stay clear for acceptance of (insecure) mail
exchange, at least it could use STARTTLS (why not?). So I wasn't expecting
that submission (starting in the clear) would need a separate port (e.g. its
current standard of 587 ... and apparently not over TLS/SSL).

There don't seem to be enough ports, if submission and/or STARTTLS are more
than mere extensions to SMTP.

I guess I can use port 24?
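The practical question behind this thread is which of a server's listeners a firewall can actually hold to "always on" TLS: only a wrapper-mode port (`smtpd_tls_wrappermode=yes`), since on a STARTTLS port the upgrade happens inside the session and a port filter cannot see whether it occurred, so there the enforcement has to be `smtpd_tls_security_level=encrypt` in Postfix itself. The following is an added example, not code from this thread or from the Postfix project: it parses a master.cf fragment, layers each service's `-o key=value` overrides on top of main.cf values, and reports the effective TLS posture of every inet listener. The name-to-port table (`smtp`, `submission`, `smtps`) is an /etc/services-style assumption, the sample master.cf is constructed, and the legacy `smtpd_use_tls`/`smtpd_enforce_tls` handling follows the documented rule that `smtpd_tls_security_level` supersedes them.

```python
"""Audit the TLS posture of Postfix inet listeners from a master.cf fragment.

Added example, not code from the mailing-list thread or from the Postfix
project. It parses the master.cf service table, layers each service's
"-o key=value" overrides on top of main.cf values, and reports whether a
listener is implicit TLS (smtpd_tls_wrappermode=yes), STARTTLS-required,
STARTTLS-optional or plaintext.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: conventional /etc/services-style names for the ports in the thread.
SERVICE_PORTS = {"smtp": 25, "submission": 587, "smtps": 465}


@dataclass
class Listener:
    name: str                                   # master.cf service column
    port: Optional[int]
    options: Dict[str, str] = field(default_factory=dict)


def _service_port(name: str) -> Optional[int]:
    """Map a service column ('smtp', '587', '127.0.0.1:24') to a TCP port."""
    _, sep, tail = name.rpartition(":")
    label = tail if sep else name
    return int(label) if label.isdigit() else SERVICE_PORTS.get(label)


def _collect_options(tokens: List[str], into: Dict[str, str]) -> None:
    """Pick up '-o key=value' pairs from a token list."""
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens):
            key, _, value = tokens[i + 1].partition("=")
            into[key] = value


def parse_master_cf(text: str) -> List[Listener]:
    """Return the inet services of a master.cf fragment with their overrides.

    A logical entry starts in column one; lines that start with whitespace
    continue the previous entry. Only 'inet' (TCP) services are kept.
    """
    listeners: List[Listener] = []
    current: Optional[Listener] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None:
                _collect_options(raw.split(), current.options)
            continue
        fields = raw.split()
        # name type private unpriv chroot wakeup maxproc command [args...]
        if len(fields) < 8 or fields[1] != "inet":
            current = None
            continue
        current = Listener(name=fields[0], port=_service_port(fields[0]))
        _collect_options(fields[8:], current.options)
        listeners.append(current)
    return listeners


def classify(listener: Listener, main_cf: Dict[str, str]) -> Dict[str, object]:
    """Effective TLS mode: master.cf '-o' overrides beat main.cf values."""
    def setting(key: str, default: str) -> str:
        return listener.options.get(key, main_cf.get(key, default)).lower()

    wrapper = setting("smtpd_tls_wrappermode", "no") in ("yes", "true", "on", "1")
    level = setting("smtpd_tls_security_level", "")
    if not level:  # legacy knobs that smtpd_tls_security_level supersedes
        if setting("smtpd_enforce_tls", "no") == "yes":
            level = "encrypt"
        elif setting("smtpd_use_tls", "no") == "yes":
            level = "may"
    if wrapper:
        mode = "implicit TLS (wrapper mode)"
        enforced_by = "the port itself: a firewall can require it"
    elif level == "encrypt":
        mode = "STARTTLS required"
        enforced_by = "server policy only; invisible to a port-level filter"
    elif level == "may":
        mode = "STARTTLS optional"
        enforced_by = "nothing: the client may stay in the clear"
    else:
        mode = "plaintext"
        enforced_by = "n/a"
    return {"service": listener.name, "port": listener.port,
            "mode": mode, "enforced_by": enforced_by}


def audit(master_cf: str, main_cf: Dict[str, str]) -> List[Dict[str, object]]:
    """Classify every inet listener in the fragment."""
    return [classify(lst, main_cf) for lst in parse_master_cf(master_cf)]


# Constructed sample configuration (not taken from the thread).
SAMPLE_MASTER_CF = """\
# service  type private unpriv chroot wakeup maxproc command + args
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
127.0.0.1:24 inet n - n - - smtpd -o smtpd_tls_security_level=none
pickup     unix  n  -  n  60 1  pickup
"""
SAMPLE_MAIN_CF = {"smtpd_tls_security_level": "may"}

if __name__ == "__main__":
    for row in audit(SAMPLE_MASTER_CF, SAMPLE_MAIN_CF):
        print(f"{row['service']:<14} port {row['port']!s:<5} "
              f"{row['mode']:<29} enforced by {row['enforced_by']}")
```

Run against the constructed sample, the report shows port 25 as STARTTLS-optional (inherited from main.cf), 587 as STARTTLS-required (by Postfix policy, which a firewall cannot check), 465 as the only listener where the port number alone guarantees TLS, and the private port 24 as plaintext. That is the split the thread is circling: a firewall rule can only pin down wrapper-mode ports, so anything else the firewall needs to "enforce" has to be enforced in master.cf instead.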