Closed MaximilianKohler closed 11 months ago
I'd have picked it up from the documentation. 465 works, right?
To set up a TLS Wrapper connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 465 or 2465. The server presents its certificate, the client issues an EHLO command, and the SMTP session proceeds normally.
Yes, 465 works and I was using it the whole time because it was default. But as I noted, 587 STARTTLS seems to be the recommended option, and per that link, is also supported by SES.
I've been using STARTTLS and port 587 now and it seems to be fine. It sounds like we should change that to be the default since there's not an important reason to default to TLS 465.
There's no need to change this. The docs don't recommend one scheme over the other. Port 465 is typically used for SSL/TLS (or "SMTPS") and 587 is STARTTLS.
The docs don't recommend one scheme over the other
I'm talking about what it defaults to when you click Amazon SES in the /admin/settings -> SMTP. Postmark already defaults to STARTTLS and port 587. SES should too (and probably some of the others). I can try to do a PR?
I was considering a PR for this https://github.com/knadh/listmonk/edit/master/frontend/src/views/settings/smtp.vue, but after looking into it more I found some conflicting information:
STARTTLS vs SSL vs TLS (2019) https://mailtrap.io/blog/starttls-ssl-tls/
Implicit SSL/TLS (forcing an encrypted connection rather than trying to upgrade it with STARTTLS)
In 2018, the Internet Engineering Task Force (IETF) recommended that using Implicit TLS via port 465 is the way to go.
Then they say this, which seems conflicting:
At Mailtrap, with our end-to-end email sending solution Email API, we support ports 587, 2525, and 25. But, as it’s the standard secure SMTP port, we advise users to go with 587.
STARTTLS is not a protocol but an email protocol command. It’s used to tell an email server that an email client (such as Gmail, Outlook, etc.) wants to upgrade an existing insecure connection to an encrypted one using SSL or TLS.
However, if a server doesn’t support encryption or is malicious, running this command can result in clients establishing an insecure connection, opening the door for the silent transmission of unencrypted, potentially sensitive personal data.
STARTTLS, except for SMTP, is also used with IMAP protocol, traditionally used for retrieving emails from an email server. POP3, another protocol for receiving emails, uses a similar command called STLS.
Note: As STARTTLS doesn’t guarantee a secure connection, users should be discouraged from using it or use other measures in conjunction with STARTTLS, such as using strong authentication methods, encrypting the email content with end-to-end encryption (e.g., using PGP or S/MIME), and verifying the digital signatures of email messages.
SendGrid accepts unencrypted and TLS connections on ports 25, 587, & 2525. You can also connect via SSL on port 465. We recommend using port 587 to avoid any rate limiting that your server host may apply. https://docs.sendgrid.com/for-developers/sending-email/getting-started-smtp
Twilio SendGrid supports TLS v1.2 and higher. Unencrypted and TLS connections are accepted on ports 25, 587, and 2525. Or, you can connect through SSL on port 465.
Their "enforced TLS" doesn't seem to reference 587 or STARTTLS https://docs.sendgrid.com/api-reference/settings-enforced-tls/update-enforced-tls-settings
https://www.mailgun.com/blog/email/which-smtp-port-understanding-ports-25-465-587/
Port 465: The TLS port. Use if your application or company require. Port 465 is a port that carries out message submission over Implicit TLS protocol.
Port 587: The default port. Use for your business or for secure connections. Port 587 is the default SMTP port, most businesses use this port.
The screenshot recommends 25 or 587 but says possible 465 at the bottom.
IANA initially assigned port 465 for an encrypted version of SMTP, called SMTPS. By the end of 1998, IANA had reassigned this port number to a new service. But still many services continue to offer the deprecated SMTPS interface on port 465. We are one of these services. https://www.mailjet.com/blog/email-best-practices/which-smtp-port-mailjet/#subchapter-3
This is the best way to use a more secure SMTP connection. Port 465 is the only one with which we are accepting SSL encryption.
The least clear with the most conflicting info.
https://support.google.com/mail/answer/7104828?hl=en&visit_id=638407822858081168-1337858465&rd=3
Outgoing Mail (SMTP) Server
smtp.gmail.com
Requires SSL: Yes
Requires TLS: Yes (if available)
Requires Authentication: Yes
Port for TLS/STARTTLS: 587
https://support.google.com/a/answer/176600?hl=en
For SSL, enter 465. For TLS, enter 587.
https://support.google.com/a/answer/100181?sjid=8324874897989786856-NC
Transport Layer Security (TLS) is a standard internet protocol that encrypts email for privacy and secure delivery. TLS prevents unauthorized access of email when it's in transit over internet connections. Google Workspace previously encrypted email with Secure Sockets Layer (SSL), but now uses TLS for encryption.
TLS and SSL are often both referred to as SSL. TLS is an updated, more secure version of SSL. Settings in your Google Admin console that mention SSL now use TLS.
https://developers.google.com/gmail/imap/imap-smtp
The outgoing SMTP server, smtp.gmail.com, supports TLS. If your client begins with plain text, before issuing the STARTTLS command, use port 465 (for SSL), or port 587 (for TLS).
Seems to agree that 465 TLS is more secure https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html
EDIT: found this https://netcorecloud.com/blog/25-465-587-2525-choose-the-right-smtp-port/ which says to not use 465, use 587.
https://www.cloudflare.com/learning/email-security/smtp-port-25-587/ says 587 should be used if possible.
SES seems to support both https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html. I tested it with STARTTLS and port 587 and it worked.
By default, my server host (Hetzner) blocks 465 but allows 587 https://docs.hetzner.com/cloud/servers/faq/#why-can-i-not-send-any-mails-from-my-server.
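The practical difference between the two port choices discussed in this thread, as an added example that is not part of listmonk: on 465/2465 TLS is implicit, while on 587 (or 25/2525) a client must refuse to continue when the server does not advertise STARTTLS, since that is exactly the silent cleartext fallback the Mailtrap quote warns about. The `connect_enforcing_tls` helper and the two EHLO replies are constructed for illustration.

```python
import smtplib
import ssl

# Ports from the SES, Mailgun and Google docs quoted in this thread.
IMPLICIT_TLS_PORTS = {465, 2465}   # TLS handshake first, then SMTP ("SMTPS")
STARTTLS_PORTS = {25, 587, 2525}   # cleartext SMTP, upgraded via STARTTLS

# Constructed EHLO replies as seen on the wire (not real server output).
EHLO_WITH_STARTTLS = (b"250-smtp.example.com\r\n250-SIZE 10485760\r\n"
                      b"250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n")
# The same reply after an on-path downgrade: the STARTTLS line is gone.
EHLO_STRIPPED = (b"250-smtp.example.com\r\n250-SIZE 10485760\r\n"
                 b"250 AUTH PLAIN LOGIN\r\n")


def parse_ehlo_extensions(ehlo_reply: bytes) -> set[str]:
    """Return the upper-cased ESMTP keywords from a raw multi-line EHLO reply."""
    lines = ehlo_reply.decode("ascii", "replace").splitlines()
    exts = set()
    for line in lines[1:]:  # line 0 is the server greeting, not an extension
        if len(line) < 5 or not line.startswith("250"):
            continue
        exts.add(line[4:].strip().split(" ", 1)[0].upper())  # drop "250-"/"250 "
    return exts


def select_tls_mode(port: int, extensions: set[str]) -> str:
    """Decide how TLS is obtained on this port; never fall back to cleartext."""
    if port in IMPLICIT_TLS_PORTS:
        return "implicit"
    if port in STARTTLS_PORTS:
        if "STARTTLS" not in extensions:
            raise RuntimeError("server did not offer STARTTLS; refusing cleartext")
        return "starttls"
    raise ValueError(f"unexpected SMTP submission port {port}")


def connect_enforcing_tls(host: str, port: int, timeout: float = 10.0) -> smtplib.SMTP:
    """Hypothetical helper: open an SMTP session that is TLS-protected either way."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    if port in IMPLICIT_TLS_PORTS:
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    client = smtplib.SMTP(host, port, timeout=timeout)
    client.ehlo()
    offered = {"STARTTLS"} if client.has_extn("starttls") else set()
    select_tls_mode(port, offered)  # raises instead of authenticating in the clear
    client.starttls(context=ctx)
    client.ehlo()  # features advertised after the upgrade are the trustworthy ones
    return client
```

Either port is safe with this policy; the default only matters for hosts such as Hetzner that block 465 outbound, where 587 is the one that connects.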