SMTP
STARTTLS
StartTLS allows an unencrypted connection to be upgraded to a TLS connection if both client and server support it
Typically it takes the following steps:
- Client starts with an EHLO, and then
- Server response advertises the STARTTLS capability, and then
- Client issues the STARTTLS command, then
- Both sides carry out a normal TLS handshake
- Once the TLS connection is successfully established, the client sends another EHLO command
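The upgrade sequence above, as an added example that is not part of the original mind map: a small Python client drives EHLO, STARTTLS and the second EHLO against a constructed stand-in server, refuses to continue in plaintext unless explicitly allowed (so a server or middlebox that hides STARTTLS cannot silently downgrade it), and discards everything learned from the pre-TLS EHLO. The hostnames and the scripted replies are assumptions.

```python
class StarttlsNotOffered(Exception):
    """Raised when the client requires TLS but the server did not offer or accept STARTTLS."""


def parse_ehlo(reply: str) -> set:
    """Turn a multi-line 250 EHLO reply into the set of advertised extension keywords."""
    lines = [line for line in reply.split("\r\n") if line]
    if not lines or not all(line.startswith("250") for line in lines):
        raise ValueError("EHLO rejected: " + reply)
    # first line is the greeting; the rest are "250-KEYWORD [params]" or "250 KEYWORD [params]"
    return {line[4:].split()[0].upper() for line in lines[1:] if len(line) > 4}


class ScriptedServer:
    """Constructed stand-in for an SMTP server (not a real one): answers EHLO differently
    before and after TLS, like a server that only advertises AUTH on an encrypted channel."""

    def __init__(self, offers_starttls: bool):
        self.tls = False
        self.offers_starttls = offers_starttls

    def send(self, command: str) -> str:
        if command == "EHLO client.example.test":  # assumed client hostname
            reply = ["250-mail.example.test Hello", "250-SIZE 35882577"]
            if self.offers_starttls and not self.tls:
                reply.append("250-STARTTLS")
            reply.append("250 AUTH PLAIN LOGIN" if self.tls else "250 8BITMIME")
            return "\r\n".join(reply) + "\r\n"
        if command == "STARTTLS":
            if not self.offers_starttls:
                return "454 TLS not available\r\n"
            self.tls = True  # stands in for the TLS handshake both sides now perform
            return "220 Ready to start TLS\r\n"
        raise ValueError("unexpected command " + command)


def upgrade_session(server, require_tls: bool = True) -> set:
    """Drive EHLO -> STARTTLS -> handshake -> EHLO and return the extensions usable afterwards."""
    ehlo = "EHLO client.example.test"
    before = parse_ehlo(server.send(ehlo))
    if "STARTTLS" not in before:
        if require_tls:
            raise StarttlsNotOffered("STARTTLS not advertised; refusing to continue in plaintext")
        return before  # opportunistic mode: caller accepted the plaintext risk
    if not server.send("STARTTLS").startswith("220"):
        raise StarttlsNotOffered("server refused STARTTLS")
    # After the handshake the client must re-issue EHLO and trust only what it learns now
    return parse_ehlo(server.send(ehlo))
```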
It's hard (if not impossible) to test StartTLS with telnet; instead you can try:
openssl s_client -starttls smtp -crlf -connect 10.32.32.176:25 -debug
Don't confuse encryption with authentication:
- Encryption is outside of the SMTP protocol: be it SMTPS or STARTTLS, in the end it's plain-text SMTP traffic encrypted with another layer, a TLS connection
- Authentication is one of the ESMTP (SMTP service extension) commands: AUTH PLAIN, AUTH LOGIN or AUTH CRAM-HASH
Ports
Port 25
As per RFC6409, SMTP is not often authenticated during message RELAY in order to permit unconstrained communications (in contrast to port 587 for MSA, where authentication is mandatory)
Probably because of this unauthenticated nature, port 25 tends to be abused to send spam, particularly from residential hosts, which are more likely to be infected by viruses and malware. As a result, many ISPs firewall port 25 by default (unless you pay more and get fixed IPs)
Port 465
Was approved by IANA as a port for SMTPS, and then quickly deprecated in favor of STARTTLS
SMTPS requires the client and server to establish an SSL/TLS connection first and then start SMTP communications
Even though it's no longer backed by any RFC, many email providers still support port 465 and SMTPS today, including big players like Gmail
Port 587
RFC XXXX proposed splitting mail submission and mail transfer in order to apply specific rules (security and policies) to each type of traffic. As a result, port 587 is primarily for mail submission (MSA), and port 25 remains for transferring/relaying mail between mail servers (MTA) as before
Use Gmail to Relay
There are two ways to ensure only valid clients can relay email:
- Specify a range of IP addresses on Google Suite
- Enable authentication (the client must authenticate with a Google Suite user account)
- You can choose to enable TLS encryption.
- Note that if you enable authentication, then you must enable TLS encryption
- You must use port 587 if TLS encryption is enabled; otherwise you can use port 25, 465 or 587