LetsEncrypt + DANE

It seems I’ve pretty much got everything running. Have a possible SELinux problem but must wait for January to find out. My script works with --dry-run.

But I can’t receive SMTP email. Anyone who sends to me gets a “Connection timed out” to port 25. No wonder, I only have port 587 open.

Am I supposed to plumb 25 to 587 in the router? Would LE cert encryption be understood? Why don’t outside SMTP servers bother to try 587?

Port 587 is the submission port. It’s only for users with mailboxes on the server to send mail with. Port 25 is the port mail servers use to exchange mail. Mail servers don’t retry on port 587 because they are not supposed to.

By default, most mail server software restricts port 587 to authenticated outgoing submission as well so you may not even be able to forward port 25 to port 587 without changing your mail server configuration.

Your certificate will be recognized as valid for any port listening on the domain. Mail servers that enforce DANE will look up the TLSA record for TCP port 25 at the hostname(s) listed in your MX record.
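As an added illustration of what the reply above describes (this is example code, not something posted in the thread): a DANE-enforcing sender builds the owner name from the MX hostname and TCP port 25, queries TLSA there, and compares the record's association data against what the server presents. The functions below build that owner name, compute the `3 1 1` RDATA (DANE-EE, SubjectPublicKeyInfo, SHA-256) that is normally published with a Let's Encrypt certificate, and check a leaf against a TLSA RRset. The hostname `mail.example.com` and the DER byte strings are constructed placeholders; in practice the SPKI comes from the real certificate, e.g. `openssl x509 -in fullchain.pem -noout -pubkey | openssl pkey -pubin -outform DER`.

```python
import hashlib
from typing import Iterable, Tuple

# A TLSA record as (usage, selector, matching_type, association_data_bytes).
TlsaRecord = Tuple[int, int, int, bytes]

# Constructed sample input (example only): stands in for the DER-encoded
# SubjectPublicKeyInfo and the full DER certificate of the MX host's leaf.
SAMPLE_SPKI_DER = b"constructed-spki-der-for-example-only"
SAMPLE_CERT_DER = b"constructed-cert-der-wrapping-" + SAMPLE_SPKI_DER


def dane_owner_name(mx_host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name a DANE-enforcing sender queries: _<port>._<proto>.<MX host>.

    The lookup targets the hostname in the MX record, not the mail domain,
    and relays deliver on port 25, so `_25._tcp.` is the prefix that matters;
    a record published under `_587._tcp.` is never consulted by other MTAs.
    """
    host = mx_host.rstrip(".").lower()
    return f"_{port}._{proto}.{host}."


def tlsa_association_data(selector: int, matching_type: int,
                          cert_der: bytes, spki_der: bytes) -> bytes:
    """Certificate association data for a selector / matching type (RFC 6698).

    selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
    """
    if selector == 0:
        blob = cert_der
    elif selector == 1:
        blob = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == 0:
        return blob
    if matching_type == 1:
        return hashlib.sha256(blob).digest()
    if matching_type == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_rdata_text(usage: int, selector: int, matching_type: int,
                    cert_der: bytes, spki_der: bytes) -> str:
    """Presentation form of the RDATA, e.g. '3 1 1 <hex>'.

    `3 1 1` (DANE-EE, SPKI, SHA-256) is the usual choice with Let's Encrypt:
    if the key pair is reused across renewals the record never has to change.
    """
    data = tlsa_association_data(selector, matching_type, cert_der, spki_der)
    return f"{usage} {selector} {matching_type} {data.hex()}"


def dane_ee_matches(records: Iterable[TlsaRecord],
                    cert_der: bytes, spki_der: bytes) -> bool:
    """True if any usage-3 (DANE-EE) record matches the presented leaf.

    Usages 0 and 1 are not used for SMTP (RFC 7672) and usage 2 (DANE-TA)
    needs a chain check, so both are deliberately skipped here.
    """
    for usage, selector, mtype, data in records:
        if usage != 3:
            continue
        try:
            expected = tlsa_association_data(selector, mtype, cert_der, spki_der)
        except ValueError:
            continue  # unrecognised parameters: record is unusable, skip it
        if expected == data:
            return True
    return False


if __name__ == "__main__":
    # The zone line to publish for the (assumed) MX host on port 25.
    name = dane_owner_name("mail.example.com")
    rdata = tlsa_rdata_text(3, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print(f"{name} IN TLSA {rdata}")
```

Running it prints a single zone-file line of the form `_25._tcp.mail.example.com. IN TLSA 3 1 1 <64 hex digits>`; swap the constructed bytes for the real SPKI and the real MX hostname, and the same function yields the record to publish.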

Wow, I misinterpreted SMTPS entirely. I knew that port 465 is obsolete, but I thought submission on 587 is the new way.

And setting 587 in the DNS zone TLSA record instead of 25 was a real gotcha too. Fixed now, thanks again.

But yesterday when Frontier found I’m using port 25, they began sinkholing it – # traceroute -n -T -p 25 mail.protonmail.ch
(pfff)

I don’t understand why this doesn’t interfere with a normal email client using port 25, as opposed to Postfix?

So now I have to compare switching to Frontier Business Internet (where they have a 1 year “aggreement”, you know, like ‘aggravation’, lol); with a hosted cloud instance maybe with Vexxhost. I’ve tried Internap but they are dishonest about billing.

IIRC port 587 predates port 465. Port 465 is/was used for explicit SMTP over TLS, and is also for submission only. The reason we stopped using it is that end users had to opt-in to security (there are no 301s or HSTS for SMTP). Unsurprisingly, most end users never clicked the Secure checkbox to change the port.

So we have STARTTLS now instead, which allows mail software to upgrade the unencrypted connection so users don't have to tell the difference.

Many consumer ISPs block port 25 completely, inbound and outbound (this is why port 587 exists).

If they're not completely blocking it, they're probably doing some kind of deep packet inspection to block unauthenticated and/or unencrypted activity on port 25.
