[Ach] BetterCrypto guide - POSTFIX configuration mistake / missing parameter

Gunnar Haslinger gh.bettercrypto at hitco.at
Fri Oct 14 13:49:34 CEST 2016

Full quote of Guillaume's mail: see below (the mail was sent directly and
didn't go to the list).

My opinion about this: Yes, you have to use dedicated submission ports,
that's how it is defined to work. Misusing port 25 is a widely seen
configuration, but that's not how it was designed in the RFCs. You say
popular IT networks don't allow outgoing connections to the dedicated
submission ports but allow outgoing connections to port 25? That's
weird. My personal experience when traveling and using
Public/Hotel/Airport/University/Company WLANs is that port 25 is blocked
almost everywhere (to prevent outgoing spam from these LANs) but using
submission ports usually works fine.

If you really have this problem, feel free to configure your personal
client to use port 25 or host an additional submission port on 443 to go
through these firewalls.

On 2016-10-14 13:34, Guillaume REMBERT wrote:

> OK. I got it! This is driven by the master.cf config with -o
> smtpd_tls_security_level=encrypt.
> Thanks a lot for your feedback and for correcting me.
> One last question/remark to fully understand this topic and config.
> TLS is under the application layer SMTP. In my original setup,
> port 25 is used for both reception of mail (MTA) and submission (MSA).
> How can the differentiation between a reception connection and a
> submission connection be done? It is not possible as TLS is done before any
> application exchange. So I also need to open a dedicated port reserved
> for submission as recommended in the doc - TCP/587?
> One problem that I see there is that most IT networks don't allow
> output traffic to port 587, thus it is not possible to directly send
> mail in most foreign corporate networks - example hereafter of an
> access provided by a big European organisation:
> -     HTTP    TCP / 80
> -     HTTPS   TCP / 443
> -     SMTP*   TCP / 25
> -     POP3    TCP / 110
> -     POP3s   TCP / 995
> -     IMAP    TCP / 143
> -     IMAPs   TCP / 993
> -     IPSEC   UDP / 500
> -     IPSEC   UDP / 4500
> -     OpenVPN UDP / 1194
> In that case I would have to establish a VPN in order to send my mail.
> What would be your position related to this strong limitation?
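
Added example, not part of either mail and not taken from the BetterCrypto guide: a Postfix master.cf sketch of the split discussed above, with port 25 kept for MTA reception under opportunistic TLS, 587 as the authenticated submission service with mandatory TLS, and the optional extra submission listener on 443. Apart from `smtpd_tls_security_level=encrypt`, the option values and syslog names are assumptions, and certificates plus the SASL backend are presumed to be set up in main.cf.

```conf
# /etc/postfix/master.cf (fragment, illustrative)
# service    type  private unpriv chroot wakeup maxproc command + args

# Port 25: MTA-to-MTA reception. TLS stays opportunistic ("may"), because
# a public MX must still accept mail from servers that cannot do STARTTLS.
# No client authentication is offered here; relaying is decided in main.cf.
smtp         inet  n       -      n      -      -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=no

# Port 587: submission (MSA) for the site's own users. STARTTLS is
# mandatory, AUTH is only offered after TLS, and anything that has not
# authenticated is rejected instead of being treated like inbound mail.
submission   inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# Port 443: optional second submission listener with the same policy, for
# clients on networks that only pass a short list of ports. The address
# this binds to must not already be serving HTTPS.
443          inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission-443
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, `postconf -M` lists the active services and `postconf -P` lists the per-service `-o` overrides, which makes it easy to confirm that only the submission listeners enforce `encrypt`.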