
tl;dr: 465 is obsolete, you should not use it; 25 is for relaying mail between servers; 587 is the default mail submission port today.



No, it is not obsolete, quite contrary actually. See RFC8314.

The implicit TLS submission port got deprecated for a brief time, but it's no longer deprecated.

Explicit TLS is a terrible idea and for that reason it's recommended to provide implicit TLS (submissions).


Hey! Thanks for the clarification, looks like an exception was made specifically for smtp. And after reading their reasoning, it does make sense.

Server operators should (and do) provide both 465 and 587 in order to maximize the amount of secure connections to their servers.



As the other commenter pointed out, you are right, it once was, but that is no longer the case.


Isn't 465 safer since 587 uses STARTTLS and STARTTLS can be downgraded?


> since 587 uses STARTTLS and STARTTLS

Technically yes, but for the last decade I've seen only one instance where 587 was explicitly STARTTLS (Fastmail), everyone else just running TLS on it.


How can I check if a connection is TLS or STARTTLS?


Connect to the smtp server and issue `EHLO something` command, then check if STARTTLS is mentioned in the server response.


Thanks!


Minor nitpicks:

a) you need a plain-text (aka telnet) client for this

b) if you receive valid, human-readable text then it means that you are not on TLS for sure

c) if b) succeeds that doesn't mean that the SMTP server supports STARTTLS; you should check the options and try to initiate it, e.g.:

        220 smtp.fastmail.com ESMTP ready
    ->  EHLO just.testing.things
        250-smtp.fastmail.com
        250-PIPELINING
        250-SIZE 71000000
        250-ENHANCEDSTATUSCODES
        250-8BITMIME
    !!  250 STARTTLS
    ->  STARTTLS
        220 2.0.0 Start TLS


Right, I guess you could also use openssl's s_client like this:

  openssl s_client -starttls smtp -connect smtp.gmail.com:587
  openssl s_client -connect smtp.gmail.com:465
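The manual telnet/EHLO check and the two openssl commands above, folded into one script, as an added example (not code from the thread or from any provider named in it). It does three things: parses an EHLO reply for the STARTTLS extension, classifies what a plaintext client reads right after connecting (a readable 220 banner means no TLS yet; an implicit-TLS server on 465 sends nothing until it sees a ClientHello), and shows a client that fails closed when STARTTLS is not advertised, which is the answer to the downgrade worry raised earlier in the thread. The hostnames and the sample EHLO replies are constructed; only the parsing and classification run offline, the live probe runs when you call it yourself.

```python
"""Tell implicit TLS (465) from STARTTLS-capable (587) SMTP endpoints.

Added example, not code from the thread. Hostnames and the EHLO replies below
are constructed for illustration.
"""
import socket
import ssl
import smtplib


def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line EHLO reply into {EXTENSION: parameters}.

    Per RFC 5321, every line but the last is '250-...', the last is '250 ...'.
    The first line is the server's greeting, not an extension keyword.
    """
    lines = reply.strip().splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply: %r" % reply[:40])
    extensions = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected line in EHLO reply: %r" % line)
        keyword, _, params = line[4:].strip().partition(" ")  # drop '250-'/'250 '
        if keyword:
            extensions[keyword.upper()] = params
    return extensions


def advertises_starttls(reply: str) -> bool:
    """True if the EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(reply)


def classify_greeting(data: bytes) -> str:
    """Classify what a *plaintext* client reads right after connecting.

    A readable '220 ...' line means the session is not encrypted (yet). An
    implicit-TLS server sends nothing until the client's ClientHello arrives,
    so the plaintext client sees an empty read or a timeout instead.
    """
    text = data.decode("ascii", errors="replace")
    return "plaintext-greeting" if text.startswith("220") else "no-plaintext-greeting"


def _read_reply(sock: socket.socket) -> bytes:
    """Read one SMTP reply, stopping at the final line ('250 ' rather than '250-')."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
        if not buf.endswith(b"\r\n"):
            continue
        last = buf.rstrip(b"\r\n").split(b"\r\n")[-1]
        if len(last) >= 4 and last[3:4] == b" ":
            return buf


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Live network check: 'implicit-tls', 'starttls', 'plaintext' or 'unknown'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            greeting = _read_reply(sock)
        except socket.timeout:
            greeting = b""
        if classify_greeting(greeting) == "no-plaintext-greeting":
            # No readable banner: confirm on a fresh connection that a TLS
            # handshake yields a 220, so a dead port is not mistaken for 465-style TLS.
            ctx = ssl.create_default_context()
            with socket.create_connection((host, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "implicit-tls" if _read_reply(tls).startswith(b"220") else "unknown"
        sock.sendall(b"EHLO probe.example.test\r\n")  # constructed client name
        ehlo = _read_reply(sock).decode("ascii", errors="replace")
        sock.sendall(b"QUIT\r\n")
        return "starttls" if advertises_starttls(ehlo) else "plaintext"


def connect_with_mandatory_starttls(host: str, port: int = 587, timeout: float = 10.0):
    """Open a submission session that aborts if STARTTLS is missing.

    An attacker who strips STARTTLS from the EHLO reply makes this client stop
    rather than continue in plaintext. smtplib.SMTP_SSL(host, 465) gives the same
    guarantee for implicit TLS without the extra round trip.
    """
    client = smtplib.SMTP(host, port, timeout=timeout)
    client.ehlo("probe.example.test")
    if not client.has_extn("starttls"):
        client.quit()
        raise RuntimeError("server did not advertise STARTTLS; refusing plaintext session")
    client.starttls(context=ssl.create_default_context())
    client.ehlo("probe.example.test")  # re-EHLO after TLS, as RFC 3207 requires
    return client


# Constructed EHLO replies for offline checks; modelled on the transcript above.
SAMPLE_STARTTLS_EHLO = (
    "250-smtp.example.test\r\n250-PIPELINING\r\n250-SIZE 71000000\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 STARTTLS\r\n"
)
SAMPLE_PLAINTEXT_EHLO = "250-smtp.example.test\r\n250-PIPELINING\r\n250 8BITMIME\r\n"
```

Run `probe("your.mailhost.example", 587)` and `probe("your.mailhost.example", 465)` against your own server to see which model each port follows; the submission client in `connect_with_mandatory_starttls` is the shape you want in anything that actually sends mail over 587.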


smtp.gmail.com:587 is still STARTTLS.


STARTTLS is a protocol. Allowing unencrypted connections is a policy. One does not imply the other.



