Should I listen for SMTP on both 25 and 587?

Nemo asked:

I was setting up haraka as our mailing server, and for outbound email, it suggests moving to port 587 for SMTPS auth support. However, I’m unsure if I should be

  1. running 2 instances of haraka on both ports,
  2. just listen on one (587), or
  3. listen on both but redirect 25 to 587.

Which of these should one follow?

My answer:

You need to have both ports configured, as they serve two different purposes.

Port 587 is the submission port; it is intended for email being sent by end users from their desktop applications (Outlook, Thunderbird, etc.) to others. End users will set port 587 as their SMTP server port in their email programs. Traffic on port 587 is required to be authenticated, and should be encrypted with TLS.

Port 25 is the historic SMTP port; it is used to relay mail between SMTP servers until it reaches its final destination server. Since this traffic may originate from anywhere on the Internet, it does not have to be authenticated or encrypted, but it may be.

(There is also a port 465, which is SMTP wrapped in SSL, but it is almost never used, since TLS became the common standard and works on both ports 25 and 587.)

The reason port 587 exists at all, of course, is spam. Compromised computers on residential ISP connections often run malware which sends out large quantities of spam directly to port 25 of the recipient domain’s mail servers. In response, since the submission port was standardized, many ISPs now block port 25 connections from end users to cut down on spam.
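The following is an added example, not part of the original answer and not Haraka's own code or configuration. It models the policy the answer describes as a small, self-contained Python function set: on the submission port (587) a client must start TLS before authenticating and must authenticate before it may send; on port 25 an unauthenticated peer is accepted only for mail addressed to this server's own domains, so the listener never becomes an open relay. The session model, the command script format and the `LOCAL_DOMAINS` set are assumptions made for this example; it also assumes credential verification happens elsewhere.

```python
"""Submission (587) versus relay (25) policy, as an illustrative model.

Added example: not Haraka code. Response codes follow common SMTP usage
but the session handling here is a constructed model, not a real server.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SUBMISSION_PORT = 587
SMTP_PORT = 25
# Constructed: domains this server is the final destination for.
LOCAL_DOMAINS = {"example.org"}


@dataclass
class Session:
    local_port: int
    tls: bool = False
    authenticated: bool = False
    mail_from: Optional[str] = None
    rcpts: List[str] = field(default_factory=list)


def check_auth(session: Session) -> str:
    """AUTH is only accepted over TLS, so credentials never cross the wire in clear."""
    if not session.tls:
        return "530 5.7.0 Must issue a STARTTLS command first"
    # Assumption: the credentials themselves are verified elsewhere.
    return "235 2.7.0 Authentication succeeded"


def check_mail_from(session: Session, sender: str) -> str:
    """On 587 nobody may start a transaction without authenticating first."""
    if session.local_port == SUBMISSION_PORT and not session.authenticated:
        return "530 5.7.0 Authentication required"
    session.mail_from = sender
    return "250 2.1.0 OK"


def check_rcpt_to(session: Session, rcpt: str) -> str:
    """Authenticated users may send anywhere; anonymous peers only to local domains."""
    domain = rcpt.rpartition("@")[2].lower()
    if session.authenticated or domain in LOCAL_DOMAINS:
        session.rcpts.append(rcpt)
        return "250 2.1.5 OK"
    # Unauthenticated mail for a foreign domain is the open-relay case.
    return "554 5.7.1 Relay access denied"


def run_script(local_port: int, commands) -> List[int]:
    """Drive one constructed session through the policy; return the reply codes.

    commands is a list of tuples such as ("STARTTLS",), ("AUTH",),
    ("MAIL", "alice@example.org"), ("RCPT", "bob@example.net").
    """
    session = Session(local_port=local_port)
    codes = []
    for verb, *args in commands:
        if verb == "STARTTLS":
            session.tls = True
            reply = "220 2.0.0 Ready to start TLS"
        elif verb == "AUTH":
            reply = check_auth(session)
            session.authenticated = reply.startswith("235")
        elif verb == "MAIL":
            reply = check_mail_from(session, args[0])
        elif verb == "RCPT":
            reply = check_rcpt_to(session, args[0])
        else:
            reply = "500 5.5.1 Command not recognized"
        codes.append(int(reply[:3]))
    return codes


# Constructed scenarios matching the answer's description of each port.
DESKTOP_CLIENT_587 = [("STARTTLS",), ("AUTH",),
                      ("MAIL", "alice@example.org"), ("RCPT", "bob@example.net")]
PLAINTEXT_AUTH_587 = [("AUTH",), ("MAIL", "alice@example.org")]
SPAMBOT_25 = [("MAIL", "bot@residential.invalid"), ("RCPT", "victim@example.net")]
REMOTE_MX_25 = [("MAIL", "sender@example.net"), ("RCPT", "alice@example.org")]

if __name__ == "__main__":
    print("587 client, TLS+AUTH:", run_script(SUBMISSION_PORT, DESKTOP_CLIENT_587))
    print("587 client, no TLS:  ", run_script(SUBMISSION_PORT, PLAINTEXT_AUTH_587))
    print("25 bot, foreign rcpt:", run_script(SMTP_PORT, SPAMBOT_25))
    print("25 MX, local rcpt:   ", run_script(SMTP_PORT, REMOTE_MX_25))
```

The useful check is the pair of port-25 scenarios: the same unauthenticated `MAIL`/`RCPT` sequence is accepted when the recipient is local and refused with 554 when it is not, which is exactly the line between "receiving mail for our domain" and "relaying spam for everyone else".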

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.