Docs: Drop mention of port 25 support for authenticated submission #3496
polarathene merged 4 commits into docker-mailserver:master from HeySora:faq-port-25
Not exactly the case. You can still use port 25 to submit mail without requiring authentication.
Perhaps we could better clarify that?
polarathene
left a comment
Here's some context if you want to further elaborate in the docs.
Otherwise, dropping the "Understanding the Ports" change, as it's not accurate. FAQ change is ok 👍
| # SMTP | ||
| smtp port: 25 or 587/465 with STARTTLS/SSL (recommended) | ||
| smtp port: 587 or 465 with STARTTLS/SSL (recommended) |
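Review bot: With `25` removed from the `smtp port:` line, the trailing "(recommended)" no longer has an alternative to contrast with, and "587 or 465 with STARTTLS/SSL" leaves the reader to work out which port pairs with which mode. Consider naming the mode next to each port and dropping or rewording "(recommended)".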
This is valid due to the suggestion of credentials to authenticate 👍
| 1. A connection _may_ be secured over TLS when both ends support `STARTTLS`. On ports 110, 143 and 587, DMS will reject a connection that cannot be secured. Port 25 is [required][ref-port25-mandatory] to support insecure connections. | ||
| 2. Receives email, DMS additionally filters for spam and viruses. For submitting email to the server to be sent to third-parties, you should prefer the _submission_ ports (465, 587) - which require authentication. Unless a relay host is configured (eg: SendGrid), outgoing email will leave the server via port 25 (_thus outbound traffic must not be blocked by your provider or firewall_). | ||
| 2. Receives email, DMS additionally filters for spam and viruses. For submitting email to the server to be sent to third-parties, you need to use the _submission_ ports (465, 587) - which require authentication. Unless a relay host is configured (eg: SendGrid), outgoing email will leave the server via port 25 (_thus outbound traffic must not be blocked by your provider or firewall_). |
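Review bot: "you need to use the _submission_ ports (465, 587)" in item 2 reads as an absolute, but the same item describes port 25 as the port that receives email and item 1 says port 25 must accept insecure connections, so the text never states what stops a sender from submitting on 25. Either keep "should prefer" or state the condition under which port 25 will not relay mail to third parties, so the sentence holds for every kind of sender and not only mail clients.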
While this one is not specific to authenticated submission.
You may have another container / server send mail to DMS on port 25 to relay externally elsewhere. Provided it's trusted via something like PERMIT_DOCKER, it will be able to send that mail.
Presently SPOOF_PROTECTION=1 doesn't affect port 25, so such a scenario could send as anyone on port 25 when trusted even with this ENV enabled. Our method used is only related to authenticated SASL users being prevented from sending as anyone but themselves though, whereas a different Postfix option would be better for port 25 that prevents sending as a known SASL user (without authenticating, which would be required over 465 or 587 instead).
I'd still advise using authentication to send mail out, vs trusting an IP address where any process from that source could use DMS as an open relay (from that trusted source at least).
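A simplified model of the behaviour described in the comment above, as an added example that is not part of this PR or of DMS's code: it walks a Postfix-style sender restriction list for an unauthenticated client in a trusted network and for SASL-authenticated clients. The restriction names are real Postfix `smtpd_sender_restrictions` keywords; the two restriction lists, the network range and the addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample data: assumptions for illustration, not DMS's real configuration.
MYNETWORKS = [ipaddress.ip_network("172.16.0.0/12")]   # trusted range (e.g. Docker networks)
SENDER_LOGIN_MAP = {"alice@example.test": "alice@example.test"}  # MAIL FROM -> owning login

def in_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in MYNETWORKS)

def login_mismatch(sender, sasl_user):
    """Simplified reject_sender_login_mismatch test (one owner per address)."""
    owner = SENDER_LOGIN_MAP.get(sender)
    if sasl_user is None:
        return owner is not None      # unauthenticated client using an owned address
    return owner != sasl_user         # authenticated client using an address it does not own

def evaluate(restrictions, client_ip, sender, sasl_user=None):
    """Walk a sender restriction list in order; the first decisive result wins."""
    for name in restrictions:
        if name == "permit_mynetworks" and in_mynetworks(client_ip):
            return "permit"
        if name == "permit_sasl_authenticated" and sasl_user is not None:
            return "permit"
        if name == "reject_authenticated_sender_login_mismatch":
            if sasl_user is not None and login_mismatch(sender, sasl_user):
                return "reject"
        if name == "reject_unauthenticated_sender_login_mismatch":
            if sasl_user is None and login_mismatch(sender, None):
                return "reject"
        if name == "reject":
            return "reject"
    return "dunno"  # nothing decided; Postfix would move on to its other restriction lists

# Hypothetical lists: a SASL-only spoof check vs. one that also covers unauthenticated clients.
SASL_ONLY = ["reject_authenticated_sender_login_mismatch",
             "permit_mynetworks", "permit_sasl_authenticated", "reject"]
BOTH = ["reject_authenticated_sender_login_mismatch",
        "reject_unauthenticated_sender_login_mismatch",
        "permit_mynetworks", "permit_sasl_authenticated", "reject"]

if __name__ == "__main__":
    cases = [("trusted container as alice, no auth", "172.18.0.5", "alice@example.test", None),
             ("trusted container as cron, no auth", "172.18.0.5", "cron@example.test", None),
             ("bob authenticated, sending as alice", "203.0.113.9", "alice@example.test", "bob@example.test"),
             ("alice authenticated, sending as alice", "203.0.113.9", "alice@example.test", "alice@example.test")]
    for label, ip, sender, user in cases:
        print(f"{label:40} SASL_ONLY={evaluate(SASL_ONLY, ip, sender, user):7}"
              f" BOTH={evaluate(BOTH, ip, sender, user)}")
```

Only the first case differs between the two lists: the trusted, unauthenticated client is permitted to send as a known SASL user under the SASL-only check and rejected once the unauthenticated check is evaluated before `permit_mynetworks`.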
Got it! Thank you for the clarification 😊
This change has been reverted.
This reverts commit e756e4e.
polarathene
left a comment
Thanks for catching this and updating our docs ❤️
Documentation preview for this PR is ready! 🎉 Built with commit: 038622e
Description
In the same spirit as #3464, this PR fixes a documentation issue (in the FAQ page, and in "Understanding the Ports"), about using port 25 for mail clients, which is unsupported since #3006.
Type of change