Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849)

Port 465 with "implicit" (i.e. always-on) TLS is a more secure approach than port 587 with explicit (i.e. optional and only on with STARTTLS). Although we reject credentials on port 587 without STARTTLS, by that point credentials have already been sent.
2026-03-30 21:07:23 +02:00 · 2021-05-09 10:11:40 -04:00
parent e283a12047
commit d510c8ae2a
11 changed files with 42 additions and 24 deletions
--- a/setup/ssl.sh
+++ b/setup/ssl.sh
@@ -10,7 +10,7 @@
 #
 #  * DNSSEC DANE TLSA records
 #  * IMAP
-#  * SMTP (opportunistic TLS for port 25 and submission on port 587)
+#  * SMTP (opportunistic TLS for port 25 and submission on ports 465/587)
 #  * HTTPS
 #
 # The certificate is created with its CN set to the PRIMARY_HOSTNAME. It is
@@ -19,7 +19,7 @@
 #
 # The Diffie-Hellman cipher bits are used for SMTP and HTTPS, when a
 # Diffie-Hellman cipher is selected during TLS negotiation. Diffie-Hellman
-# provides Perfect Forward Secrecy. 
+# provides Perfect Forward Secrecy.

 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars