• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Question About ports 465 and 587

emilitingo

New Pleskian
About this image:
subm.png
If I open port 587, will port 465 stop working? Or will both ports be available and can I use either port as needed?

If I change to port 587, will I have to reconfigure my email managers later?

About this picture:
aaa.png

It will automatically change this setting and I won't have to do anything? or should I make the changes manually later in plesk?

I am using Plesk Obsidian Web Host Edition

Thanks for the support
 
If I open port 587, will port 465 stop working? Or will both ports be available and can I use either port as needed?
Before enabling 587 port:
Code:
root@friendly-banzai:~# lsof -i tcp:465
COMMAND     PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
master  3516935 root  114u  IPv4 67160597      0t0  TCP *:submissions (LISTEN)
master  3516935 root  115u  IPv6 67160598      0t0  TCP *:submissions (LISTEN)

root@friendly-banzai:~# lsof -i tcp:587
root@friendly-banzai:~#

After enabling 587 port:
Code:
root@friendly-banzai:~# lsof -i tcp:465
COMMAND     PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
master  3632049 root  114u  IPv4 69460309      0t0  TCP *:submissions (LISTEN)
master  3632049 root  115u  IPv6 69460310      0t0  TCP *:submissions (LISTEN)

root@friendly-banzai:~# lsof -i tcp:587
COMMAND     PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
master  3632049 root  129u  IPv4 69468761      0t0  TCP *:submission (LISTEN)
master  3632049 root  130u  IPv6 69468762      0t0  TCP *:submission (LISTEN)

So, port 587 will be added additionally to 465 port.
It will automatically change this setting and I won't have to do anything?
I checked and found that nothing changed in this tip.
In conclusion - nothing should be additionally configured, just port 587 will be added additionally.
 
Any info on how to change the "tip" in the UI? We want our users to use 587 by default...
 
Any info on how to change the "tip" in the UI? We want our users to use 587 by default...

Add the configuration to panel.ini file. This only changes the port shown in the UI, not any server configuration.
Code:
[mail]
clientConfig.smtpPortEncrypted = 587
 
Not really....
Plesk/Postfix enforces TLS/StartTLS for connections on port 587 as well

Port 587 is the port to use nowadays.
465 is a legacy construct that may get obsolete and vanish in the future
 
But at least with 465 you know it can't connect unencrypted, whereas with 587 you have to rely on the server to enforce (and the client demand) STARTTLS before anything else, which makes a MITM attack possible.
 
For some reason, there is an issue with communication to our port 465. It takes roughly 30 seconds (after socket connection is established) before the server throws the welcome message to the client. This is problematic for some mail clients. We yet have to find the cause. Communication on 587 works straight away.
 
@Kaspar@Plesk when the submission port (587) is enabled, that should become the default in all guides, not 465. We shouldn't have to use a panel.ini override to do that.

In other words, keep it at 465 if submission port is not enabled, and force it to 587 when submission port is enabled.
 
For some reason, there is an issue with communication to our port 465. It takes roughly 30 seconds (after socket connection is established) before the server throws the welcome message to the client. This is problematic for some mail clients. We yet have to find the cause. Communication on 587 works straight away.
I'm not certain if that's exactly our issue, but we do have clients reporting issues with some mail apps on 465 that work fine with 587, so that probably is the issue. Another reason why, when 587 is enabled in Plesk, it should be the default in all guides.
 
But at least with 465 you know it can't connect unencrypted, whereas with 587 you have to rely on the server to enforce (and the client demand) STARTTLS before anything else, which makes a MITM attack possible.

Explain. We're talking in the context of Plesk servers. By default Plesk servers require STARTTLS on 587. So in the context of Plesk servers, how is that relevant?
 
@Kaspar@Plesk when the submission port (587) is enabled, that should become the default in all guides, not 465. We shouldn't have to use a panel.ini override to do that.

In other words, keep it at 465 if submission port is not enabled, and force it to 587 when submission port is enabled.

There is an existing UesrVoice request for this suggestion. Please consider voting for it. The more popular a request becomes the higher the chances for consideration are.
 
There is an existing UesrVoice request for this suggestion. Please consider voting for it. The more popular a request becomes the higher the chances for consideration are.

Thank you for pointing out the UserVoice request, but honestly, it’s frustrating that something as straightforward and logical as adjusting the default port to 587 when it's enabled requires a popularity contest.

This isn’t a groundbreaking feature request; it’s about aligning with modern standards and improving usability. It seems like such a small change compared to the countless hours spent on redesigning the UI or other visual adjustments.

Why does something this obvious need to rely on UserVoice votes to be implemented? Shouldn't aligning with current email standards and reducing confusion for users be a priority by default?

Unfortunately, it’s precisely this kind of behavior from Plesk that makes end users feel increasingly alienated. Many feel like their concerns are not being taken seriously, especially when simple improvements are pushed aside. This becomes even more frustrating when we’re asked to pay 40–50% more for licenses year after year.
 
it’s frustrating that something as straightforward and logical as adjusting the default port to 587 when it's enabled requires a popularity contest.
This is a good point. Very few people are going to notice this kind of minor, yet surprisingly important adjustment for user experience. That means that, compared to other requests, it's likely going to get buried underneath the pile of 'fancy new stuff', making the whole point of having it in UserVoice kinda useless.

I've seen this kind of thing across many different UserVoice systems from many different companies. UserVoice (or at least WebPros implementation of UserVoice) should really segregate requests into two piles:

1. The kind of requests that are about editing existing functionality (really they're bugs because the software isn't working the way a reasonable user would expect it to work) and have nothing to do with major new features (like this one), and
2. Actual new features
 
Thank you for your update, @Maarten. I understand your point. However, even with port 587 enabled, some user might prefer to connect over port 465 under specific circumstances. Considering that the setting could be tweaked through panel.ini, I would personally prefer to see how much demand there is for altering the guides before applying the final change. Anyhow, I will bring that idea to our team's attention for further consideration.

@webservers Thank you for your feedback as well.
 
Explain. We're talking in the context of Plesk servers. By default Plesk servers require STARTTLS on 587. So in the context of Plesk servers, how is that relevant?
This is in the context of MitM attack. Why would a MitM require STARTTLS?
 
This is in the context of MitM attack. Why would a MitM require STARTTLS?
I didn't say a MitM attack would require STARTTLS. I'm saying a MitM attack only works if there's no security on the connection at all and since Plesk requires STARTTLS on 587, the certificate validation would fail once STARTTLS was attempted to be negotiated (which occurs prior to authentication) unless either:

1. The user intentionally ignores the warning from the mail app, or
2. There's a malicious or hacked certifying authority that granted an SSL certificate to the MitM attacker that matches the hostname of the server (or the mail domain).

But these exceptions are identical for SSL/TLS over 465.

This means 587 with required STARTTLS before auth should be equally as secure as 465 with SSL/TLS.
 
Back
Top