• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Block 25 Port allow 587 port instead on Plesk

sansar27

New Pleskian
Server operating system version
ubuntu 20.04
Plesk version and microupdate number
Plesk Obsidian Web Admin Edition 18.0.58 Update Nr. 2
Hello guys,
I want the SMTP server to use the 587 port instead 25. So for security reason we want to use secure connection for outgoing emails.

I already read this topic, as well.

On my main.cf file there is no such as configuration entry which is mentioned on post.

1709051833453.png

Is there any body who can help me ?
Best regards,
Thanks in advance!
Hasan
 
If you block port 25 your server will not be able to send mails to or receive mails from other servers on the Internet.
 
Hello Peter, you are right. It sends email from our exchange server by using smtp 25 port. So we do not want to block it. We want to make it just secure port.
In this case our server is open for the threats. How can we solve this problem instead of blocking 25 port?
 
Why should your server be open for threats when Postfix is listening on port 25? Or to be more precise, why would any other port be inherently more "secure"?

If you want to achieve that emails received and sent are (transport) encrypted whenever possible, just make sure your Postfix configuration has smtp_tls_security_level and smtpd_tls_security_level set to "may", a proper SSL certificate is configured and your server also still supports TLS 1.0 and 1.1.
Well, on can debate on disabling TLS 1.0/1.1 for a potentially more secure transport encryption, but in my opinion this is kinda moot as long as a server still supports non encrypted connections as well.
 
Why should your server be open for threats when Postfix is listening on port 25? Or to be more precise, why would any other port be inherently more "secure"?

If you want to achieve that emails received and sent are (transport) encrypted whenever possible, just make sure your Postfix configuration has smtp_tls_security_level and smtpd_tls_security_level set to "may", a proper SSL certificate is configured and your server also still supports TLS 1.0 and 1.1.
Well, on can debate on disabling TLS 1.0/1.1 for a potentially more secure transport encryption, but in my opinion this is kinda moot as long as a server still supports non encrypted connections as well.

25 port is used by SMTP server for clear text emailing as far as I know(It uses this port for listening and sen. Please correct me if I am wrong. I want just the postfix to use encrypted communication way. And I also tried to establish telnet connection on this port. It accepts this command but no result on server. Maybe I am doing something wrong. I tried to run this command and says Ok but no result.

HELO smptp.plesk.com

MAIL FROM: [email protected]

RCPT TO: root+:"; touch test.txt ;"

For your other opinion I fully agree with you. I just did not understand smtp_tls_security_level and smtpd_tls_security_level set to "may". Because why cannot I set "secure" or "encrypt" or any another higher parameter instead? Does such an option make sense just to avoid disrupting the operations of the SMTP?
Thank you
 
25 port is used by SMTP server for clear text emailing as far as I know (It uses this port for listening and send)
Port 25 is used to receive emails, but postfix/qmail do support StartTLS encryption on this port since 20 years ago or so.
Yes, the encryption is optional (smtpd_tls_security_level=may), so your server may still receive some emails via plain text.

For sending, your postfix will use a random local port between 1024-65525 for every connection, but of course connects to port 25 on the target mail server.
With smtp_tls_security_level=may it will try to use StartTLS to encrypt the connection, but still sends the emails in plain text, if the target mail server does not support SSL/TLS
If you set smtp_tls_security_level to "encrypt" or "secure", then your server will refuse to deliver any emails, if the target mail server does not support SSL/TLS or does not have a valid SSL certificate. And at least according to our own observation, there are still quite a lot of mail servers out there, where this is the case.
So your customers may then start to complain, that they can no longer send emails to certain recipients, if you set this parameter to encrypt or secure,


For your other opinion I fully agree with you. I just did not understand smtp_tls_security_level and smtpd_tls_security_level set to "may". Because why cannot I set "secure" or "encrypt" or any another higher parameter instead? Does such an option make sense just to avoid disrupting the operations of the SMTP?
As already teasered above, with anything except "none", "may" or "dane" your server will no longer be able to receive or send ALL emails, because there are still some mail servers out there, not supporting SSL/TLS at all.
This may or may not be a problem, depending on where your customers send emails to or receive emails from
 
Back
Top