Re: [Exim] TLS on a port other than 25

Author: James P. Roberts
Date:  
To: exim-users
Subject: Re: [Exim] TLS on a port other than 25
> >> At 05:58 PM 2/14/2003 -0800, Mark Edwards wrote:
> >>> I have just enabled TLS in Exim on a machine that listens on port
> >>> 26 in addition to port 25 (for the purposes of getting around
> >>> routing issues with a dialup ISP). TLS works great on port 25, but
> >>> an SSL connection on port 26 is unsuccessful and nothing is logged.
> >>
> >> May I suggest the MSA port 587 for this purpose? There's an RFC
> >> and all, and 587 is a "well known port" for submission of mail.
> >
> > Why not 465 smtps/ssmtp ?
>
> That isn't TLS - a bit different (ssl, alternate port as it is called).
> At least one mail client has an issue or two with this IIRC, last I
> checked.
>
>     srs


I ran into a similar problem. It has to do with the fact that in M$
Outlook Express (and probably other M$ mail clients), when you check the
box to use encrypted connections, it ONLY uses TLS on port 25, but
instead switches to using SMTPS if you use any other port. (Talk about
an undocumented "feature"... geeez).

To get around this, instead of firing up a second Exim, I use Stunnel on
port 465 to handle the decryption. Then I have Stunnel forward the
decrypted session to Exim. Unfortunately, this leads to a couple of
caveats... One, you can't require an encrypted connection in your Exim
ACL for these messages; but it's OK, because the session is actually
encrypted over the net via Stunnel. Second, because Stunnel port
forwarding "loses" the remote IP information (long story, not going to
change), Exim sees the connection as being from the local machine; so,
you must not permit relaying from the local machine (without
authentication), or you become an open relay on the alternate port.

I await the day that Exim can be asked to listen for different
encryption protocols on different ports. Perhaps it already can; I
simply haven't looked at changing my process, because it is currently
working. ("If it ain't broke...")

I also agree with those who recommend using the proper, already
established, ports (465 and/or 587) for this purpose.

Jim Roberts
Punster Productions, Inc.
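The arrangement Jim describes (Stunnel terminating SMTPS on 465 and forwarding plaintext to Exim on the loopback interface) and the relay caveat it brings can be written down concretely. The following is an added illustration, not Jim's configuration nor anything shipped by the Exim or Stunnel projects; the certificate path, the setuid user, the LAN range and the list names `local_domains`/`relay_to_domains` are assumed values for the sake of the example.

```conf
# --- /etc/stunnel/stunnel.conf (assumed path) ---
# Terminate SMTPS on 465 and hand the decrypted session to Exim on port 25.
cert    = /etc/stunnel/mail.pem          # assumed location of the server certificate and key
setuid  = stunnel                        # assumed unprivileged account for the forwarder
setgid  = stunnel

[smtps]
accept  = 465
connect = 127.0.0.1:25                   # Exim therefore sees every 465 client as 127.0.0.1

# --- Exim main configuration (only the relay-relevant lines) ---
# Deliberately leave 127.0.0.1 OUT of relay_from_hosts: with the forwarder in
# place, "localhost" now means "anyone who connected to port 465", and listing
# it would turn 465 into an open relay.
hostlist relay_from_hosts = 192.168.1.0/24   # constructed example LAN range

# --- Exim ACL section ---
acl_check_rcpt:
  accept  domains = +local_domains           # mail for our own domains
  accept  domains = +relay_to_domains        # domains we agreed to relay for
  accept  hosts   = +relay_from_hosts        # trusted LAN only; NOT 127.0.0.1
  # Clients arriving through Stunnel may relay, but only after SMTP AUTH.
  accept  authenticated = *
  deny    message = relay not permitted
```

Two points follow from this layout. Because Exim never negotiates TLS on these sessions, an authenticator guarded with a condition on `$tls_cipher` (as some example configurations do, to avoid offering PLAIN/LOGIN in the clear) would not be advertised to Stunnel clients even though the link is in fact encrypted; the condition needs to take the forwarder into account or be dropped for that listener. And the relay rule can be checked without a real client: `exim -bh 127.0.0.1` simulates an SMTP session from the loopback address, so an unauthenticated `RCPT TO` for a foreign domain should come back with the "relay not permitted" rejection before the host is exposed on 465.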