Just to pass on my observations in here. YMMV.
I would not have port 25 open inbound for client communication.
Port 25, IMHO should only be used server to server communication. I
crossed that bridge a long time ago when ISP started blocking port
25 and moved client inbound traffic to port 587.
I have also opened up all necessary SSL enabled ports and allow SSL
and non-SSL traffic. I am not 100% certain I can remove non-SSL
traffic with my customer base.
My customer base is mostly small businesses. You will find a myriad
of weird one off applications out there yet that want to send email,
but don't understand SSL yet. Unless you want to go through the
pain of installing an SMTP relay service at each of these clients,
you may find yourself stuck supporting non-SSL for quite a while.
A classic is an old application called Atrix. It can send email via
MAPI or direct. The problem with MAPI is that Outlook will want to
encapsulate the outgoing quote(in PDF format) and non-Outlook
clients will see a winmail.dat attachment. And that's not going to
work very well...
LCR Computer Services, Inc.
On 11/14/14 21:56, Michael Prichard
In light of the information described from the link
below, I was wondering what might be the best strategies to
insure that our users aren’t having their e-mail connections
unwittingly reduced to the non-SSL variety, despite their mail
We currently have our servers configured with SSL
enabled on the appropriate ports for all mail services (IMAP,
SMTP, Surgeweb), but we’ve also left the default parts, namely
25, 110, 143, open for clients that seem to use these to
initiate and then escalate to StartTLS (pardon the errors in my
characterization), if I’m understanding that process correctly.
I’d like to lock down our servers to restrict all communications
to SSL protected ones. A quick scan of the status pages shows
that all users are currently already connecting via SSL.
Is the only way to do this to simply shut down the
default non-SSL ports? Is there another flag that could be set
to allow initial contact for the sake of launching StartTLS but
then rejecting further communications if SSL is not
If disabling the non-SSL ports is the best method,
I’m assuming that I simply insert “disabled” in place of the
port numbers. If doing so for the POP 110 ports, does this
affect Surgemail mirroring? I have my g_mirror_nossl unchecked
since my servers are connected via the open internet, but I
don’t know if it uses the same port for SSL connections or uses
Thanks for any advice.