Is port 25 used between mail servers secured with SSL/TLS?

Solution 1:

Months later, I read more materials and some RFCs, and I don't agree with some of @Overmind's answer.

Opportunistic TLS and STARTTLS, I think, refer to one thing. That is, if the server supports a TLS connection, then a client would prefer to connect with TLS; if not, the client is OK with a plain-text connection.

Port 25 as used by MTAs may or may not support TLS. It completely depends on the mail server. (If a server supports TLS, you can see the STARTTLS option after telnet and EHLO.)

  • If a server MTA a supports TLS, and a client MTA b asks for a TLS connection, then a TLS connection will be established.

  • If a server MTA a doesn't support TLS, a client MTA b can be configured to continue talking in plain text or to abort delivery. (For example, the MTA software Postfix seems to support this kind of setting, and it can be set to require a TLS connection only for some user-specified domains.)

The introduction of port 587 was originally aimed at replacing port 25 for MUA (end-user mail client, e.g. Thunderbird) to MTA mail submission. And it's designed in an Opportunistic TLS way: if the server supports TLS, then talk in TLS; if not, then I am OK with plain text.

So as you can see, Opportunistic TLS or STARTTLS is just a mechanism. This pattern can be used in MTA-to-MTA, MUA-to-MTA or any other communications. It has nothing to do with the protocols.

And I don't think the default submission port should be 587 as @Overmind said. Mail submission should use enforced TLS instead of Opportunistic TLS. Enforced TLS is: if the server doesn't support a TLS connection, then the client won't talk to the server. And port 465 is employed for the enforced TLS requirement.

So in your mail client, you should always use 465 for mail submission.

Check this good article for more: https://www.fastmail.com/help/technical/ssltlsstarttls.html
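An added example (not from either answer, and not Postfix's own code) that models the two behaviours described above: parse an EHLO reply for the STARTTLS keyword, then decide between upgrading to TLS, continuing in clear text (opportunistic) or aborting (enforced). The EHLO replies are constructed samples; `check_live_server` is a hypothetical helper for checking an MTA you operate and is not called by the offline checks.

```python
import smtplib
import ssl

# Constructed EHLO replies, in the multi-line 250 form an SMTP server sends.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250 8BITMIME\r\n"
)


def ehlo_extensions(response: str) -> set:
    """Return the upper-cased extension keywords advertised in a 250 EHLO reply."""
    lines = [ln for ln in response.split("\r\n") if ln]
    exts = set()
    for line in lines[1:]:  # first line is the greeting, not an extension
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        exts.add(line[4:].split(" ", 1)[0].upper())  # keyword before any parameter
    return exts


def tls_decision(response: str, policy: str) -> str:
    """Return 'starttls', 'plaintext' or 'abort' for an EHLO reply under a policy."""
    # 'opportunistic': use TLS when offered, else clear text (STARTTLS behaviour);
    # 'enforce': refuse to continue unless STARTTLS is offered (enforced TLS).
    if "STARTTLS" in ehlo_extensions(response):
        return "starttls"
    if policy == "enforce":
        return "abort"
    if policy == "opportunistic":
        return "plaintext"
    raise ValueError(f"unknown policy {policy!r}")


def check_live_server(host: str, port: int = 25) -> str:
    """Hypothetical helper: apply the enforced policy to a real MTA (needs network)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "abort"
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # RFC 3207: re-issue EHLO after the TLS upgrade
        return "starttls"
```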

Solution 2:

There are two scenarios for SMTP traffic:

  • Server to Server
  • Client to Server

Server to Server e-mail communication takes place over port 25. This port continues to be used primarily for SMTP relaying. SMTP relaying is the transmittal of email from email server to email server. You have to accept SMTP traffic at port 25 to receive communications from other domains. This is unsecured; information is sent as clear text / ASCII. It is not sent over SSL.

Client to Server scenario: On the server you can configure different submission ports (open ports you will accept e-mail on). These can be anything, but clients will have to know to use them.

The most common ports are 25 and 587, but a client-server system should not use 25. If you want secure outgoing communication, use 587 with TLS. This is the default e-mail submission port. When an e-mail client or server is submitting an email to be routed by a proper e-mail server, it should always use this port. This port, coupled with TLS encryption, will ensure that email is submitted securely and following the guidelines set out by the IETF.

Do not confuse ports with communication protocols.

SMTP is a protocol – it specifies the way information is transmitted. It can transmit it securely or insecurely.

The SMTP port is actually a listening port and clients connect to this in order to use the server's functionality.

The SMTP Server, on the other hand, is something separate from the protocol itself that actually does the transmission.

So yes, what you read is correct: port 25 is considered to be an incorrect use in a client-server scenario.