SMTP using port 25 by default
Adam H. Kerman
2022-03-17 14:02:18 UTC
I use a role to submit email through an SMTP server specific to the
domain of the email address in question. I use either the /ssl or /tls
parameter, depending on what works through trial and error. I also
submit the username and the password is stored in the passfile.

I think you've explained that /tls is really STARTTLS, which I've always
found confusing.

I've been unable to send email through one SMTP server. I get the 100%
submitted, but the test message hasn't been received at one of my other
addresses.

I added /submit and the test message was received.

I had assumed that by specifying /ssl or /tls, alpine used port 587. Is
that wrong? Does alpine use port 25 by default?

I changed all my roles to add /submit.
Eduardo Chappa
2022-03-18 04:05:11 UTC
Post by Adam H. Kerman
I think you've explained that /tls is really STARTTLS, which I've always
found confusing.
I agree. I added an alias "/starttls" to make it less confusing
Post by Adam H. Kerman
I've been unable to send email through one SMTP server. I get the 100%
submitted, but the test message hasn't been received at one of my other
addresses.
I added /submit and the test message was received.
I had assumed that by specifying /ssl or /tls, alpine used port 587. Is
that wrong? Does alpine use port 25 by default?
Yes, Alpine uses the default port for any connection whose port is not
specified in some way. Let me make that a little bit more clear:

smtp.server.com

means to connect in port 25, so doing

smtp.server.com/tls

means to connect in port 25 and do STARTTLS in that port. The correct port
to do /tls is port 587, so you have to add this as

smtp.server.com:587/tls

However, Alpine has a shortcut for that and it is

smtp.server.com:587/tls = smtp.server.com/submit

This is the same when you specify other means to connect such as

smtp.server.com/ssl

which is equivalent to

smtp.server.com/ssl = smtp.server.com:465/ssl

in other words the modifier also modifies the connection port. For
security reasons always prefer /ssl over STARTTLS, so if you can change
/submit to /ssl do that, otherwise /submit is the next best thing.

I hope this helps.
--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)
Adam H. Kerman
2022-03-18 04:42:55 UTC
Post by Eduardo Chappa
Post by Adam H. Kerman
I think you've explained that /tls is really STARTTLS, which I've always
found confusing.
I agree. I added an alias "/starttls" to make it less confusing
Thanks!
Post by Eduardo Chappa
Post by Adam H. Kerman
I've been unable to send email through one SMTP server. I get the 100%
submitted, but the test message hasn't been received at one of my other
addresses.
I added /submit and the test message was received.
I had assumed that by specifying /ssl or /tls, alpine used port 587. Is
that wrong? Does alpine use port 25 by default?
Yes, Alpine uses the default port for any connection whose port is not
smtp.server.com
means to connect in port 25, so doing
smtp.server.com/tls
means to connect in port 25 and do STARTTLS in that port. The correct port
to do /tls is port 587, so you have to add this as
smtp.server.com:587/tls
However, Alpine has a shortcut for that and it is
smtp.server.com:587/tls = smtp.server.com/submit
/submit means STARTTLS and port 587? I've never read that in the help
text. Does /submit allow it to step down to an unencrypted connection if
STARTTLS fails? I'd prefer to avoid that.
Post by Eduardo Chappa
This is the same when you specify other means to connect such as
smtp.server.com/ssl
which is equivalent to
smtp.server.com/ssl = smtp.server.com:465/ssl
/ssl means port 465? I thought we're not supposed to use that port for
SSL as it's never been officially assigned.
Post by Eduardo Chappa
in other words the modifier also modifies the connection port. For
security reasons always prefer /ssl over STARTTLS, so if you can change
/submit to /ssl do that, otherwise /submit is the next best thing.
Does /submit/ssl use port 587?
Post by Eduardo Chappa
I hope this helps.
I hate to say I'm confused on a few of these points.
Eduardo Chappa
2022-03-18 06:24:21 UTC
Post by Adam H. Kerman
/submit means STARTTLS and port 587? I've never read that in the help
text. Does /submit allow it to step down to an unencrypted connection if
STARTTLS fails? I'd prefer to avoid that.
No, if STARTTLS fails there goes your session. Read more on the following
help link (if followed from alpine) x-alpine-help:h_folder_server_syntax
Post by Adam H. Kerman
Post by Eduardo Chappa
This is the same when you specify other means to connect such as
smtp.server.com/ssl
which is equivalent to
smtp.server.com/ssl = smtp.server.com:465/ssl
/ssl means port 465? I thought we're not supposed to use that port for
SSL as it's never been officially assigned.
Well, that is what /ssl means, it is in the source code, but you can
specify any port.
Post by Adam H. Kerman
Post by Eduardo Chappa
in other words the modifier also modifies the connection port. For
security reasons always prefer /ssl over STARTTLS, so if you can change
/submit to /ssl do that, otherwise /submit is the next best thing.
Does /submit/ssl use port 587?
That does not do what you want it to do. This is like doing /tls/ssl. It is
contradictory and will not work.
--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)
Adam H. Kerman
2022-03-18 20:45:25 UTC
Post by Eduardo Chappa
Post by Adam H. Kerman
/submit means STARTTLS and port 587? I've never read that in the help
text. Does /submit allow it to step down to an unencrypted connection if
STARTTLS fails? I'd prefer to avoid that.
No, if STARTTLS fails there goes your session. Read more on the following
help link (if followed from alpine) x-alpine-help:h_folder_server_syntax
Post by Adam H. Kerman
Post by Eduardo Chappa
This is the same when you specify other means to connect such as
smtp.server.com/ssl
which is equivalent to
smtp.server.com/ssl = smtp.server.com:465/ssl
/ssl means port 465? I thought we're not supposed to use that port for
SSL as it's never been officially assigned.
Well, that is what /ssl means, it is in the source code, but you can
specify any port.
Post by Adam H. Kerman
Post by Eduardo Chappa
in other words the modifier also modifies the connection port. For
security reasons always prefer /ssl over STARTTLS, so if you can change
/submit to /ssl do that, otherwise /submit is the next best thing.
Does /submit/ssl use port 587?
That does not do what you want it to do. This is like doing /tls/ssl. It is
contradictory and will not work.
It appears that with /ssl parameter used, /submit is ignored.

If I'm now following you, /ssl uses port 465 by default and attempts TLS
1.3.

It would make my life easier if there were a chart in the help text.

          Protocol tried first   default port

/submit   STARTTLS               587
/ssl      TLS 1.3                465
/tls      I'm still confused

Ok. I redid the SMTP entry in each of my roles for the second time this
week. I eliminated /submit and /tls. In each case I'm using /ssl but I
have no idea what happens if TLS 1.3 isn't available. Does that cause
failure or does it attempt TLS 1.2?
Eduardo Chappa
2022-03-19 00:48:59 UTC
Post by Adam H. Kerman
It appears that with /ssl parameter used, /submit is ignored.
/ssl and /submit are mutually exclusive.
Post by Adam H. Kerman
It would make my life easier if there were a chart in the help text.
          Protocol tried first   default port
/submit   STARTTLS               587
/ssl      TLS 1.3                465
/tls      I'm still confused
Adam, I can see your confusion. STARTTLS is not a protocol, STARTTLS is a
command which tells the server that you are going to negotiate a secure
connection using TLS. The version of TLS that will be used depends on what
versions of TLS were compiled into Alpine and into the server. The server
and Alpine will negotiate the highest version of TLS that both of them
support. When you see that the negotiation is being done with TLS version
1.3 it means that both Alpine and the server support it, and that is good,
but if Alpine supported only TLS 1.2, that is what would be negotiated.

Let me correct myself. It is not Alpine that supports TLS 1.2, it is
openssl. All of that negotiation is done by openssl, not Alpine. Alpine
uses openssl to negotiate the secure connection, so the table above does
not make sense in the sense you want to write.

However, one more thing. When you add /tls to a connection it means that
you will connect insecurely to that server and then use the STARTTLS
command to negotiate a secure connection. That is different than what
happens when you add /ssl, which means connecting securely to the server
from the very beginning. As I said before /ssl and /tls are mutually
exclusive.
Post by Adam H. Kerman
Ok. I redid the SMTP entry in each of my roles for the second time this
week. I eliminated /submit and /tls. In each case I'm using /ssl but I
have no idea what happens if TLS 1.3 isn't available. Does that cause
failure or does it attempt TLS 1.2?
It is not TLS 1.3 that is negotiated, it is the highest version of the
protocol that both the server and alpine support. In your case it might be
TLS 1.3, or maybe something smaller if the server does not support TLS
1.3.
--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)
Adam H. Kerman
2022-03-19 16:53:59 UTC
Post by Eduardo Chappa
Post by Adam H. Kerman
It appears that with /ssl parameter used, /submit is ignored.
/ssl and /submit are mutually exclusive.
Post by Adam H. Kerman
It would make my life easier if there were a chart in the help text.
          Protocol tried first   default port
/submit   STARTTLS               587
/ssl      TLS 1.3                465
/tls      I'm still confused
Adam, I can see your confusion. STARTTLS is not a protocol, STARTTLS is a
command which tells the server that you are going to negotiate a secure
connection using TLS. The version of TLS that will be used depends on what
versions of TLS were compiled into Alpine and into the server. The server
and Alpine will negotiate the highest version of TLS that both of them
support. When you see that the negotiation is being done with TLS version
1.3 it means that both Alpine and the server support it, and that is good,
but if Alpine supported only TLS 1.2, that is what would be negotiated.
Let me correct myself. It is not Alpine that supports TLS 1.2, it is
openssl. All of that negotiation is done by openssl, not Alpine. Alpine
uses openssl to negotiate the secure connection, so the table above does
not make sense in the sense you want to write.
Ah
Post by Eduardo Chappa
However, one more thing. When you add /tls to a connection it means that
you will connect insecurely to that server and then use the STARTTLS
command to negotiate a secure connection.
Is port 587 used by default with the /tls parameter specified?

Thank you for the explanation.
Post by Eduardo Chappa
Post by Adam H. Kerman
. . .
Eduardo Chappa
2022-03-19 22:05:38 UTC
Post by Adam H. Kerman
Is port 587 used by default with the /tls parameter specified?
No, for any server, when you use

server.com:port/tls

you connect insecurely to server.com at that specific port. When you omit
the port, as in

server.com/tls

you connect to server.com at the default insecure port and then you
negotiate a secure connection using the STARTTLS command. In the case of
SMTP this would be port 25. Since STARTTLS exists in port 587 you would
either use

server.com:587/tls

or the equivalent

server.com/submit

I hope this helps.
--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)
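
The modifier rules Eduardo lays out in this thread, as an added Python example (not part of any post and not Alpine's own code): `resolve` maps a server spec to host, port and TLS mode, and `connect` shows implicit TLS next to STARTTLS without any fallback to cleartext. Rejecting /ssl combined with /tls or /submit, and letting an explicit port override the /submit default, are assumptions of the example.

```python
import smtplib
import ssl

# Default ports as described in the thread; not taken from Alpine's source.
DEFAULT_PORT = {"plain": 25, "starttls": 25, "submit": 587, "ssl": 465}


def resolve(spec):
    """Turn 'host[:port][/modifier...]' into (host, port, mode).

    mode is 'plain', 'starttls' (upgrade after connecting in cleartext)
    or 'implicit' (TLS from the first byte).
    """
    hostport, *mods = spec.strip().split("/")
    host, _, port = hostport.partition(":")
    mods = {m.lower() for m in mods if m}
    unknown = mods - {"ssl", "tls", "starttls", "submit"}
    if unknown:
        raise ValueError(f"unsupported modifier(s): {sorted(unknown)}")
    if "ssl" in mods and mods & {"tls", "starttls", "submit"}:
        # Assumption of this example: reject the contradictory combination.
        raise ValueError("/ssl cannot be combined with /tls or /submit")
    if "ssl" in mods:
        kind, mode = "ssl", "implicit"
    elif "submit" in mods:
        kind, mode = "submit", "starttls"
    elif mods:
        kind, mode = "starttls", "starttls"
    else:
        kind, mode = "plain", "plain"
    # Assumption: an explicit port always overrides the modifier's default.
    return host, int(port) if port else DEFAULT_PORT[kind], mode


def connect(spec, timeout=10):
    """Open an SMTP session for spec; raise rather than continue in cleartext."""
    host, port, mode = resolve(spec)
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    if mode == "implicit":
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    conn = smtplib.SMTP(host, port, timeout=timeout)
    if mode == "starttls":
        try:
            conn.starttls(context=ctx)  # raises if STARTTLS is not offered
        except Exception:
            conn.close()
            raise
    return conn
```
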
Adam H. Kerman
2022-03-19 22:48:15 UTC
Post by Eduardo Chappa
Post by Adam H. Kerman
Is port 587 used by default with the /tls parameter specified?
No, for any server, when you use
server.com:port/tls
you connect insecurely to server.com at that specific port. When you omit
the port, as in
server.com/tls
you connect to server.com at the default insecure port and then you
negotiate a secure connection using the STARTTLS command. In the case of
SMTP this would be port 25. Since STARTTLS exists in port 587 you would
either use
server.com:587/tls
or the equivalent
server.com/submit
I hope this helps.
Thanks

John Levine
2022-03-18 17:36:57 UTC
Post by Adam H. Kerman
Post by Eduardo Chappa
This is the same when you specify other means to connect such as
smtp.server.com/ssl
which is equivalent to
smtp.server.com/ssl = smtp.server.com:465/ssl
/ssl means port 465? I thought we're not supposed to use that port for
SSL as it's never been officially assigned.
RFC 8314 fixed that five years ago. Submit away.
--
Regards,
John Levine, ***@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
Adam H. Kerman
2022-03-18 20:36:37 UTC
Post by John Levine
Post by Adam H. Kerman
Post by Eduardo Chappa
This is the same when you specify other means to connect such as
smtp.server.com/ssl
which is equivalent to
smtp.server.com/ssl = smtp.server.com:465/ssl
/ssl means port 465? I thought we're not supposed to use that port for
SSL as it's never been officially assigned.
RFC 8314 fixed that five years ago. Submit away.
Thank you for pointing that out.