Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.mail.sendmail > #8287 > unrolled thread

SMART_HOST to port 465 or 587?

Started byJohn Levine <johnl@taugh.com>
First post2026-04-13 18:28 +0000
Last post2026-04-13 21:00 +0200
Articles 14 — 6 participants

Back to article view | Back to comp.mail.sendmail


Contents

  SMART_HOST to port 465 or 587? John Levine <johnl@taugh.com> - 2026-04-13 18:28 +0000
    Re: SMART_HOST to port 465 or 587? kalevi@kolttonen.fi (Kalevi Kolttonen) - 2026-04-13 18:33 +0000
      Re: SMART_HOST to port 465 or 587? John Levine <johnl@taugh.com> - 2026-04-13 19:28 +0000
        Re: SMART_HOST to port 465 or 587? kalevi@kolttonen.fi (Kalevi Kolttonen) - 2026-04-13 20:18 +0000
          Re: SMART_HOST to port 465 or 587? John Levine <johnl@taugh.com> - 2026-04-13 21:14 +0000
            Re: SMART_HOST to port 465 or 587? kalevi@kolttonen.fi (Kalevi Kolttonen) - 2026-04-13 21:39 +0000
            Re: SMART_HOST to port 465 or 587? Hugo Villeneuve-Lapointe <hugo_villap@email.invalid> - 2026-04-13 18:11 -0400
              Re: SMART_HOST to port 465 or 587? John Levine <johnl@taugh.com> - 2026-04-14 00:15 +0000
                Re: SMART_HOST to port 465 or 587? Hugo Villeneuve-Lapointe <hugo_villap@email.invalid> - 2026-04-13 23:27 -0400
                  Re: SMART_HOST to port 465 or 587? Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org> - 2026-04-14 02:20 -0400
                    Re: SMART_HOST to port 465 or 587? Hugo Villeneuve-Lapointe <hugo_villap@email.invalid> - 2026-04-14 22:24 -0400
                  Re: SMART_HOST to port 465 or 587? Bjørn Mork <bjorn@mork.no> - 2026-04-14 08:26 +0200
                    Re: SMART_HOST to port 465 or 587? John Levine <johnl@taugh.com> - 2026-04-14 18:27 +0000
    Re: SMART_HOST to port 465 or 587? Andrzej Adam Filip <anfi@onet.eu> - 2026-04-13 21:00 +0200

#8287 — SMART_HOST to port 465 or 587?

FromJohn Levine <johnl@taugh.com>
Date2026-04-13 18:28 +0000
SubjectSMART_HOST to port 465 or 587?
Message-ID<10rjcjs$23i1$1@gal.iecc.com>
I am in the process of replacining a tired old server running sendmail 8.15.2.
Before I turn it off I want to make it send its remaining mail through the
new server (which isn't running sendmail but that shouldn't matter.)

I see the SMART_HOST macro, but I want to make it relay with ssl to port
465 or with STARTTLS to port 587 on the new server.  I have looked through
the manual and if it's there, I don't see it.

TIA

-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

[toc] | [next] | [standalone]


#8288

Fromkalevi@kolttonen.fi (Kalevi Kolttonen)
Date2026-04-13 18:33 +0000
Message-ID<10rjcuh$3h4e3$1@dont-email.me>
In reply to#8287
John Levine <johnl@taugh.com> wrote:
> I am in the process of replacining a tired old server running sendmail 8.15.2.
> Before I turn it off I want to make it send its remaining mail through the
> new server (which isn't running sendmail but that shouldn't matter.)
> 
> I see the SMART_HOST macro, but I want to make it relay with ssl to port
> 465 or with STARTTLS to port 587 on the new server.  I have looked through
> the manual and if it's there, I don't see it.

I am not sure which one of these you need. I have set both
and my Sendmail connects to smart host's TCP port 587.

define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl

Sendmail will use STARTTLS automatically as long as
your receiving server advertises to support it.

br,
KK

[toc] | [prev] | [next] | [standalone]


#8290

FromJohn Levine <johnl@taugh.com>
Date2026-04-13 19:28 +0000
Message-ID<10rjg51$2kmm$1@gal.iecc.com>
In reply to#8288
According to Kalevi Kolttonen <kalevi@kolttonen.fi>:
>I am not sure which one of these you need. I have set both
>and my Sendmail connects to smart host's TCP port 587.
>
>define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
>define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
>
>Sendmail will use STARTTLS automatically as long as
>your receiving server advertises to support it.

Thanks, that should do it.  Just out of curiosity is
there a way to tell it to do immediate TLS on port 465?

-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

[toc] | [prev] | [next] | [standalone]


#8291

Fromkalevi@kolttonen.fi (Kalevi Kolttonen)
Date2026-04-13 20:18 +0000
Message-ID<10rjj1u$3j7e1$1@dont-email.me>
In reply to#8290
John Levine <johnl@taugh.com> wrote:
> Thanks, that should do it.  Just out of curiosity is
> there a way to tell it to do immediate TLS on port 465?

I have no idea as I have never used port 465. I suppose
it is deprecated anyway, but I am not 100% sure.

From a performance point of view, issuing STARTTLS
ESMTP command on port 587 makes no practical difference
compared to the immediate TLS on port 465.

br,
KK

[toc] | [prev] | [next] | [standalone]


#8292

FromJohn Levine <johnl@taugh.com>
Date2026-04-13 21:14 +0000
Message-ID<10rjmbc$lpm$1@gal.iecc.com>
In reply to#8291
It appears that Kalevi Kolttonen <kalevi@kolttonen.fi> said:
>John Levine <johnl@taugh.com> wrote:
>> Thanks, that should do it.  Just out of curiosity is
>> there a way to tell it to do immediate TLS on port 465?
>
>I have no idea as I have never used port 465. I suppose
>it is deprecated anyway, but I am not 100% sure.

It's not deprecated at all.  Every MTA I know supports it.  Even sendmail.

>From a performance point of view, issuing STARTTLS
>ESMTP command on port 587 makes no practical difference
>compared to the immediate TLS on port 465.

Port 465 is considerably more resistant to man-in-the-middle and
downgrade attacks than 587 is. A naughty middlebox might edit the EHLO
response to remote STARTTLS, so the client goes ahead without it. On
465, if it can't do the handshake and get the certificate with the
expected name, the connection fails.

-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

[toc] | [prev] | [next] | [standalone]


#8293

Fromkalevi@kolttonen.fi (Kalevi Kolttonen)
Date2026-04-13 21:39 +0000
Message-ID<10rjnpr$3kp64$1@dont-email.me>
In reply to#8292
John Levine <johnl@taugh.com> wrote:
> It appears that Kalevi Kolttonen <kalevi@kolttonen.fi> said:
>>John Levine <johnl@taugh.com> wrote:
>>> Thanks, that should do it.  Just out of curiosity is
>>> there a way to tell it to do immediate TLS on port 465?
>>
>>I have no idea as I have never used port 465. I suppose
>>it is deprecated anyway, but I am not 100% sure.
> 
> It's not deprecated at all.  Every MTA I know supports it.  Even sendmail.

So it seems. It was obsoleted once, but reintroduced
in 2018 via RFC 8314. That's what Google tells me.

>>From a performance point of view, issuing STARTTLS
>>ESMTP command on port 587 makes no practical difference
>>compared to the immediate TLS on port 465.
> 
> Port 465 is considerably more resistant to man-in-the-middle and
> downgrade attacks than 587 is. A naughty middlebox might edit the EHLO
> response to remote STARTTLS, so the client goes ahead without it. On
> 465, if it can't do the handshake and get the certificate with the
> expected name, the connection fails.

I guess you are right.

br,
KK

[toc] | [prev] | [next] | [standalone]


#8294

FromHugo Villeneuve-Lapointe <hugo_villap@email.invalid>
Date2026-04-13 18:11 -0400
Message-ID<2960bm-08v2.ln1@EINTR.net>
In reply to#8292
John Levine <johnl@taugh.com> wrote:
> It appears that Kalevi Kolttonen <kalevi@kolttonen.fi> said:
>>John Levine <johnl@taugh.com> wrote:
>>> Thanks, that should do it.  Just out of curiosity is
>>> there a way to tell it to do immediate TLS on port 465?
>>
>>I have no idea as I have never used port 465. I suppose
>>it is deprecated anyway, but I am not 100% sure.
> 
> It's not deprecated at all.  Every MTA I know supports it.  Even sendmail.

How does sendmail supports it?

I know there is Flag=s in DaemonPortOptions to open a port and offer
SMTP over SSL.

But I see nothing on how sendmail connects via SMTP over SSL to
other servers in op.ps or cf/README.

Sendmail can do an automatic fallback to pure TLS?


-- 
Hugo Villeneuve-Lapointe

[toc] | [prev] | [next] | [standalone]


#8295

FromJohn Levine <johnl@taugh.com>
Date2026-04-14 00:15 +0000
Message-ID<10rk0ua$2o7t$1@gal.iecc.com>
In reply to#8294
According to Hugo Villeneuve-Lapointe  <hugo_villap@email.invalid>:
>John Levine <johnl@taugh.com> wrote:
>> It appears that Kalevi Kolttonen <kalevi@kolttonen.fi> said:
>>>John Levine <johnl@taugh.com> wrote:
>>>> Thanks, that should do it.  Just out of curiosity is
>>>> there a way to tell it to do immediate TLS on port 465?
>>>
>>>I have no idea as I have never used port 465. I suppose
>>>it is deprecated anyway, but I am not 100% sure.
>> 
>> It's not deprecated at all.  Every MTA I know supports it.  Even sendmail.
>
>How does sendmail supports it?
>
>I know there is Flag=s in DaemonPortOptions to open a port and offer
>SMTP over SSL.

That's it.  Ports 465 and 587 are for submission, from an MUA to an MSA.

In my application the old server is the submission cient and the new server
is the submission server.



-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

[toc] | [prev] | [next] | [standalone]


#8296

FromHugo Villeneuve-Lapointe <hugo_villap@email.invalid>
Date2026-04-13 23:27 -0400
Message-ID<lpo0bm-8oj.ln1@EINTR.net>
In reply to#8295
John Levine <johnl@taugh.com> wrote:
> According to Hugo Villeneuve-Lapointe  <hugo_villap@email.invalid>:
>>John Levine <johnl@taugh.com> wrote:
>>> It appears that Kalevi Kolttonen <kalevi@kolttonen.fi> said:
>>>>John Levine <johnl@taugh.com> wrote:
>>>>> Thanks, that should do it.  Just out of curiosity is
>>>>> there a way to tell it to do immediate TLS on port 465?
>>>>
>>>>I have no idea as I have never used port 465. I suppose
>>>>it is deprecated anyway, but I am not 100% sure.
>>> 
>>> It's not deprecated at all.  Every MTA I know supports it.  Even sendmail.
>>
>>How does sendmail supports it?
>>
>>I know there is Flag=s in DaemonPortOptions to open a port and offer
>>SMTP over SSL.
> 
> That's it.  Ports 465 and 587 are for submission, from an MUA to an MSA.
> 
> In my application the old server is the submission cient and the new server
> is the submission server.

I'm afraid I don't think it is possible to do SMTP over SSL (port
465) between 2 sendmail servers (or I don't know how to do that).

Why everyone mentions doing it over port 587 with STARTTLS.

STARTTLS should be used automaticaly but if you want to enforce it:

if you have FEATURE(`access_db') you can add to /etc/mail/access
(and recompile after):

  # Sending to a mail server
  TLS_Srv:relay.server.domain.name	TEMP+ENCR:112
  TLS_Srv:relay.server.ip		TEMP+ENCR:112
  
  # Sending to recipient email
  # first match order: user@domain, user@, domain, ''
  TLS_Rcpt:domain.name			TEMP+ENCR:112
  # or the dangerous never send an un-encrypted email again
  #TLS_Rcpt:				TEMP+ENCR:112

See the STARTTLS section in cf/README for details (it should be
provided in your sendmail package) or:
https://fossies.org/linux/misc/sendmail.8.18.2.tar.gz/sendmail-8.18.2/cf/README?m=t


-- 
Hugo Villeneuve-Lapointe

[toc] | [prev] | [next] | [standalone]


#8297

FromClaus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>
Date2026-04-14 02:20 -0400
Message-ID<10rkmaq$v6t$1@news.misty.com>
In reply to#8296
Hugo Villeneuve-Lapointe  wrote:

> I'm afraid I don't think it is possible to do SMTP over SSL (port
> 465) between 2 sendmail servers (or I don't know how to do that).

Look for _FFR_SMTPS_CLIENT in the code.

[toc] | [prev] | [next] | [standalone]


#8300

FromHugo Villeneuve-Lapointe <hugo_villap@email.invalid>
Date2026-04-14 22:24 -0400
Message-ID<1f93bm-bqd1.ln1@EINTR.net>
In reply to#8297
Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org> wrote:
> Hugo Villeneuve-Lapointe  wrote:
> 
>> I'm afraid I don't think it is possible to do SMTP over SSL (port
>> 465) between 2 sendmail servers (or I don't know how to do that).
> 
> Look for _FFR_SMTPS_CLIENT in the code.

Oh, missed that in my search. Thanks for the info.


-- 
Hugo Villeneuve-Lapointe

[toc] | [prev] | [next] | [standalone]


#8298

FromBjørn Mork <bjorn@mork.no>
Date2026-04-14 08:26 +0200
Message-ID<87qzoit5vb.fsf@miraculix.mork.no>
In reply to#8296
Hugo Villeneuve-Lapointe <hugo_villap@email.invalid> writes:
> John Levine <johnl@taugh.com> wrote:
>
>> That's it.  Ports 465 and 587 are for submission, from an MUA to an MSA.
>> 
>> In my application the old server is the submission cient and the new server
>> is the submission server.
>
> I'm afraid I don't think it is possible to do SMTP over SSL (port
> 465) between 2 sendmail servers (or I don't know how to do that).

Well, there is the _FFR_SMTPS_CLIENT build time feature, enabling
underscore as a F= delivery agent flag:

#if _FFR_SMTPS_CLIENT
# define M_SMTPS_CLIENT '_'     /* use SMTP over TLS (465/TCP) */
#endif

But you'll probably have to build your own sendmail binary for that.

I'd just go with STARTTLS if it was me...


Bjørn

[toc] | [prev] | [next] | [standalone]


#8299

FromJohn Levine <johnl@taugh.com>
Date2026-04-14 18:27 +0000
Message-ID<10rm0u9$2m1p$1@gal.iecc.com>
In reply to#8298
According to Bjørn Mork  <bjorn@mork.no>:
>Well, there is the _FFR_SMTPS_CLIENT build time feature, enabling
>underscore as a F= delivery agent flag:
>
>#if _FFR_SMTPS_CLIENT
># define M_SMTPS_CLIENT '_'     /* use SMTP over TLS (465/TCP) */
>#endif
>
>But you'll probably have to build your own sendmail binary for that.
>
>I'd just go with STARTTLS if it was me...

Yeah, this is a decade old server I'm trying to shut down.  Thanks, all.

-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

[toc] | [prev] | [next] | [standalone]


#8289

FromAndrzej Adam Filip <anfi@onet.eu>
Date2026-04-13 21:00 +0200
Message-ID<anfi+p4fgu3umof-q4d1@wp.eu>
In reply to#8287
John Levine <johnl@taugh.com> wrote:
> I am in the process of replacining a tired old server running sendmail 8.15.2.
> Before I turn it off I want to make it send its remaining mail through the
> new server (which isn't running sendmail but that shouldn't matter.)
>
> I see the SMART_HOST macro, but I want to make it relay with ssl to port
> 465 or with STARTTLS to port 587 on the new server.  I have looked through
> the manual and if it's there, I don't see it.

MSA variant is covered in sendmail FAQ:
"How do I send using an alternate port?" [A].
Replace port 2525 used in FAQ by MSA port (587).

[A] https://www.proofpoint.com/us/sendmail/faq#v8-39

-- 
[Andrew] Andrzej A. Filip

[toc] | [prev] | [standalone]


Back to top | Article view | comp.mail.sendmail


csiph-web