Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.mail.sendmail > #8287 > unrolled thread
| Started by | John Levine <johnl@taugh.com> |
|---|---|
| First post | 2026-04-13 18:28 +0000 |
| Last post | 2026-04-13 21:00 +0200 |
| Articles | 14 — 6 participants |
Back to article view | Back to comp.mail.sendmail
SMART_HOST to port 465 or 587? John Levine <johnl@taugh.com> - 2026-04-13 18:28 +0000
Re: SMART_HOST to port 465 or 587? kalevi@kolttonen.fi (Kalevi Kolttonen) - 2026-04-13 18:33 +0000
Re: SMART_HOST to port 465 or 587? John Levine <johnl@taugh.com> - 2026-04-13 19:28 +0000
Re: SMART_HOST to port 465 or 587? kalevi@kolttonen.fi (Kalevi Kolttonen) - 2026-04-13 20:18 +0000
Re: SMART_HOST to port 465 or 587? John Levine <johnl@taugh.com> - 2026-04-13 21:14 +0000
Re: SMART_HOST to port 465 or 587? kalevi@kolttonen.fi (Kalevi Kolttonen) - 2026-04-13 21:39 +0000
Re: SMART_HOST to port 465 or 587? Hugo Villeneuve-Lapointe <hugo_villap@email.invalid> - 2026-04-13 18:11 -0400
Re: SMART_HOST to port 465 or 587? John Levine <johnl@taugh.com> - 2026-04-14 00:15 +0000
Re: SMART_HOST to port 465 or 587? Hugo Villeneuve-Lapointe <hugo_villap@email.invalid> - 2026-04-13 23:27 -0400
Re: SMART_HOST to port 465 or 587? Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org> - 2026-04-14 02:20 -0400
Re: SMART_HOST to port 465 or 587? Hugo Villeneuve-Lapointe <hugo_villap@email.invalid> - 2026-04-14 22:24 -0400
Re: SMART_HOST to port 465 or 587? Bjørn Mork <bjorn@mork.no> - 2026-04-14 08:26 +0200
Re: SMART_HOST to port 465 or 587? John Levine <johnl@taugh.com> - 2026-04-14 18:27 +0000
Re: SMART_HOST to port 465 or 587? Andrzej Adam Filip <anfi@onet.eu> - 2026-04-13 21:00 +0200
| From | John Levine <johnl@taugh.com> |
|---|---|
| Date | 2026-04-13 18:28 +0000 |
| Subject | SMART_HOST to port 465 or 587? |
| Message-ID | <10rjcjs$23i1$1@gal.iecc.com> |
I am in the process of replacining a tired old server running sendmail 8.15.2. Before I turn it off I want to make it send its remaining mail through the new server (which isn't running sendmail but that shouldn't matter.) I see the SMART_HOST macro, but I want to make it relay with ssl to port 465 or with STARTTLS to port 587 on the new server. I have looked through the manual and if it's there, I don't see it. TIA -- Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
[toc] | [next] | [standalone]
| From | kalevi@kolttonen.fi (Kalevi Kolttonen) |
|---|---|
| Date | 2026-04-13 18:33 +0000 |
| Message-ID | <10rjcuh$3h4e3$1@dont-email.me> |
| In reply to | #8287 |
John Levine <johnl@taugh.com> wrote: > I am in the process of replacining a tired old server running sendmail 8.15.2. > Before I turn it off I want to make it send its remaining mail through the > new server (which isn't running sendmail but that shouldn't matter.) > > I see the SMART_HOST macro, but I want to make it relay with ssl to port > 465 or with STARTTLS to port 587 on the new server. I have looked through > the manual and if it's there, I don't see it. I am not sure which one of these you need. I have set both and my Sendmail connects to smart host's TCP port 587. define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl Sendmail will use STARTTLS automatically as long as your receiving server advertises to support it. br, KK
[toc] | [prev] | [next] | [standalone]
| From | John Levine <johnl@taugh.com> |
|---|---|
| Date | 2026-04-13 19:28 +0000 |
| Message-ID | <10rjg51$2kmm$1@gal.iecc.com> |
| In reply to | #8288 |
According to Kalevi Kolttonen <kalevi@kolttonen.fi>: >I am not sure which one of these you need. I have set both >and my Sendmail connects to smart host's TCP port 587. > >define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl >define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl > >Sendmail will use STARTTLS automatically as long as >your receiving server advertises to support it. Thanks, that should do it. Just out of curiosity is there a way to tell it to do immediate TLS on port 465? -- Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
[toc] | [prev] | [next] | [standalone]
| From | kalevi@kolttonen.fi (Kalevi Kolttonen) |
|---|---|
| Date | 2026-04-13 20:18 +0000 |
| Message-ID | <10rjj1u$3j7e1$1@dont-email.me> |
| In reply to | #8290 |
John Levine <johnl@taugh.com> wrote: > Thanks, that should do it. Just out of curiosity is > there a way to tell it to do immediate TLS on port 465? I have no idea as I have never used port 465. I suppose it is deprecated anyway, but I am not 100% sure. From a performance point of view, issuing STARTTLS ESMTP command on port 587 makes no practical difference compared to the immediate TLS on port 465. br, KK
[toc] | [prev] | [next] | [standalone]
| From | John Levine <johnl@taugh.com> |
|---|---|
| Date | 2026-04-13 21:14 +0000 |
| Message-ID | <10rjmbc$lpm$1@gal.iecc.com> |
| In reply to | #8291 |
It appears that Kalevi Kolttonen <kalevi@kolttonen.fi> said: >John Levine <johnl@taugh.com> wrote: >> Thanks, that should do it. Just out of curiosity is >> there a way to tell it to do immediate TLS on port 465? > >I have no idea as I have never used port 465. I suppose >it is deprecated anyway, but I am not 100% sure. It's not deprecated at all. Every MTA I know supports it. Even sendmail. >From a performance point of view, issuing STARTTLS >ESMTP command on port 587 makes no practical difference >compared to the immediate TLS on port 465. Port 465 is considerably more resistant to man-in-the-middle and downgrade attacks than 587 is. A naughty middlebox might edit the EHLO response to remote STARTTLS, so the client goes ahead without it. On 465, if it can't do the handshake and get the certificate with the expected name, the connection fails. -- Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
[toc] | [prev] | [next] | [standalone]
| From | kalevi@kolttonen.fi (Kalevi Kolttonen) |
|---|---|
| Date | 2026-04-13 21:39 +0000 |
| Message-ID | <10rjnpr$3kp64$1@dont-email.me> |
| In reply to | #8292 |
John Levine <johnl@taugh.com> wrote: > It appears that Kalevi Kolttonen <kalevi@kolttonen.fi> said: >>John Levine <johnl@taugh.com> wrote: >>> Thanks, that should do it. Just out of curiosity is >>> there a way to tell it to do immediate TLS on port 465? >> >>I have no idea as I have never used port 465. I suppose >>it is deprecated anyway, but I am not 100% sure. > > It's not deprecated at all. Every MTA I know supports it. Even sendmail. So it seems. It was obsoleted once, but reintroduced in 2018 via RFC 8314. That's what Google tells me. >>From a performance point of view, issuing STARTTLS >>ESMTP command on port 587 makes no practical difference >>compared to the immediate TLS on port 465. > > Port 465 is considerably more resistant to man-in-the-middle and > downgrade attacks than 587 is. A naughty middlebox might edit the EHLO > response to remote STARTTLS, so the client goes ahead without it. On > 465, if it can't do the handshake and get the certificate with the > expected name, the connection fails. I guess you are right. br, KK
[toc] | [prev] | [next] | [standalone]
| From | Hugo Villeneuve-Lapointe <hugo_villap@email.invalid> |
|---|---|
| Date | 2026-04-13 18:11 -0400 |
| Message-ID | <2960bm-08v2.ln1@EINTR.net> |
| In reply to | #8292 |
John Levine <johnl@taugh.com> wrote: > It appears that Kalevi Kolttonen <kalevi@kolttonen.fi> said: >>John Levine <johnl@taugh.com> wrote: >>> Thanks, that should do it. Just out of curiosity is >>> there a way to tell it to do immediate TLS on port 465? >> >>I have no idea as I have never used port 465. I suppose >>it is deprecated anyway, but I am not 100% sure. > > It's not deprecated at all. Every MTA I know supports it. Even sendmail. How does sendmail supports it? I know there is Flag=s in DaemonPortOptions to open a port and offer SMTP over SSL. But I see nothing on how sendmail connects via SMTP over SSL to other servers in op.ps or cf/README. Sendmail can do an automatic fallback to pure TLS? -- Hugo Villeneuve-Lapointe
[toc] | [prev] | [next] | [standalone]
| From | John Levine <johnl@taugh.com> |
|---|---|
| Date | 2026-04-14 00:15 +0000 |
| Message-ID | <10rk0ua$2o7t$1@gal.iecc.com> |
| In reply to | #8294 |
According to Hugo Villeneuve-Lapointe <hugo_villap@email.invalid>: >John Levine <johnl@taugh.com> wrote: >> It appears that Kalevi Kolttonen <kalevi@kolttonen.fi> said: >>>John Levine <johnl@taugh.com> wrote: >>>> Thanks, that should do it. Just out of curiosity is >>>> there a way to tell it to do immediate TLS on port 465? >>> >>>I have no idea as I have never used port 465. I suppose >>>it is deprecated anyway, but I am not 100% sure. >> >> It's not deprecated at all. Every MTA I know supports it. Even sendmail. > >How does sendmail supports it? > >I know there is Flag=s in DaemonPortOptions to open a port and offer >SMTP over SSL. That's it. Ports 465 and 587 are for submission, from an MUA to an MSA. In my application the old server is the submission cient and the new server is the submission server. -- Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
[toc] | [prev] | [next] | [standalone]
| From | Hugo Villeneuve-Lapointe <hugo_villap@email.invalid> |
|---|---|
| Date | 2026-04-13 23:27 -0400 |
| Message-ID | <lpo0bm-8oj.ln1@EINTR.net> |
| In reply to | #8295 |
John Levine <johnl@taugh.com> wrote: > According to Hugo Villeneuve-Lapointe <hugo_villap@email.invalid>: >>John Levine <johnl@taugh.com> wrote: >>> It appears that Kalevi Kolttonen <kalevi@kolttonen.fi> said: >>>>John Levine <johnl@taugh.com> wrote: >>>>> Thanks, that should do it. Just out of curiosity is >>>>> there a way to tell it to do immediate TLS on port 465? >>>> >>>>I have no idea as I have never used port 465. I suppose >>>>it is deprecated anyway, but I am not 100% sure. >>> >>> It's not deprecated at all. Every MTA I know supports it. Even sendmail. >> >>How does sendmail supports it? >> >>I know there is Flag=s in DaemonPortOptions to open a port and offer >>SMTP over SSL. > > That's it. Ports 465 and 587 are for submission, from an MUA to an MSA. > > In my application the old server is the submission cient and the new server > is the submission server. I'm afraid I don't think it is possible to do SMTP over SSL (port 465) between 2 sendmail servers (or I don't know how to do that). Why everyone mentions doing it over port 587 with STARTTLS. STARTTLS should be used automaticaly but if you want to enforce it: if you have FEATURE(`access_db') you can add to /etc/mail/access (and recompile after): # Sending to a mail server TLS_Srv:relay.server.domain.name TEMP+ENCR:112 TLS_Srv:relay.server.ip TEMP+ENCR:112 # Sending to recipient email # first match order: user@domain, user@, domain, '' TLS_Rcpt:domain.name TEMP+ENCR:112 # or the dangerous never send an un-encrypted email again #TLS_Rcpt: TEMP+ENCR:112 See the STARTTLS section in cf/README for details (it should be provided in your sendmail package) or: https://fossies.org/linux/misc/sendmail.8.18.2.tar.gz/sendmail-8.18.2/cf/README?m=t -- Hugo Villeneuve-Lapointe
[toc] | [prev] | [next] | [standalone]
| From | Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org> |
|---|---|
| Date | 2026-04-14 02:20 -0400 |
| Message-ID | <10rkmaq$v6t$1@news.misty.com> |
| In reply to | #8296 |
Hugo Villeneuve-Lapointe wrote: > I'm afraid I don't think it is possible to do SMTP over SSL (port > 465) between 2 sendmail servers (or I don't know how to do that). Look for _FFR_SMTPS_CLIENT in the code.
[toc] | [prev] | [next] | [standalone]
| From | Hugo Villeneuve-Lapointe <hugo_villap@email.invalid> |
|---|---|
| Date | 2026-04-14 22:24 -0400 |
| Message-ID | <1f93bm-bqd1.ln1@EINTR.net> |
| In reply to | #8297 |
Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org> wrote: > Hugo Villeneuve-Lapointe wrote: > >> I'm afraid I don't think it is possible to do SMTP over SSL (port >> 465) between 2 sendmail servers (or I don't know how to do that). > > Look for _FFR_SMTPS_CLIENT in the code. Oh, missed that in my search. Thanks for the info. -- Hugo Villeneuve-Lapointe
[toc] | [prev] | [next] | [standalone]
| From | Bjørn Mork <bjorn@mork.no> |
|---|---|
| Date | 2026-04-14 08:26 +0200 |
| Message-ID | <87qzoit5vb.fsf@miraculix.mork.no> |
| In reply to | #8296 |
Hugo Villeneuve-Lapointe <hugo_villap@email.invalid> writes: > John Levine <johnl@taugh.com> wrote: > >> That's it. Ports 465 and 587 are for submission, from an MUA to an MSA. >> >> In my application the old server is the submission cient and the new server >> is the submission server. > > I'm afraid I don't think it is possible to do SMTP over SSL (port > 465) between 2 sendmail servers (or I don't know how to do that). Well, there is the _FFR_SMTPS_CLIENT build time feature, enabling underscore as a F= delivery agent flag: #if _FFR_SMTPS_CLIENT # define M_SMTPS_CLIENT '_' /* use SMTP over TLS (465/TCP) */ #endif But you'll probably have to build your own sendmail binary for that. I'd just go with STARTTLS if it was me... Bjørn
[toc] | [prev] | [next] | [standalone]
| From | John Levine <johnl@taugh.com> |
|---|---|
| Date | 2026-04-14 18:27 +0000 |
| Message-ID | <10rm0u9$2m1p$1@gal.iecc.com> |
| In reply to | #8298 |
According to Bjørn Mork <bjorn@mork.no>: >Well, there is the _FFR_SMTPS_CLIENT build time feature, enabling >underscore as a F= delivery agent flag: > >#if _FFR_SMTPS_CLIENT ># define M_SMTPS_CLIENT '_' /* use SMTP over TLS (465/TCP) */ >#endif > >But you'll probably have to build your own sendmail binary for that. > >I'd just go with STARTTLS if it was me... Yeah, this is a decade old server I'm trying to shut down. Thanks, all. -- Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
[toc] | [prev] | [next] | [standalone]
| From | Andrzej Adam Filip <anfi@onet.eu> |
|---|---|
| Date | 2026-04-13 21:00 +0200 |
| Message-ID | <anfi+p4fgu3umof-q4d1@wp.eu> |
| In reply to | #8287 |
John Levine <johnl@taugh.com> wrote: > I am in the process of replacining a tired old server running sendmail 8.15.2. > Before I turn it off I want to make it send its remaining mail through the > new server (which isn't running sendmail but that shouldn't matter.) > > I see the SMART_HOST macro, but I want to make it relay with ssl to port > 465 or with STARTTLS to port 587 on the new server. I have looked through > the manual and if it's there, I don't see it. MSA variant is covered in sendmail FAQ: "How do I send using an alternate port?" [A]. Replace port 2525 used in FAQ by MSA port (587). [A] https://www.proofpoint.com/us/sendmail/faq#v8-39 -- [Andrew] Andrzej A. Filip
[toc] | [prev] | [standalone]
Back to top | Article view | comp.mail.sendmail
csiph-web