On Wed, Jun 24, 2015 at 8:38 PM, Mike Perry mikeperry@torproject.org wrote:

It appears that some years ago someone quietly removed port 465 and 587 from the reduced exit policy at https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy without an explanation.

these ports should only be used for user-authenticated SMTP, and not spam.

465 was originally for SMTPS relay (the pretty TLS wrapped complement to 25/SMTP relay) back when MUA's were still dumping direct to MTA's per the even older open relay model. Thus authentication was not really mandated there, nor was it universal. (Today 465 is a bastard child that should be killed).

Then STARTTLS was rolled out and 25 became able to speak both SMTP and STARTTLS SMTP (again, both with irregular authentication). With STARTTLS you'd sometimes see STARTTLS SMTP behind 465 SMTPS as a config lol (kill it).

The IETF revoked the redundant use of 465 for MTA and assigned it to SSM (killed it in the late 1990's). Spam drove 587/SUBMISSION for segregating relay use, and 25 banned relay.

587/SUBMISSION requires authentication and has effectively always used STARTTLS. It is intended to relay outbound mail from end users client MUA. (Users can still deliver to recipient if the mailpath from their IP to somewhere behind 25@recipient.dom wasn't blocked by some control freak.)

After Heartbleed and Snowden made everyone at least consider looking at their configs, usage everywhere became even more conformant but still has some way and education to go.

I'd correct 587 to say SUBMISSION (with optional blurb in parens for perpetual dummies still looking for "SMTPS" even though it isn't).

And be somewhat aware that some 465 somewhere might lack auth, just as some 25 might equivalently open relay.

Why the exit policy list perpetuates old verbage of broken SSL everywhere instead of TLS is another day.