Forwarding email ports

Mike Cardwell tor at
Mon Feb 5 21:17:03 UTC 2007

* on the Mon, Feb 05, 2007 at 09:45:20AM -0800, Michael_google gmail_Gersten wrote:

>> Nope .. 587 is an alternative to 25. Unlike the other two, it's not
>> encrypted.
> Whoops! I've taken that one off my list of ports then.

I'm not sure what was suggested is actually correct. Port 25 is for SMTP
relaying, port 587 is for SMTP submission. Port 465 is for SMTP
submission with SSL negotiation immediately on connect.

Both ports 25 and 587 can do TLS, and generally if 25 does it, 587 will
do it to.

Other issues regarding SMTP inside TOR...

If you use either 25 or 587 with TLS, the exit node will still be able to view
the plain text value of the "HELO" or "EHLO" sent by the submitting
host. This *could* allow in certain circumstances, for the exit node to
make a good guess of the originating host, for what that's worth. This is
because many MUAs use the hostname or the IP address of your machine in the
HELO. If you're behind NAT, that value may just be the RFC1918 address though.

Port 465 doesn't have this problem though as the entire conversation is
encrypted. Assuming the client doesn't accept a bad certificate and
leave themselves open to a MITM attack.

For informational purposes, port 465 was hijacked by Microsoft for Outlook
when they decided to come up with their own way of doing SMTP SSL. It has
recently been assigned by IANA for a "real" service. Check out the port

> As for blocking IP, I'm dynamic :-).

Many hosts now reject mail from dynamic IP addresses. You might want to
perform recipient callouts with rejections during the SMTP conversation,
rather than blindly accepting any mail from the TOR network and then
generating a bounce when it fails to deliver.

SMTP inside TOR has so many little issues it makes my brain hurt.


More information about the tor-talk mailing list