What would you do with port 465

Hi,

After upgrading to V0.55 I started getting a status check error:

Outgoing Mail (SMTP 465/postfix) is running but is not publicly accessible

This however did not affect my ability to send mail, both from inside my network and from the outside, as I only use port 587.

If I open up port 465 in my firewall the error goes away. But then there’s an extra hole in my firewall that I do not use.

So what would you do: open up 465 and be compliant (error-free) or just close it and live with the error?

That is up to you. Ultimately, it is your server and you decide. MiaB is configured to support various standards and popular configurations, but if you feel the standard or configuration is not applicable to your use case, you do not have to follow it.

Port 465 (with the “SSL/TLS” option in most mail clients) is superior to port 587 (with “STARTTLS”) because it has a lower risk of being misconfigured by the end-user in mail application settings resulting in leaking passwords unencrypted. So in an ideal world, we’d all be using port 465 and port 587 would be retired. Now and going forward, Mail-in-a-Box lists port 465 in its mail settings instructions.

In practice, @openletter is right — it’s up to you how you want to handle it. The risk of misconfiguration is very low for existing devices. But when setting up new devices, you might consider 465 instead.

The risk of having it as an additional open port is also exceedingly low since it offers almost exactly the same service as port 587.

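The difference the post above describes (implicit TLS on 465 versus a cleartext session that must be upgraded with STARTTLS on 587) is easy to see in client code. The following is an added example, not code from the thread or from the Mail-in-a-Box project; the host name, user and password are placeholders. It opens a submission session either way but refuses to send credentials unless the transport is actually TLS, which is exactly the check a misconfigured STARTTLS client skips.

```python
"""Added example (not from the thread or from Mail-in-a-Box):
open an SMTP submission session on 465 (implicit TLS) or 587 (STARTTLS)
and never send AUTH unless the transport is really TLS.
MAIL_HOST, user and password below are placeholders."""
import smtplib
import socket
import ssl

MAIL_HOST = "box.example.test"  # placeholder, not a real mail server


def transport_is_tls(sock) -> bool:
    """True only if the socket AUTH would travel over is a TLS socket."""
    return isinstance(sock, ssl.SSLSocket)


def open_submission(host: str, port: int, timeout: float = 10.0) -> smtplib.SMTP:
    """Connect on 465 or 587 with certificate and hostname verification."""
    ctx = ssl.create_default_context()  # verifies the server cert and hostname
    if port == 465:
        # Implicit TLS: the handshake precedes any SMTP byte, so there is no
        # window in which a client could accidentally talk cleartext.
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    if port == 587:
        # STARTTLS: the session starts in cleartext and has to be upgraded.
        # A client that forgets this step still "works" and leaks the password.
        conn = smtplib.SMTP(host, port, timeout=timeout)
        conn.ehlo()
        if not conn.has_extn("starttls"):
            conn.close()
            raise RuntimeError("server did not offer STARTTLS; refusing cleartext session")
        conn.starttls(context=ctx)
        conn.ehlo()  # re-EHLO after the upgrade, as the RFC requires
        return conn
    raise ValueError(f"unexpected submission port {port}")


def safe_login(conn: smtplib.SMTP, user: str, password: str) -> smtplib.SMTP:
    """Authenticate only if the session is encrypted; close it otherwise."""
    if not transport_is_tls(conn.sock):
        conn.close()
        raise RuntimeError("refusing to send credentials over a cleartext transport")
    conn.login(user, password)
    return conn


def self_check() -> dict:
    """Offline check of the classifier: an unconnected plain socket versus an
    unconnected TLS-wrapped socket (no handshake is performed)."""
    plain = socket.socket()
    wrapped = ssl.create_default_context().wrap_socket(
        socket.socket(), server_hostname=MAIL_HOST
    )
    try:
        return {"plain": transport_is_tls(plain), "tls": transport_is_tls(wrapped)}
    finally:
        plain.close()
        wrapped.close()


if __name__ == "__main__":
    print(self_check())  # {'plain': False, 'tls': True}
    # Real use (needs a reachable server and real credentials):
    # safe_login(open_submission(MAIL_HOST, 465), "user@example.test", "password")
```

On 465 the guard in safe_login can never trip, because SMTP_SSL hands back a TLS socket or raises. On 587 it trips precisely when the STARTTLS step was omitted, which is the misconfiguration the post is warning about.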

So then the best way forward is to move my mail clients to 465 and plug the 587 port hole in the firewall.

That will depend a lot on the clients. You may discover a client that doesn’t support 465. Also, if the client is currently accessing mail on MiaB, then it is doing so securely. AFAICT, the security issue is related to initial misconfiguration of the client which can happen when the client is not configured per the instructions conveniently located on MiaB (which may no longer state port 587 - I still haven’t updated to 55).

I removed the 587 forward, changed my mobile and desktop mail clients to use 465 - SSL/TLS and tested the lot from inside my network as well as from the outside. Works flawlessly. As I’m the only user here I do not expect problems later on :slight_smile:

Thanks for your suggestions which help me understand things better!

Oh, and the update to .55 was (in my case) easier than a walk in the park (which makes you quite wet atm over here)

Of course, you mean: 55. :grinning:

Hey, when did that happen? I must have missed the notice :grinning_face_with_smiling_eyes:


:man_facepalming:
Blocking 587 also gives an error.

Oh well, let’s open 587 again then.

If you are really determined, you might at least have a couple of options.

One option, if you have an external firewall (which some of the hosting ISPs do provide), is to block 587 there, and MiaB may not be able to tell.

Another option that may get overwritten is to allow 587 on the box firewall only for the box IP address, which should also pass the checks.

It’s not an error if you know the cause and it doesn’t affect operations of course. Are you going to let a desire for a tidy indicator panel reduce your security (even if not by much)?


What can I say, I like green ticks? I opened 587 and am done with it. As stated I’m the only user of this box, so misconfigured clients are not to be expected.

Still have a complaint left about ssh not being remotely accessible; but there I draw the line :slightly_smiling_face:


What is the problem with ssh by the way? The usual setup is to prevent password access and therefore require the secret key on your client machine.

I have prevented password access and log in using the secret key.

The first two lines of the system status checks read:

:heavy_multiplication_x: SSH Login (ssh) is running but is not publicly accessible at my.public.ip.address:22
✓ SSH disallows password-based login.

I never understood why port 22 not being publicly accessible would be an error. Could be that MIAB normally runs on a VPS somewhere else, so you need to have access to port 22. But if you run MIAB on a private line in a DMZ behind your own firewall I do not want port 22 open.

Ah, I understand. Yes, it is usually expected that MIAB will be installed on a VPS. Digital Ocean in my case for example.