[MlMt] 143 or 993 . . . and security
Benny Kjær Nielsen
mailinglist at freron.com
Thu Jan 23 05:18:35 EST 2020
On 23 Jan 2020, at 10:35, Marc ARC wrote:
> At first we thought we’ll use port 993 since this is secure. But
> then we realised that port 143 can also be secure with StartTLS.
> Or is 993 better since it secures before communicating and is it
> future-proof?
Port 993 mainly exists for historical reasons. Personally, I would keep
both ports open and make sure that the use of STARTTLS is required for
port 143. If you close one of these ports then it'll likely affect users
at some point when configuring an email client which either defaults to
143 or 993 (or it might even not support both).
> And with SMTP we are confronted with a choice: 25 or 465 or 587? We
> prefer 587 since it requires AUTH . . . but what about the security
Port 587 is the standard for email submission (email client sending an
email) and is equivalent to 143 for IMAP (it uses STARTTLS). Port 465 is
a mess (Microsoft), but some email clients might still expect it to work
(Microsoft). Port 465 is kind of equivalent to port 993, but in practice
I've seen servers using port 465 with STARTTLS making it behave like
port 587.
You'll also need port 25 because this is the standard port used when
SMTP servers talk to each other.
In a perfect world, only ports 25, 143 and 587 would exist.
> We have been googling but can’t seem to find the mail between the
> ports
>
> Thanks in advance for your thoughts and reflections,
You'll probably get other opinions, but the important part is to ensure
that it's not possible to communicate on any port without encryption
enabled (with or without STARTTLS).
Security-wise, it is more important that you look into which TLS
protocols you allow on the server, but I'm not qualified to make any
recommendations on that:
https://en.wikipedia.org/wiki/Transport_Layer_Security
--
Benny
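
Added example, not part of the original message: one way to check the advice above that STARTTLS is required on ports 143 and 587 is to inspect what the server advertises before TLS is negotiated. The function names and all sample server responses are constructed for illustration, and mail.example.org is a placeholder host. The check covers the advertised policy only; a server can still accept commands it does not advertise.

```python
# Added example (not from the original post). All server responses below
# are constructed samples; mail.example.org is a placeholder host name.

def imap_pre_tls_findings(capability_line):
    """Audit an IMAP CAPABILITY response received on port 143 before STARTTLS."""
    caps = {c.upper() for c in capability_line.split()}
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    # RFC 3501: LOGINDISABLED tells clients that LOGIN is refused in cleartext.
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN permitted before TLS")
    offered = sorted(c[5:] for c in caps if c.startswith("AUTH="))
    if offered:
        findings.append("AUTH offered before TLS: " + " ".join(offered))
    return findings

def smtp_pre_tls_findings(ehlo_lines):
    """Audit a multi-line EHLO response received on port 587 before STARTTLS."""
    ext = {}
    for line in ehlo_lines[1:]:           # line 0 only carries the server name
        words = line[4:].upper().split()  # drop the "250-" / "250 " prefix
        if words:
            ext[words[0]] = words[1:]
    findings = []
    if "STARTTLS" not in ext:
        findings.append("STARTTLS not offered")
    if "AUTH" in ext:
        findings.append("AUTH offered before TLS: " + " ".join(sorted(ext["AUTH"])))
    return findings

# Constructed samples: one strict and one lax server per protocol.
IMAP_STRICT = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
IMAP_LAX = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"
SMTP_STRICT = ["250-mail.example.org", "250-PIPELINING", "250-STARTTLS", "250 8BITMIME"]
SMTP_LAX = ["250-mail.example.org", "250-STARTTLS", "250-AUTH PLAIN LOGIN", "250 8BITMIME"]

if __name__ == "__main__":
    for name, result in [
        ("imap strict", imap_pre_tls_findings(IMAP_STRICT)),
        ("imap lax", imap_pre_tls_findings(IMAP_LAX)),
        ("smtp strict", smtp_pre_tls_findings(SMTP_STRICT)),
        ("smtp lax", smtp_pre_tls_findings(SMTP_LAX)),
    ]:
        print(name, result or "ok")
```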