Support implicit / direct TLS #2029
Replies: 4 comments
-
Ah yes that is the wording I was missing. This should definitely become a thing but it hasn't been a problem so far apart from that one MFP apparently. I think there would need to be a different port involved with some slightly different code to achieve this but I'm not sure on the priorities at the minute.
-
Irony is not an appropriate response. Indeed, implicit TLS SMTP Submission is often the only choice for outbound SMTP for many of the applications we work with. STARTTLS is simply not supported, whether due to avoiding STARTTLS stripping attacks or laziness. Please pay brief attention to these points from RFC8314 (2018): Postal in version 2 continues to do a great job. It's an unnecessary weakness that implicit TLS SMTP Submission on port 465 is not supported.
-
Alright guys, let's try to solve the implicit TLS outside of the Postal codebase. Such a solution is available immediately and does not bother the development of the Postal server. We can think of at least three options
If you can think of other ways, please share them. I have tried Stunnel to my satisfaction so far. I'll post the configuration and some tips in a separate thread.
-
Second that! It's weird that Postal doesn't follow the conventions of the three well-known SMTP ports (25 for always unencrypted submission, 465 for unencrypted in encrypted TLS ("implicit TLS") and 587 for default unencrypted with STARTTLS ("explicit TLS")). As a security consultant, I can confirm that using implicit TLS is more secure, especially when used between SMTP servers. Please consider adding this or give us a heads-up on where to start so we can open up a pull request ourselves!
-
Currently Postal only supports explicit TLS (STARTTLS).
Implicit TLS is more secure and the preferred way by most clients today.
It would be awesome if Postal would support implicit TLS.