# MTA Port 25 Security

## skiwarz

I'm setting up my own email server, and I've "discovered" something strange. From what I understand, mail transfer agents (MTAs) communicate with each other only on port 25. SMTP is unsecured, leading me to understand that messages could be plainly read if you captured the data.

I'm aware that ports 587 and 465 are used when transferring messages between the email client and the server. But between MTAs, is there any security?

The only reasonable way I see to secure mail in this case is to encrypt it with pre-shared keys, but that would make things terribly difficult in most emailing situations.

----------

## eccerr0r

Yeah, that's the way it goes. People should be relying on end-to-end encryption anyway (e.g. GPG) versus encrypted links, especially if that server needs to relay and it would thus need to have all keys to other machines contacted.

One would hope the servers are on 'secure' networks but the NSA will get you anyway... Lots of other forms of communication out there, just don't choose a relaying service.

----------

## papahuhn

MTAs can use STARTTLS.

----------

## szatox

oh, I bet MTAs can use TLS.

Still, as long as you don't control every single point along the line you must assume the line is not secure (even with TLS, the server itself can see the content of the message).

For messages you want to keep private it's pretty much "go gpg or go home"

The bright side is setting up gpg is easy.

The dark side is that making the other guy set it up (and use it) is not.

----------

## skiwarz

They can use STARTTLS over port 25? Better question - Do any major MTAs (gmail, yahoo, hotmail, etc) actually use STARTTLS for this type of connection? Should I even bother setting up my server to use it for MTA-MTA communication?

----------

## papahuhn

*skiwarz wrote:*

> They can use STARTTLS over port 25? Better question - Do any major MTAs (gmail, yahoo, hotmail, etc) actually use STARTTLS for this type of connection? Should I even bother setting up my server to use it for MTA-MTA communication?

```
me@nexus:~ netcat alt2.gmail-smtp-in.l.google.com 25
220 mx.google.com ESMTP d8si1220911pat.120 - gsmtp
EHLO nexus
250-mx.google.com at your service, [1.2.3.4]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-CHUNKING
250 SMTPUTF8

me@nexus:~ netcat mta6.am0.yahoodns.net 25
220 mta1572.mail.ne1.yahoo.com ESMTP ready
EHLO nexus
250-mta1572.mail.ne1.yahoo.com
250-PIPELINING
250-SIZE 41943040
250-8BITMIME
250 STARTTLS
```

It won't hurt if you allow TLS to be used.
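The same check, as an added Python example (not code from this post or from any MTA): `parse_ehlo` reads a 250 EHLO reply like the transcripts above and reports which extensions are advertised, and `probe_starttls` does the live version, upgrading with STARTTLS and saying whether the peer certificate actually verifies. The sample replies, host names and the HELO name are constructed placeholders.

```python
import smtplib
import ssl
from typing import Dict, List

# Constructed EHLO replies, modelled on the netcat transcripts above
# (placeholders, not live captures).
SAMPLE_EHLO_REPLY = """250-mx.example.test at your service, [192.0.2.10]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 SMTPUTF8"""

NO_TLS_EHLO_REPLY = """250-mx.example.test
250-PIPELINING
250 8BITMIME"""


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Turn a multi-line 250 EHLO reply into {EXTENSION: [parameters]}.

    Per RFC 5321 the first 250 line carries the server name and free text;
    each later line advertises one extension. '250-' means more lines follow,
    '250 ' (space) terminates the reply.
    """
    lines = reply.strip().splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a 250 EHLO reply")
    extensions: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.startswith(("250-", "250 ")):
            raise ValueError(f"unexpected line in EHLO reply: {line!r}")
        fields = line[4:].split()
        if not fields:
            continue
        keyword, *params = fields
        extensions[keyword.upper()] = params
    return extensions


def offers_starttls(reply: str) -> bool:
    """True if the EHLO reply advertises STARTTLS (RFC 3207)."""
    return "STARTTLS" in parse_ehlo(reply)


def probe_starttls(host: str, port: int = 25, verify: bool = True,
                   helo_name: str = "probe.example.test") -> dict:
    """Live check (needs network): EHLO, then STARTTLS if it is offered.

    With verify=True the certificate must chain to a trusted CA and match
    `host`, the same checks an authenticated sending policy applies. A
    verification failure means the hop still encrypts, but only
    opportunistically: anyone in the path could substitute their own cert.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = smtplib.SMTP(host, port, timeout=15)
    try:
        conn.ehlo(helo_name)
        if not conn.has_extn("starttls"):
            conn.quit()
            return {"host": host, "starttls": False}
        try:
            conn.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            return {"host": host, "starttls": True, "verified": False,
                    "error": exc.verify_message}
        conn.ehlo(helo_name)  # RFC 3207: the EHLO must be repeated after the upgrade
        tls = conn.sock
        result = {"host": host, "starttls": True, "verified": verify,
                  "protocol": tls.version(), "cipher": tls.cipher()[0]}
        conn.quit()
        return result
    finally:
        conn.close()


if __name__ == "__main__":
    print("sample reply offers STARTTLS:", offers_starttls(SAMPLE_EHLO_REPLY))
    print("no-TLS reply offers STARTTLS:", offers_starttls(NO_TLS_EHLO_REPLY))
```

Run `probe_starttls("alt2.gmail-smtp-in.l.google.com")` to repeat the check above with a real handshake; try it with `verify=False` as well to see the difference between "the link is encrypted" and "I know who is on the other end", which is the distinction the rest of this thread turns on.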

----------

## szatox

Actually it's pretty hard to make your server forward emails to other servers. They often simply refuse to talk.

In best case you need correct DNS records. In many others you must be on their white list (yeah, pretty dumb spam filter)

TLS between servers is a minor issue and little benefit, since there are still weak points along the line.

----------

## skiwarz

Hmm... Yeah I'm able to send and receive mail from google, microsoft, and yahoo addresses (that's all I've tested with). I guess that's pretty fortunate, since I haven't done much to set it up. Maybe I'll just forget about MTA-MTA security then. Thanks for the help.

----------

## Duncan Mac Leod

We are using DNSSEC and DANE (https://www.tlsa.info/ for testing) as additional security...

http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
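As an added illustration of what DANE actually pins (this is example code, not from the poster, tlsa.info or any MTA): building the TLSA record a mail host would publish under `_25._tcp.<mx>` and checking a presented certificate against it. The DER byte strings are constructed placeholders standing in for real certificate and SubjectPublicKeyInfo bytes; the owner name is assumed.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER bytes (placeholders, not a real certificate).
# In practice cert_der comes from the TLS handshake and spki_der is extracted
# from it, e.g. with the 'cryptography' package:
#   cert.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-end-entity-certificate" * 4
SAMPLE_SPKI_DER = b"\x30\x59" + b"constructed-subject-public-key-info" * 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int   # 0 whole certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes

    @classmethod
    def from_rdata(cls, rdata: str) -> "TLSARecord":
        """Parse the presentation form '3 1 1 <hex>' (hex may be split by spaces)."""
        usage, selector, matching, *hexparts = rdata.split()
        return cls(int(usage), int(selector), int(matching),
                   bytes.fromhex("".join(hexparts)))

    def to_rr(self, owner: str) -> str:
        """Zone-file line, e.g. for owner '_25._tcp.mail.example.test.'."""
        return (f"{owner} IN TLSA {self.usage} {self.selector} "
                f"{self.matching} {self.data.hex()}")


def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, matching: int) -> bytes:
    """The bytes a record carries for this selector/matching type (RFC 6698 s.2.1)."""
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching == 0:
        return subject
    if matching == 1:
        return hashlib.sha256(subject).digest()
    if matching == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_record(cert_der: bytes, spki_der: bytes, usage: int = 3,
                selector: int = 1, matching: int = 1) -> TLSARecord:
    """Build the record to publish. '3 1 1' is the combination RFC 7671/7672
    recommend for SMTP: pin the key, so certificates can be reissued freely."""
    return TLSARecord(usage, selector, matching,
                      association_data(cert_der, spki_der, selector, matching))


def end_entity_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Check a presented leaf certificate against a DANE-EE (3) or PKIX-EE (1)
    record. Usage 0 and 2 records name a CA somewhere in the chain, not the
    leaf, and usage 1 additionally needs ordinary PKIX validation; neither of
    those extra steps is done here."""
    if record.usage not in (1, 3):
        raise ValueError("only end-entity usages are handled by this check")
    expected = association_data(cert_der, spki_der, record.selector, record.matching)
    return record.data == expected


if __name__ == "__main__":
    rec = make_record(SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print(rec.to_rr("_25._tcp.mail.example.test."))
    print("current key matches:", end_entity_matches(rec, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print("rotated key matches:", end_entity_matches(rec, SAMPLE_CERT_DER, b"rotated-key"))
```

The second print is the operational caveat: a sender that enforces DANE will refuse delivery the moment you rotate the key without having published the new `3 1 1` record (and waited out the old TTL) first, so key rotation on a DANE-protected MX is a two-step change. Note also that the record is only meaningful when the zone is DNSSEC-signed and the sending MTA validates it; an unsigned TLSA record is just a hint.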

----------

## nativemad

You could also force postfix to only allow tls encrypted traffic...

See http://www.postfix.org/postconf.5.html#smtp_tls_security_level

Cheers
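An added Postfix `main.cf` fragment showing the levels that parameter takes in practice (this is example configuration, not from the poster or the Postfix documentation; file paths, domain names and the policy-map entries are assumptions):

```ini
# --- Inbound (smtpd): offer STARTTLS to other MTAs but do not require it.
# 'encrypt' here would make every MTA without TLS unable to deliver to you.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.test.pem
smtpd_tls_key_file  = /etc/ssl/private/mail.example.test.key
smtpd_tls_loglevel  = 1

# --- Outbound (smtp): opportunistic by default. 'may' uses TLS whenever the
# remote EHLO advertises STARTTLS and falls back to plaintext otherwise.
smtp_tls_security_level = may
smtp_tls_CAfile  = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# To use the DANE records discussed above, Postfix needs a validating DNSSEC
# resolver on the host; 'dane' then falls back to 'may' for domains that
# publish no TLSA records.
# smtp_dns_support_level = dnssec
# smtp_tls_security_level = dane

# Per-destination overrides. 'encrypt' only forces TLS and does not check the
# certificate, so it stops passive capture but not an active MITM; 'secure'
# also verifies the chain and the name, so mail is deferred if that fails.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Contents of /etc/postfix/tls_policy (run 'postmap /etc/postfix/tls_policy'):
#   example.org      secure match=.example.org:example.org
#   partner.example  encrypt
```

The practical point is the distinction between the global default and the per-destination map: setting `smtp_tls_security_level = encrypt` for everything makes mail to any MX that does not offer STARTTLS sit in the queue until it expires, whereas `may` globally plus `encrypt` or `secure` for the handful of domains whose mail you actually care about keeps delivery working and still gives you a guarantee where you want one. Check what was negotiated with `smtp_tls_loglevel = 1`, which logs lines such as `Trusted TLS connection established to ...` versus `Untrusted TLS connection established to ...`.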

----------

