# postfix tls fail on port 25

## petterg

I've set up postfix with tls using this howto http://www.gentoo.org/doc/en/virt-mail-howto.xml

Everything seems to be working fine, except for TLS on port 25.

Also everything looks fine using

```
openssl s_client -starttls smtp -crlf -connect 1.2.3.4:25
```

The only thing that doesn't work is sending mail with TLS enabled using Thunderbird, Opera or Outlook. As soon as the client is supposed to send STARTTLS, the communication freezes. As the server is set up with a locally signed certificate the clients should show a warning - they don't.

So I set a portforward at the serverside.

```
# nat table, PREROUTING chain: incoming connections to 2500 are rewritten to 1.2.3.4:25
iptables -t nat -A PREROUTING -p tcp --dport 2500 -j DNAT --to-destination 1.2.3.4:25
```

Now, by changing the port at the client side, the clients start to work fine! So one would think that port 25 could be blocked in a firewall, but it's not. That is proven by a working s_client, by the fact that SMTP+authentication works fine once TLS is disabled, and by the fact that my old qmail server with TLS forced is working perfectly. (The old qmail server and the new postfix are hooked up to the same switch, addressed in the same subnet.)

Does anyone have any idea of why the clients can't use TLS on port 25?

----------

## shazeal

Are you trying to use this from outside your local network? If so your ISP is probably blocking port 25. Try 465 or 587; just enable them in master.cf. Since you're saying that using a forward from 2500 to 25 works, it seems likely? I may be misunderstanding though.

I had the same problem but on our university network where they block port 25 internally to any hosted servers as well.

----------
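Added example, not code from the thread or from the Gentoo howto: a probe that walks the SMTP TLS negotiation one step at a time with a timeout, so a session that "freezes" as soon as the client sends STARTTLS (petterg's symptom) can be pinned to a stage, and that can also be pointed at 465 in implicit-TLS mode or at 587 to check shazeal's suggestion. The function and class names, the `probe.example` client name and the `fake.example` test server are all assumptions made for this example; the fake server is a constructed stand-in that answers "220" to STARTTLS and then goes silent, so the example runs offline and shows the failure path rather than a real Postfix.

```python
import socket
import socketserver
import ssl
import threading
from dataclasses import dataclass, field


@dataclass
class ProbeResult:
    stage: str          # last stage reached: connect, banner, ehlo, starttls, tls_handshake, done
    ok: bool = False
    error: str = ""
    transcript: list = field(default_factory=list)   # ("C"/"S"/"TLS", text) in order


def _read_reply(rfile):
    """Read one SMTP reply, multi-line "250-" form included; return its lines without CRLF."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        lines.append(raw.decode("ascii", errors="replace").rstrip("\r\n"))
        if len(raw) < 4 or raw[3:4] != b"-":   # "250 " ends the reply, "250-" continues it
            return lines


def probe_smtp_tls(host, port, mode="starttls", timeout=5.0, verify=False):
    """Step through the SMTP TLS negotiation and report how far it got before failing.
    mode="starttls" is the port 25/587 flow, mode="smtps" implicit TLS as on port 465.
    verify=False skips certificate checks (locally signed certificate, as in the thread)."""
    result = ProbeResult(stage="connect")
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if mode == "starttls":
                rfile = sock.makefile("rb")
                def exchange(cmd):   # send one command (None: banner only), return the reply
                    if cmd is not None:
                        result.transcript.append(("C", cmd))
                        sock.sendall(cmd.encode("ascii") + b"\r\n")
                    lines = _read_reply(rfile)
                    result.transcript.extend(("S", line) for line in lines)
                    return lines
                result.stage = "banner"
                if not exchange(None)[0].startswith("220"):
                    result.error = "unexpected banner"
                    return result
                result.stage = "ehlo"   # probe.example is a placeholder client name
                caps = exchange("EHLO probe.example")
                if not any(cap[4:].upper().startswith("STARTTLS") for cap in caps):
                    result.error = "server does not advertise STARTTLS"
                    return result
                result.stage = "starttls"
                if not exchange("STARTTLS")[0].startswith("220"):
                    result.error = "STARTTLS refused"
                    return result
            # The handshake runs inside wrap_socket and honours the socket timeout, so a peer
            # (or a middlebox) that goes silent after "220 Ready to start TLS" shows up here.
            result.stage = "tls_handshake"
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result.transcript.append(("TLS", tls.version()))
                result.stage = "done"
                tls.sendall(b"QUIT\r\n")
                result.ok = True
    except socket.timeout:
        result.error = "timed out during " + result.stage
    except OSError as exc:   # ConnectionError and ssl.SSLError are OSError subclasses
        result.error = "%s during %s" % (type(exc).__name__, result.stage)
    return result


class _FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Constructed test double: plaintext SMTP that answers 220 to STARTTLS, then hangs."""
    def handle(self):
        try:
            self.wfile.write(b"220 fake.example ESMTP (constructed test server)\r\n")
            for raw in self.rfile:
                cmd = raw.decode("ascii", errors="replace").strip().upper()
                if cmd.startswith("EHLO"):
                    caps = [b"250-fake.example"] + ([b"250-STARTTLS"] if self.server.advertise_starttls else [])
                    self.wfile.write(b"\r\n".join(caps + [b"250 8BITMIME"]) + b"\r\n")
                elif cmd == "STARTTLS":
                    self.wfile.write(b"220 2.0.0 Ready to start TLS\r\n")
                    while self.request.recv(4096):   # swallow the ClientHello, never answer it
                        pass
                    return
        except OSError:
            pass


def start_fake_server(advertise_starttls=True):
    """Start the constructed server on an ephemeral localhost port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeSmtpHandler)
    server.daemon_threads = True
    server.advertise_starttls = advertise_starttls
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]
```

Against a real server, `probe_smtp_tls("1.2.3.4", 25)` and `probe_smtp_tls("1.2.3.4", 2500)` give two transcripts to compare line by line; a server that completes the handshake ends with stage `done`, one that answers "220 Ready" and then stalls ends with `timed out during tls_handshake`, which is exactly the point at which the thread's mail clients freeze. `mode="smtps"` against a port that actually speaks plaintext SMTP fails in the same stage with an SSL error instead of a timeout, the usual sign that a client was configured for 465-style wrapper mode on a STARTTLS port.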

## petterg

If the ISP was blocking port 25 they would also be blocking port 25 to my qmail server connected to the same switch, right? Port 25 works on the qmail server with TLS switched on.

And also port 25 works with TLS switched off on the postfix server.

There is a possibility that the ISP has put a filter on port 25 that allows only unencrypted SMTP unless the SMTP server identifies itself as 'qmail'. I really doubt they have such a filter though. One would think that either the port is open or it's closed.

----------

