Default setting for ESMTPA (SMTPAuth) looks to me like this:
- port 25: accepts AUTH for Plain text and STARTTLS
- port 587: accepts AUTH ONLY for STARTTLS
Can you confirm this?
With the default iRedMail settings, both port 25 and 587 accept AUTH only for STARTTLS, no plain text.
My old device, which is not able to encrypt with STARTTLS, did successfully submit the email on port 25.
*) Which version of iRedMail are you running? (check file /etc/iredmail-release).
*) Do you have 'smtpd_tls_auth_only=yes' in /etc/postfix/main.cf? This is the default setting in iRedMail.
How about allowing "plain text" and STARTTLS on port 587 and disabling Auth on port 25? ... And if we talk about postscreen (future iRedMail release) port 25 can't be used anymore for submission.
Bad idea to enable plain text (on any port which may send/receive sensitive data). Why not force it to be secure (with STARTTLS) by default?
If you really need a port which allows plain text, add a new entry in /etc/postfix/master.cf with a non-standard port number and use it internally.
And you're right that we are going to enable postscreen on port 25 in the future, so port 25 will be used for server-to-server communication and not used for sending email by your users.
No STARTTLS for SMTP on port 25, and SSL/TLS socket connection on port 465 is deprecated, correct?
Again, with the current iRedMail release (v0.9.2), STARTTLS on port 25 is supported and enabled by default.
Port 465 - SMTP over SSL (not TLS or STARTTLS) - is deprecated and not enabled in iRedMail by default.
Secure communication between MTAs is still a dream because of incompatibility?
You can enable this, but you may face some incompatibility issues because some MTAs (not yours) don't support it, or don't properly/fully support it.
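
An added example, not part of the original thread and not iRedMail's own code: a small Python audit that reads main.cf and master.cf text and lists the smtpd services that would accept AUTH without TLS, which is what the 'smtpd_tls_auth_only' check and the extra master.cf listener discussed above come down to. The sample files and the 2525 listener are constructed; treating smtpd_tls_security_level=encrypt and smtpd_tls_wrappermode=yes as protective is an assumption of this example.

```python
import re

def _logical_lines(text):
    """Join continuation lines (leading whitespace); skip comments and blanks."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out

def parse_main_cf(text):
    """main.cf text -> {parameter: value}."""
    pairs = (l.partition("=") for l in _logical_lines(text))
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_master_cf(text):
    """master.cf text -> {service: overrides}; only the '-o name=value' form."""
    services = {}
    for entry in _logical_lines(text):
        fields = entry.split()
        if len(fields) >= 8 and fields[7] == "smtpd":
            services[fields[0]] = dict(re.findall(r"-o\s+(\w+)=(\S+)", entry))
    return services

def plaintext_auth_services(main_cf, master_cf):
    """Names of smtpd services that would accept AUTH without TLS."""
    main, risky = parse_main_cf(main_cf), []
    for name, overrides in parse_master_cf(master_cf).items():
        eff = {**main, **overrides}  # master.cf -o overrides main.cf
        protected = (eff.get("smtpd_tls_auth_only", "no") == "yes"
                     or eff.get("smtpd_tls_security_level") == "encrypt"
                     or eff.get("smtpd_tls_wrappermode", "no") == "yes")
        if eff.get("smtpd_sasl_auth_enable", "no") == "yes" and not protected:
            risky.append(name)
    return risky

# Constructed sample files; the 2525 listener is hypothetical.
MAIN_CF = "smtpd_sasl_auth_enable = yes\nsmtpd_tls_auth_only = yes\n"
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
2525       inet  n  -  n  -  -  smtpd
  -o smtpd_tls_auth_only=no
"""
print(plaintext_auth_services(MAIN_CF, MASTER_CF))
```

On a real server, pass the contents of /etc/postfix/main.cf and /etc/postfix/master.cf; any service name returned is a listener where credentials can cross the wire unencrypted.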