-
I just went through the process of migrating my email to Cloudron and discovered a number of doc issues, feedback, and possible improvements. Most are small but thought I'd share.
-
The docs say port 25 is required. Given 587 is used for SMTP(STARTTLS), can 25 be safely blocked inbound if we don't want to allow clients to connect to it?
-
The Security Doc incorrectly states IMAPS as being on 443 under "cloud firewall".
-
The security docs also claim SMTP(25/587) require authentication. I have noticed disabling login on an email client still allows connection. Is this how it's supposed to be, or should this reject any unauthenticated connection attempt? What I haven't checked is if it allows sending; I'm assuming it blocks sending as stated?
-
SMTP via TLS: STARTTLS can be encrypted but theoretically not guaranteed. SMTP via TLS requires encryption and encrypts the entire conversation as opposed to starting in plain text. It'd be nice if SMTP via TLS was supported on port 465.
-
RFC-6186: defines SRV DNS records for mail service discovery. It would be nice if Cloudron created relevant SRV records for its email services.
Thanks for the good work Cloudron team.
-
-
25 is required for receiving email from other servers, definitely important.
-
@moonmeister said in Email Thoughts:
> The docs say port 25 is required. Given 587 is used for SMTP(STARTTLS), can 25 be safely blocked inbound if we don't want to allow clients to connect to it?
Port 25 is primarily used for server to server communication (AKA submission port) 587 is primarily used for clients.
> SMTP via TLS: STARTTLS can be encrypted but theoretically not guaranteed. SMTP via TLS requires encryption and encrypts the entire conversation as opposed to starting in plain text. It'd be nice if SMTP via TLS was supported on port 465.
Yes, using SSL/TLS on 465 would be ideal and is an excellent point to bring up.
> The security docs also claim SMTP(25/587) require authentication. I have noticed disabling login on an email client still allows connection.
Yes, the connection can be made; however, if you attempt to send an email, it will fail saying "550 - Authentication required" (or something along those lines). Also note, this is NORMAL behavior.
> RFC-6186: defines SRV DNS records for mail service discovery. It would be nice if Cloudron created relevant SRV records for its email services.
I agree, this would be VERY nice to have. You can, however, create most of these on your own too if you would like them right now. SRV records in this instance do not require any configuration on the server to be able to use them with clients (with the exception of a couple of records for autoconfig, which will require server-side configuration).
> The Security Doc incorrectly states IMAPS as being on 443 under "cloud firewall".
Though you are correct, 443 is not the port used here (993 is), technically speaking, any port can be used for this TCP connection (though would need to be manually configured in Dovecot). Note: 993 is the default port for IMAPS.
I hope this helps answer some of the questions you had! Welcome to the Cloudron community!
-
My point of the 443 port issue was so y'all could fix the docs. I have manually set up SRV records, that's why I thought it'd be nice to automatically set them up. Also, I meant to put this under discussion, not sure how it ended up in support. Thanks.
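Added example, not part of any post in this thread and not Cloudron code: the RFC 6186 SRV records discussed above, built for the two ports the thread names (587 submission, 993 IMAPS), together with the selection a mail client performs on them. The host `my.example.com`, the domain `example.com`, the TTL and the choice to mark POP3 as unavailable are assumptions; port 465 is left out because the thread says it is not supported.

```python
from __future__ import annotations
from typing import NamedTuple

class Srv(NamedTuple):
    service: str   # RFC 6186 label such as "_imaps"
    priority: int  # lower value is preferred
    weight: int
    port: int
    target: str    # "." means the service is not available (RFC 2782)

def build_records(mail_host: str) -> list[Srv]:
    """Publish only the TLS-capable services; mark the rest unavailable."""
    host = mail_host.rstrip(".") + "."
    return [
        Srv("_submission", 0, 1, 587, host),  # SMTP submission, STARTTLS
        Srv("_imaps", 0, 1, 993, host),       # IMAP over TLS
        Srv("_imap", 0, 0, 0, "."),           # no cleartext-start IMAP
        Srv("_pop3", 0, 0, 0, "."),           # assumption: POP3 not offered
        Srv("_pop3s", 0, 0, 0, "."),          # assumption: POP3S not offered
    ]

def zone_lines(domain: str, records: list[Srv], ttl: int = 3600) -> list[str]:
    """Render the records as zone-file lines to paste into a DNS provider."""
    return [
        f"{r.service}._tcp.{domain}. {ttl} IN SRV "
        f"{r.priority} {r.weight} {r.port} {r.target}"
        for r in records
    ]

def pick(records: list[Srv], services: set[str]) -> tuple[str, int] | None:
    """What a client does: skip "." targets, take the lowest priority value.
    Ties go to the highest weight (RFC 2782 uses a weighted random pick)."""
    usable = [r for r in records if r.service in services and r.target != "."]
    if not usable:
        return None
    best = min(usable, key=lambda r: (r.priority, -r.weight))
    return best.target.rstrip("."), best.port

if __name__ == "__main__":
    recs = build_records("my.example.com")  # constructed host name
    print("\n".join(zone_lines("example.com", recs)))
    print("mail store:", pick(recs, {"_imap", "_imaps"}))
    print("submission:", pick(recs, {"_submission"}))
```

Publishing `.` as the target for the services that are not offered tells a discovering client they are unavailable, so it has no advertised cleartext endpoint to fall back to.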