AutoFix POP3 and SMTP Port / TLS Settings

What is the MailMan.AutoFix property?

Protocols that sit atop SSL/TLS in the protocol stack, such as POP3, SMTP, FTP, and IMAP, can establish TLS connections in one of two ways: explicit or implicit.

Implicit SSL/TLS means that immediately after the TCP connection is established, it is implicitly known that client and server will begin with the TLS handshake.

Explicit SSL/TLS means that after the TCP connection is established, the higher-level protocol conversation (such as POP3 or SMTP) begins on the unprotected TCP connection. The SSL/TLS connection is established when the client sends the protocol-specific command to convert the connection to SSL/TLS. For SMTP, the command is “STARTTLS”. For POP3, the command is “STLS”.

There are customary ports (de facto standards) for each protocol that define whether the connection behavior should be no security (i.e. plain TCP), implicit TLS, or explicit TLS.

For example, the standard SMTP ports are:

  • SMTP port 25 – No protection, but also capable of explicit TLS if server has the “STARTTLS” capability.
  • SMTP port 587 – Explicit TLS
  • SMTP port 465 – Implicit TLS

The standard POP3 ports are:

  • POP3 port 110 – No protection or explicit TLS.
  • POP3 port 995 – Implicit TLS

If a server listens on a non-standard port, then we can’t infer anything about the connection behavior.

If your system administrator configures a mail server that behaves differently, such as expecting implicit TLS on port 587, then he’s just making life difficult for everybody and incorrectly thinks that somehow he’s increasing the security of the system by being sneaky.

The MailMan.AutoFix property exists to automatically correct user mistakes in the MailMan properties that control the connection behavior.

For example, if MailMan.SmtpPort = 587, then MailMan.StartTLS should be True, and MailMan.SmtpSsl should be False, because the convention for port 587 is to initially connect with plain TCP and then send a STARTTLS command to convert to TLS.

AutoFix will automatically fix the StartTLS and SmtpSsl properties based on the port number.  (It will not automatically fix to make a connection insecure — i.e. to automatically set both StartTLS and SmtpSsl to False.)

Likewise for POP3.
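
The port-based correction described above can be sketched as a pre-flight check. This is an added example, not Chilkat's implementation: the names TlsFlags, CONVENTION, mode_of and autofix are hypothetical, and two behaviours are assumptions the page does not state (an implicit-TLS setting on port 25 or 110 is converted to explicit TLS, and when both flags are set the implicit flag is taken as the user's intent).

```python
from typing import NamedTuple

class TlsFlags(NamedTuple):
    start_tls: bool  # explicit TLS (STARTTLS / STLS), modelled on MailMan.StartTLS
    ssl: bool        # implicit TLS, modelled on MailMan.SmtpSsl

# Customary ports from the text, with the connection modes each one allows.
CONVENTION = {
    ("smtp", 25): {"plain", "explicit"},
    ("smtp", 587): {"explicit"},
    ("smtp", 465): {"implicit"},
    ("pop3", 110): {"plain", "explicit"},
    ("pop3", 995): {"implicit"},
}

def mode_of(flags: TlsFlags) -> str:
    """Collapse the two booleans into one mode (assumption: ssl wins if both are set)."""
    if flags.ssl:
        return "implicit"
    return "explicit" if flags.start_tls else "plain"

def autofix(protocol: str, port: int, flags: TlsFlags) -> TlsFlags:
    """Return flags that agree with the port convention, never removing TLS."""
    allowed = CONVENTION.get((protocol.lower(), port))
    if allowed is None:
        return flags  # non-standard port: nothing can be inferred, leave as set
    mode = mode_of(flags)
    if mode not in allowed:
        # Move to the TLS mode this port conventionally uses. "plain" is never
        # chosen here, so a fix cannot make a connection insecure.
        mode = "implicit" if "implicit" in allowed else "explicit"
    return TlsFlags(start_tls=(mode == "explicit"), ssl=(mode == "implicit"))

if __name__ == "__main__":
    # Constructed sample settings, each a common misconfiguration.
    samples = [
        ("smtp", 587, TlsFlags(False, True)),   # implicit TLS requested on 587
        ("smtp", 465, TlsFlags(True, False)),   # STARTTLS requested on 465
        ("pop3", 995, TlsFlags(False, False)),  # no TLS requested on 995
        ("smtp", 2525, TlsFlags(False, True)),  # non-standard port
    ]
    for proto, port, flags in samples:
        print(proto, port, flags, "->", autofix(proto, port, flags))
```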