SMTP Authentication
During a conversation with the ShmooGroup I wrote up this explanation of the various options for providing SSL or authentication to SMTP services. Currently there are three "official" ways of doing this:
- SMTPS
Lives on port 465 and only supports SMTP over SSL connections. I typically provide this on my mail servers via inetd/stunnel as a way to get around providers who block port 25 to stop spammers. I don't worry about SmtpAuth because as of yet the spammers haven't discovered this (note: if you are setting up a server I don't recommend this as I have a feeling this easy option is about to end). However, assuming you have an SMTP daemon listening on port 25, you can set this up with a one-liner in /etc/inetd.conf:
ssmtp stream tcp nowait root /usr/sbin/stunnel stunnel -n smtp -r localhost:smtp
- STARTTLS
Works on port 25 as an extension to the SMTP protocol. It allows SMTP clients to negotiate an encrypted session by issuing the STARTTLS command at the beginning of a normal SMTP session. This was the "right" way to do it until providers started blocking port 25 willy-nilly as a way of blocking spammers.
- MSA/SUBMISSION
The new "right" way is to use the MSA (Mail Submission Agent?) on port 587, and most modern MTAs support it out of the box. MSA is an attempt to separate client-to-server SMTP from server-to-server SMTP. In the new model clients should only talk to servers via port 587 with STARTTLS/SmtpAuth support. This leaves port 25 relegated to server-to-server communications. The advantage of this is that port 25 can have fascist restrictions on who it will send mail for.
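To check that a server actually follows the port 25 / port 587 split described above, you can compare the EHLO replies it gives before and after STARTTLS. The following is an added example, not part of the original write-up: the function names, the sample replies and the policy it enforces (no AUTH before TLS, AUTH required on 587 after TLS, no AUTH on 25) are assumptions made for illustration.

```python
import re

def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply."""
    ext = {}
    for line in reply.strip().splitlines()[1:]:  # line 1 is the server's domain greeting
        # Accept both "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" form.
        m = re.match(r"250[- ]([A-Za-z0-9][A-Za-z0-9-]*)[ =]?(.*)", line.strip())
        if m:
            ext[m.group(1).upper()] = m.group(2).split()
    return ext

def audit(port, pre_tls, post_tls=None):
    """List deviations from the assumed policy for a listener on `port`.
    pre_tls / post_tls are EHLO replies captured before and after STARTTLS."""
    before = parse_ehlo(pre_tls)
    after = parse_ehlo(post_tls) if post_tls else {}
    findings = []
    if "STARTTLS" not in before:
        findings.append("no STARTTLS offered")
    if "AUTH" in before:  # credentials could be sent in cleartext
        findings.append("AUTH offered before TLS: " + ",".join(before["AUTH"]))
    if port == 587 and post_tls is not None and "AUTH" not in after:
        findings.append("submission port offers no AUTH after TLS")
    if port == 25 and "AUTH" in after:  # clients belong on 587 in this model
        findings.append("AUTH offered on relay port 25")
    return findings

# Constructed EHLO replies (not captured from a real server).
GOOD_587_PRE = """250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""
GOOD_587_POST = """250-mail.example.test
250-PIPELINING
250-AUTH PLAIN LOGIN
250 8BITMIME"""
WEAK_587_PRE = """250-mail.example.test
250-AUTH=LOGIN PLAIN
250 8BITMIME"""

if __name__ == "__main__":
    for name, args in [("good 587", (587, GOOD_587_PRE, GOOD_587_POST)),
                       ("weak 587", (587, WEAK_587_PRE))]:
        print(name, audit(*args) or "ok")
```

The replies can be captured by hand with any client that shows the EHLO response before and after the TLS upgrade.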