Tools/email and ports

In https://wiki.mikrotik.com/wiki/Manual:Tools/email

there is a note

If start-tls=tls-only, port 465 will be used

either the note is left over from a previous circumstance or it is not RFC compliant

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
https://tools.ietf.org/html/rfc8314#section-7.3

https://www.mailgun.com/blog/which-smtp-port-understanding-ports-25-465-587/
https://sendgrid.com/blog/whats-the-difference-between-ports-465-and-587/

effectively making RouterOS a legacy system, which should default to 587.

If Mikrotik would like to deviate from this default then such a separate setting should be implemented; it is up to the client (RouterOS) to refuse using a non-established TLS connection on port 587 if tls-only is checked.

When a “/tool e-mail set port” is not defined and “/tool e-mail send” is attempted, there is no communication even attempted to the email server defined for “/tool e-mail send server”; however, an error message of “error connecting to server (6)” is still given, so Mikrotik doesn’t seem to default to any port. When any “/tool e-mail set port” is defined it works, but then the port mentioned in the note for start-tls=“tls-only” is overridden by the value in “/tool e-mail get port”.

In addition to this, the Send Email tool (/tool e-mail send) in Winbox has only a TLS checkbox (not a pulldown with no, tls-only, yes), which doesn’t indicate which configuration is attempted (implies tls-only). Especially as, if /tool e-mail set start-tls=“no” and your “/tool e-mail send” TLS is checked, it will still send the email without TLS.
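Added example, not part of the original thread and not MikroTik's code: a minimal Python submission client showing the behaviour the post asks for, where tls-only on port 587 refuses to send unless STARTTLS is available, while "yes" silently falls back to plaintext. The names `plan`, `send` and `TLSRequired` are hypothetical; treating port 465 as implicit TLS follows RFC 8314, and the three start-tls values are the ones named in the post.

```python
import smtplib
import ssl


class TLSRequired(Exception):
    """Raised when policy demands TLS but the server offers none."""


def plan(start_tls, port, extensions):
    """Pick the transport for a submission attempt (pure, testable offline).

    start_tls:  "no", "yes" or "tls-only" (values from the thread).
    extensions: lowercase ESMTP keywords the server advertised in EHLO.
    """
    if start_tls not in ("no", "yes", "tls-only"):
        raise ValueError("unknown start-tls value: %r" % start_tls)
    if port == 465:
        # Implicit TLS: the handshake precedes any SMTP command,
        # so there is no STARTTLS advertisement to strip.
        return "implicit-tls"
    if start_tls == "no":
        return "plaintext"
    if "starttls" in extensions:
        return "starttls"
    if start_tls == "tls-only":
        # Missing STARTTLS may be a stripped advertisement: fail closed.
        raise TLSRequired("server did not offer STARTTLS on port %d" % port)
    return "plaintext"  # "yes" is opportunistic and can be downgraded


def send(host, port, start_tls, sender, recipient, message, timeout=10):
    """Send one message, enforcing the policy chosen by plan()."""
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    if port == 465:
        conn = smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout)
    else:
        conn = smtplib.SMTP(host, port, timeout=timeout)
    with conn:
        conn.ehlo()
        mode = plan(start_tls, port, set(conn.esmtp_features))
        if mode == "starttls":
            conn.starttls(context=ctx)  # raises before anything is sent in clear
            conn.ehlo()                 # capabilities must be re-read after TLS
        conn.sendmail(sender, recipient, message)
    return mode
```
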

All I know is it works fine with my ISP provider??
My ISP provider requires 465 by the way.
Also my settings are start TLS=tls only

Yes, they are receiving email; they have to because of ignorant customers, accepting legacy setups. The difference is Mikrotik is sending and has no reason to default to a legacy port which the user can override if needed.

Ignorance goes both ways.

You have to be quite a bit more specific. Technically 465 would explicitly be a TLS-only port so you’re not actually bringing anything to the table.

So all you are saying is that 465 is no longer to be used for SMTP and one should use 587.
However I fail to see how this makes email traffic any more or less secure because that is what I care about more than some organization telling me what I can and cannot use ports for LOL.
If 587 was magically more secure then you would have a point. Since the ISP controls the traffic flow and they have deemed 465 to be used, who am I to say anything different.
More to the point, if I use port 587 I won't be able to send mail, so I see your point but cannot follow your advice.