@VioletDragon said in HAProxy / Lets Encrypt / Postfix - Dovecot:
That's not true. SMTP 465 is deprecated. Should use 587 Submission.
If I read this: "What SMTP port should be used? Port 25 or 587?" and compare that with the very first phrase from RFC 8314, stating the very obvious (is it?), "Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access", I see a conflict.
Port 587 is initiated using clear text.
Port 465 is TLS (formerly known as SSL) from byte 0.
So: in 2024, we have to go back to a partially 'clear' message exchange? I'm not sure about that ^^
Example: I hope to shut down, in the near future, all "port 80" ports for all my web servers. It will become "port 443" only. Non-pure HTTPS (TLS) traffic for web servers is dead.
(OK, I agree, maybe not this decade yet ^^)
But this isn't really an issue, as mails dropped from our mail clients (people I know) onto our mail server are not really a "public Internet thing". I, as an admin, can decide how mails get dropped by the MUA as I see fit.
This port can't be used by the 'public', only by the known mail clients, the ones that have an account == a mail address + password with this mail server.
My own opinion is: everything goes TLS these days, "no more 'in the clear' text streams".
(The major exception is DNS resolving, as our 13 main DNS root servers still "don't do TLS" [for understandable $$$$ reasons].)
Btw, Submission 587 dates from somewhere in the last century, and 465, using SSL and now TLS, is far more recent. IMHO: more logical to use.
I still expose port 587 as a 'mail drop' entry point on my mail server, but STARTTLS is mandatory; it has to be asserted by the client, if not: no access. So why even initiate this clear-text initial handshake? I went 100 % TLS == port 465, all the way, right from the start.
The only thing that needs to be 100 % RFC compliant is port 25: I still (have to) accept clear (non-TLS) mails, as some mail servers don't do TLS, or have their setup wrong. Working with certificates is still not mainstream knowledge these days.
I also send, once in a while, clear mails, as the destination doesn't accept 'TLS' - also strange.
Btw: my mail server is hosted on a dedicated bare-bones iron case, somewhere in a data center in Paris. It has its own pool of IPv4 and IPv6 (for all my individual domain names) and it's not behind a firewall worth mentioning.
That said: ip(4/6)tables is used by fail2ban to keep the mail/web/etc. abusers out of the door for a while.
I started this server using Debian Lenny, way, way in the past. Debian 11.9 Bullseye today (I know, I should upgrade).
I'm not a proxy user either, as I don't have to hide several hosts (domains) behind one IP over a single upstream connection.
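As an added illustration (not the poster's own configuration), this Postfix master.cf excerpt expresses the three policies described in the post: opportunistic TLS on port 25 (cleartext still accepted), mandatory STARTTLS on 587 with authentication only allowed after TLS is up, and implicit TLS from byte 0 on 465. The syslog_name values and the client restriction lists are assumptions; the smtpd_tls_* and smtpd_sasl_* parameters are standard Postfix settings.

```text
# /etc/postfix/master.cf (excerpt, added example)
# service   type  private unpriv  chroot  wakeup  maxproc command + args
# Port 25: inbound MX traffic. "may" = offer STARTTLS, but accept
# cleartext from peers that do not (or cannot) negotiate TLS.
smtp        inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may

# Port 587: STARTTLS is mandatory. A client that does not issue
# STARTTLS gets no further than EHLO; AUTH is not even advertised
# before the session is encrypted (smtpd_tls_auth_only).
submission  inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Port 465: implicit TLS ("wrapper mode"), no cleartext handshake at
# all. Only authenticated clients may submit mail.
smtps       inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After a reload, `postfix check` and a look at the postfix/submission and postfix/smtps entries in the mail log confirm that each listener applies its own policy.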