Порт 587 (SMTP Submission)

Port 587 (TCP) is the standard port for SMTP Submission, as defined in RFC 8314. It is used by Message Submission Agents (MSAs) to accept email from mail clients for relaying to an email server. Unlike port 25 (SMTP), which is primarily used for server-to-server email transfer, port 587 is specifically designed for client-to-server communication. This differentiation allows for stricter authentication and encryption policies to be enforced, mitigating spam and other email-based threats. Historically, port 25 was often used for both client submission and server relay, but the rise of spam necessitated a separation of roles, leading to the adoption of port 587. The protocol used on port 587 is SMTP, but it mandates the use of Message Submission, typically requiring authentication via protocols such as STARTTLS followed by SASL (Simple Authentication and Security Layer) mechanisms like PLAIN, LOGIN, or CRAM-MD5. This ensures that only authorized users can submit mail through the server.

At a technical level, when a mail client wants to send an email, it connects to the MSA on port 587. The MSA then initiates a TLS handshake using STARTTLS to establish an encrypted connection. Following successful encryption, the client authenticates using SASL, providing credentials to prove its identity. Once authenticated, the client can then send the email message to the MSA using the standard SMTP protocol verbs (MAIL FROM, RCPT TO, DATA). The MSA then relays the message to the appropriate destination mail server, either directly or through other mail relay servers. This process ensures that outgoing email is properly authenticated and encrypted, preventing unauthorized access and tampering.

## Firewall Recommendations

Port 587 should be allowed for outbound connections from internal mail clients to the organization's mail server(s). For inbound connections, port 587 should only be allowed from authorized networks or clients that require direct submission to the mail server (e.g., remote users). It is crucial to block port 587 for inbound connections from untrusted networks to prevent unauthorized email submission. Best practices include implementing strong authentication mechanisms (e.g., SASL with strong passwords or certificate-based authentication), enforcing TLS encryption with strong ciphers, and regularly updating the mail server software to patch security vulnerabilities. Rate limiting can also be implemented to prevent abuse and denial-of-service attacks. Consider using a dedicated mail gateway to filter and scan outgoing email for spam and malware.