OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: gctwnl on November 25, 2022, 01:55:22 pm

Title: Basic question about port aliases
Post by: gctwnl on November 25, 2022, 01:55:22 pm
OPNsense newbie here (coming from EdgeOS)

Suppose I create a single port alias for both ports 25 and 587 (SMTP server). Can I simplify my rules by using this in both the destination port and the redirect target port?

I doubt this would work because
So both behaviours would require quite a bit of intelligence of the algorithm (though it is possible to have something like "if the port exists at both ends of the rule, leave the port as is"), and besides, the UI's wording ('range') suggests this doesn't work. But I thought I could always check, as it would make life a lot easier when setting things up.
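For reference, the rule the question is asking about, written at the pf level that OPNsense generates its NAT rules into. This is an added example, not from the thread and not a statement about what the OPNsense GUI's "Redirect target port" field accepts; the interface name and mail host address are placeholders.

```pf
# Constructed example (not from the thread). Assumes WAN interface em0 and an
# internal mail host at 192.168.1.25; both are placeholders.
ext_if    = "em0"
mail_host = "192.168.1.25"
smtp_ports = "{ 25, 587 }"

# One rdr rule covering both ports. When no port is given after the target
# address, pf keeps the original destination port, so 25 -> 25 and 587 -> 587.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port $smtp_ports -> $mail_host

# Contrast: a fixed redirect port sends both 25 and 587 to 2525 on the target.
# rdr pass on $ext_if inet proto tcp from any to ($ext_if) port $smtp_ports -> $mail_host port 2525
```

Check the syntax without loading it with `pfctl -nf <file>`; whether the GUI lets you leave the redirect port empty to get this behaviour is a separate question from what the underlying rule can express.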
Title: Re: Basic question about port aliases
Post by: phoenix on November 25, 2022, 03:23:36 pm
Port 25 is the default port for SMTP servers and Port 587 is the Submission port. I would suggest you leave them as two separate ports and you should also read this article: https://www.sparkpost.com/blog/what-smtp-port/
Title: Re: Basic question about port aliases
Post by: gctwnl on November 26, 2022, 11:41:13 am
OK, I was probably not clear in asking. I understand SMTP/submission. I was just wondering if OPNsense was smart enough to have a single NAT rule for both ports in one go, i.e. a NAT rule where the redirect port is something like 'same as destination port', or where a set of two ports can be mapped onto another set of two ports (array mapping).

Off topic:

Note, the article on SparkPost contains widespread outdated information on port 465. Port 465 is actually (as of 2018) again a designated port for secure submission. See https://datatracker.ietf.org/doc/html/rfc8314#section-3.3 and https://datatracker.ietf.org/doc/html/rfc8314#section-7.3

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#cite_note-tcp465-86:
TCP port 465 was originally assigned to allow the use of SMTP over SSL (SMTPS), but practical concerns meant that it was left unused and, according to the registration rules at that time, it was subsequently revoked and eventually re-assigned for use by Cisco's URD protocol. Subsequently, port 587 was assigned as the SMTP submission port, but was initially in plaintext, with encryption eventually provided years later by the STARTTLS extension. At the same time, the subsequent adoption of the usage of 465 as an SSL-enabled SMTP submission port, even though the original registration did not envision that usage and despite the fact that it was registered to another service, has endured. Subsequently, RFC 8314, in a special exemption to the normal assignment process as defined by RFC 6335, has acknowledged the de-facto situation and has designated SMTP over TLS as an 'alternate usage assignment'.

Basically that means that you might use 587 for 'voluntary STARTTLS' and 465 for 'enforced STARTTLS'.