Topic: Basic question about port aliases (Read 1391 times)
gctwnl
Jr. Member
Posts: 60
Karma: 0
Basic question about port aliases « on: November 25, 2022, 01:55:22 pm »
OPNsense newbie here (coming from EdgeOS).
Suppose I create a single port alias for both ports 25 and 587 (smtp server). Can I simplify my rules by using this in both destination port and redirect target port?
I doubt this would work because:
- a destination port range from 25,587 to 25,587 is weird
- a redirect target port range of 25,587 looks ambiguous
So both behaviours would require quite a bit of intelligence (though it is possible to have something like "if the port exists at both ends of the rule, leave port as is") of the algorithm, and besides, the UI's wording ('range') suggests this doesn't work. But I thought I can always check, as it would make life a lot easier when setting things up.
phoenix
Hero Member
Posts: 545
Karma: 58
Re: Basic question about port aliases « Reply #1 on: November 25, 2022, 03:23:36 pm »
Port 25 is the default port for SMTP servers and Port 587 is the Submission port. I would suggest you leave them as two separate ports and you should also read this article:
https://www.sparkpost.com/blog/what-smtp-port/
Regards
Bill
gctwnl
Jr. Member
Posts: 60
Karma: 0
Re: Basic question about port aliases « Reply #2 on: November 26, 2022, 11:41:13 am »
OK, I was probably not clear in asking. I understand smtp/submission. I was just wondering if OPNsense was smart enough to have a single NAT rule for both ports in one go. I.e. a NAT rule where the redirect port is something like 'same as destination port' or where a set of two ports can be mapped to another set of two ports (array mapping).
Off topic:
Note, the article on sparkpost contains wide-spread outdated information on port 465. Port 465 is actually (per 2018) again a designated port for secure submission. See https://datatracker.ietf.org/doc/html/rfc8314#section-3.3 and https://datatracker.ietf.org/doc/html/rfc8314#section-7.3
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#cite_note-tcp465-86 :
TCP port 465 was originally assigned to allow the use of SMTP over SSL (SMTPS), but practical concerns meant that it was left unused and according to the registration rules at that time was subsequently revoked and eventually re-assigned for use by Cisco's URD protocol. Subsequently, port 587 was assigned as the SMTP submission port, but was initially in plaintext, with encryption eventually provided years later by the STARTTLS extension. At the same time, the subsequent adoption of the usage of 465 as an SSL-enabled SMTP submission port, even though that the original registration did not envision that usage and despite the fact that it was registered to another service has endured. Subsequently, RFC 8314, in a special exemption to the normal assignment process as defined by RFC 6335, has acknowledged the de-facto situation and has designated SMTP over TLS as an 'alternate usage assignment'.
Basically that means that you might use 587 for 'voluntary TLSSTART' and 465 for 'enforced TLSSTART'.