From: "Peter Moylan"
Subject: Re: [eCS-ISP] stunnel 5.58 help
To: eCS ISP Mailing List
Message-ID: <6502C2BB.8080807@pmoylan.org>
Date: Thu, 14 Sep 2023 18:22:19 +1000

On 14/09/23 17:33, Massimo S. wrote:
>
>
> On 14/09/2023 03:21, Steven Levine wrote:
>> In , on 09/13/23
>> at 08:46 PM, "Massimo S." said:
>>
>> Hi,
>>
>>> i don't want to buy a certificate SSL
>>
>> There's always Let's Encrypt. The only downside is they expire
>> relatively quickly so you need to refresh the script more often
>> than a purchased script.
>
> i use LE on apache, but a cert. that expires each 3 months doesn't put
> thunderbird or other mail clients (outlook, smartphones etc.) out of
> work?
> i mean the user doesn't receive new mails and has to do something to
> accept the new cert.?
>
>>> should i use IJ fw to port fwd the 587 to something like 33333 :) do i
>>> will always reach 587 port from the inside LAN here?
>>
>> I'm not sure I understand how you envision your setup or the full
>> scope of your problem. The users are going to submit via 587. Are you
>> saying you want to port forward to 33333 internally and have Weasel
>> listen to 33333? That can work, but what's the downside of passing
>> port 587 through to the server running the weasel instance?
>>
>> Steven
>
> no, i don't want to expose port 587 to the world
> i want to use another "strange" port like 33333, 44444, 55555 etc.
>
> in about 20 years that i manage servers over the internet i've learned
> that moving ports reduces the possibilities of hackers' attacks
>

If you set up your mail server to accept mail on port 33333, that will work, but only if you tell all your clients to change their mail programs to use that port. Most probably, at least half of them won't know how to do that, so you'd have to go around configuring their software for them. You probably won't want to do that.

If instead you keep accepting mail on port 587, you could do some internal juggling, e.g. with Injoy, to switch that to a different port inside the server, but there's no advantage in doing that, because you are again exposing port 587 to the world.

The bottom line is that you must make port 587 visible to your clients, and once you do that then hackers can also get to that port, unless you do something unusual like putting all of your clients on a VPN.

-- 
Peter Moylan http://www.pmoylan.org
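
The "internal juggling" case from the reply above, as an added example that is not part of the original message: a forwarder on a public port relays to a service on a different internal port, and a probe of either port gets the same greeting and reply. Assumptions: ephemeral loopback ports stand in for 587 and 33333, and the banner and hostnames are constructed.

```python
import socket
import threading

BANNER = b"220 mail.example.test ESMTP\r\n"   # constructed greeting

def serve(handler):
    """Listen on an ephemeral loopback port; run handler(conn) per client."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def mail_service(conn):
    """Stand-in for the mail server on its internal port (e.g. 33333)."""
    with conn, conn.makefile("rb") as rd:
        conn.sendall(BANNER)
        if rd.readline().upper().startswith(b"EHLO"):
            conn.sendall(b"250 mail.example.test\r\n")

def pump(src, dst):
    """Copy bytes one way until src closes, then pass the close on to dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def forwarder(internal_port):
    """Stand-in for the firewall rule: public port (e.g. 587) to internal port."""
    def handler(conn):
        with conn, socket.create_connection(("127.0.0.1", internal_port)) as up:
            t = threading.Thread(target=pump, args=(conn, up), daemon=True)
            t.start()
            pump(up, conn)
            t.join()
    return handler

def probe(port):
    """What any host that can reach `port` sees: greeting and EHLO reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s, \
            s.makefile("rb") as rd:
        banner = rd.readline()
        s.sendall(b"EHLO probe.example.test\r\n")
        return banner, rd.readline()

def demo():
    internal = serve(mail_service)
    public = serve(forwarder(internal))
    return probe(internal), probe(public)

if __name__ == "__main__":
    print(demo())
```
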