port 25 blocked

[parilo]

I'm trying to use Stalwart on VPS and my provider have blocked 25 port, is there any way to make MTA to MTA work? I don't want to use relays or external services because they will have access to the mail content (is it correct?)

[zatricky]

Port 25 is the only workable port for MTA-to-MTA smtp traffic. If your provider is blocking it and you insist you don't want relay/external service, then you need to ask them to unblock it or you need to move to another provider.

Port 465 (smtps) could in theory work for some mails - but that depends on a lot of factors. It assumes a) that Stalwart supports that in any way (doubt), b) that your provider isn't also blocking port 465, and c) that other MTAs ever bother with 465. Even assuming a) and b), the factor from c) means most mail will not be delivered anyway.

Port 587 is for authenticated smtp, which is for the mail client and not for MTA-to-MTA traffic. MTAs will never attempt to deliver via this port.

[pepa65]

If your provider has blocked port 25, they have most likely blocked your incoming port 25, to prevent you from running an open SMTP server that the whole internet could use to send mail. Apparently nowadays mail is supposed to be submitted to SMTP servers on port 587 (with STARTTLS), but I don't know how common that is. Another accepted practice is to submit on port 465 (TLS). Historically, port 2525 has emerged as a workaround for blocked ports 25, but I don't know if any MTA's still use it. It would be unencrypted (like port 25). If those ports are not blocked by your provider, you might receive mail, but not sure if you will receive all of it.

As you mentioned relay services, they would commonly be used by you to send mail, and are not affected by any block of incoming port 25. You would want to use outgoing port 587 (or 465) to submit mail to a relay service, or whatever they specify/require. As you cannot know what they run when receiving your submission, you should assume they are able to access the content of your mails.

[parilo]

They don't block incoming, so I can receive mail, I cannot send. I haven't found any way to change outgoing mail port in Stalwart from 25 to anything. Also I don't want to use relay since it gives access to my mail to the third party (I suppose the relay will have my mail unencrypted)

[pepa65]

I would expect you should be able to always send on 587, because that will use encryption. Most relays expect submission on port 587 or 465 and all common ones allow it. But you don't know what happens after a relay has received your mail -- mostly it should be fine (I use a sending relay myself), but they really could access your content...

[zatricky]

At first I thought OP was trying to figure out incoming mail on a custom port - but now I see it is for outbound mail.

Port 587 is for authenticated mail submission only. Mail submission is where an email application like Thunderbird submits mail to your mail server that you have credentials for. If the recipient is on a remote domain, the mail server will then act as an MTA by forwarding the mail on to the receiving MX servers which are listening for connections on port 25.

The fact that port 587 typically enforces encryption does not mean the mail will be accepted without credentials.

MX servers (MTAs) will not accept incoming mail on that port without authentication. Many MX servers only listen on 25 and do not support authentication at all, acting only as antispam filters that forward the mail internally. If you happen to customise your MTA to accept these mails, that doesn't help the scenario that OP wants to send mail to other domains where they simply reject the unauthenticated attempts.