As far as port 465, see,RFC8314
Based on this RFC, both ports 465 and 587 are valid ports for an SMTP mail submission agent (MSA).
Port 465 requires negotiation of TLS/SSL at connection setup and port 587 uses STARTTLS if one chooses to negotiate TLS.
The IANA registry has been updated to allow legitimate use of port 465 for this purpose.
For an SMTP mail relay, only port 25 is used so STARTTLS is the only way to do TLS with mail relay.
@kyekiller , you should consider trying this setting (set to false) if you are going to use port 465:
DISCOURSE_SMTP_ENABLE_START_TLS: false
Commenting it out will probably not help much, since directly from the Discourse container files, the default for this setting is true; so commenting out this line, it will still be set to true:
#DISCOURSE_SMTP_ENABLE_START_TLS: true # (optional, default true)
HTH
See also (from RFC):
When a TCP connection is established for the “submissions” service (default port 465), a TLS handshake begins immediately. Clients MUST implement the certificate validation mechanism described in [RFC7817]. Once the TLS session is established, Message Submission protocol data [RFC6409] is exchanged as TLS application data for the remainder of the TCP connection. (Note: The “submissions” service name is defined in Section 7.3 of this document and follows the usual convention that the name of a service layered on top of Implicit TLS consists of the name of the service as used without TLS, with an “s” appended.) The STARTTLS mechanism on port 587 is relatively widely deployed due to the situation with port 465 (discussed in Section 7.3). This differs from IMAP and POP services where Implicit TLS is more widely deployed on servers than STARTTLS. It is desirable to migrate core protocols used by MUA software to Implicit TLS over time, for consistency as well as for the additional reasons discussed in Appendix A. However, to maximize the use of encryption for submission, it is desirable to support both mechanisms for Message Submission over TLS for a transition period of several years. As a result, clients and servers SHOULD implement both STARTTLS on port 587 and Implicit TLS on port 465 for this transition period. Note that there is no significant difference between the security properties of STARTTLS on port 587 and Implicit TLS on port 465 if the implementations are correct and if both the client and the server are configured to require successful negotiation of TLS prior to Message Submission.
Note, there are two TLS related default settings from the Discourse defaults:
# smtp authentication mechanism
smtp_authentication = plain
# enable TLS encryption for smtp connections
smtp_enable_start_tls = true
# mode for verifying smtp server certificates
# to disable, set to 'none'
smtp_openssl_verify_mode =
# force implicit TLS as per RFC 8314 3.3
smtp_force_tls = false
See also: