Closes: #40995

service/email.md

@@ -11,14 +11,16 @@ In general, you can configure your email client with the following
 SMTP settings:
 
  * Server name: `submission.torproject.org`
- * Port: `587`
- * Connection security: `STARTTLS`
+ * Port: `465`
+ * Connection security: `TLS`
  * Authentication method: `Normal password`
  * User Name: your LDAP username **without** the `@torproject.org`
    part, e.g. in my case it is `anarcat`
  * Password: LDAP email password set on the [LDAP dashboard](https://db.torproject.org/update.cgi)
 
-`TLS` connection security, on port `465` is supported and encouraged.
+If your client fails to connect in the above configuration, try
+`STARTTLS` security on port `587` which is often open when port 465 is
+blocked.
 
 ## Setting an email password
 
@@ -46,13 +48,15 @@ settings", "Outgoing Server (SMTP)". Then click add and fill the form
 with:
 
  * Server name: `submission.torproject.org`
- * Port: `587`
- * Connection security: `STARTTLS`
+ * Port: `465`
+ * Connection security: `TLS`
  * Authentication method: `Normal password`
  * User Name: (your LDAP username, e.g. in my case it is `anarcat`,
  **without** the `@torproject.org` part)
 
-`TLS` connection security, on port `465` is supported and encouraged.
+If your client fails to connect in the above configuration, try
+`STARTTLS` security on port `587` which is often open when port 465 is
+blocked.
 
 Then you can set that account as the default by hitting the "Set
 default" button, if only your `torproject.org` identity is configured
@@ -87,13 +91,15 @@ from", and this will necessarily lead to delivery problems.
  
  3. If it is, select “Server Settings”
 
-    * For `Server Port`, put `587`
+    * For `Server Port`, put `465`
     * Select `Use Secure Socket Layer (SSL)`
     * Set `Authentication` to `Password`
     * Now, enter your correct user name and your correct password.
     * Select `OK`.
 
-`TLS` connection security, on port `465` is supported and encouraged.
+If your client fails to connect in the above configuration, try
+`STARTTLS` security on port `587` which is often open when port 465 is
+blocked.
 
 ## Gmail configuration
 
@@ -124,7 +130,7 @@ a new address from scratch, the process will be a little different.
 
     - Select "Send through torproject.org SMTP servers".
     - Set "SMTP Server:" to "submission.torproject.org"
-    - Set "Port:" to 587.
+    - Set "Port:" to 465.
     - Set "Username:" to your username (_without_ "@torproject.org").
     - Set "Password:" to the email submission password that you configured.
     - Select "Use TLS", not "Use SSL".
@@ -179,7 +185,7 @@ This is how dgoulet configured his client:
     auth on
     protocol smtp
     tls on
-    port 587
+    port 465
 
     # Account: dgoulet@torproject.org
     account torproject
@@ -290,7 +296,7 @@ smarthost_torproject:
 ```
 smtp_torproject:
   driver = smtp
-  port = 587
+  port = 465
   return_path = USERNAME@torproject.org
   hosts_require_auth = *
   hosts_require_tls = *
@@ -700,7 +706,7 @@ line like this:
 Those domains are glued together in DNS with:
 
     submission              IN      CNAME   submit-01
-    _submission._tcp        IN      SRV     0 1 587 submission
+    _submission._tcp        IN      SRV     0 1 465 submission
 
 This implies there is only *one* `submission.torproject.org`, because
 one cannot have multiple `CNAME` records, of course. But it should
@@ -738,11 +744,13 @@ patches to ud-ldap which were sent (and mostly accepted) upstream.
 
 ## Services
 
-The "submission" port (587) is used in the documentation by default
-because it is typically *less* blocked by ISP firewalls than the
-"smtps" port (465), but both are supported. The TLS server is
-authenticated using the regular Let's Encrypt CA (see [TLS
-documentation](howto/tls)).
+The "submission" port (587) was previously used in the documentation
+by default because it is typically *less* blocked by ISP firewalls
+than the "smtps" port (465), but both are supported. Lately, the
+documentation has been changed for suggest port 465 first instead.
+
+The TLS server is authenticated using the regular Let's Encrypt CA
+(see [TLS documentation](howto/tls)).
 
 ## Storage