Port 25 is looking good for me too! Thanks.
I looked into TLS briefly. My understanding is that a typical expectation for mail servers is:
- port 25: try to upgrade via STARTTLS; server decides whether non-upgraded sessions are allowed
- port 465: SMTP over TLS
- port 587: like port 25, but require TLS upgrading
The port 465 standard does seem like it could work if the port was available: I set up a TLS handler on another port and got mail through with `swaks --tls-sni myapp.fly.dev --tlsc ...`. That flag was only recently added to swaks, though, so I have no idea how common it is for mail clients to actually do SNI.
Ports 25 and 587 seem like they would work if I managed certs myself. Conceptually it seems simple to have something periodically write certs to a Fly secret, but I'm fuzzy on the details. Doing an ACME HTTP challenge from my app on Fly seems hairy, since I'd need to serve SMTP and HTTP from one image, right? Or maybe I could run something externally that uses a DNS challenge? Access to the raw TLS certs via the Fly API would also solve this, I think.
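To make the three port behaviours concrete, here is an added example (not code from the post above, swaks, or Fly) that models them as an SMTP command/reply state machine: port 25 offers STARTTLS but accepts mail either way, port 587 offers STARTTLS and refuses MAIL FROM until the session is upgraded, and port 465 is encrypted before the first SMTP byte so STARTTLS is never advertised. It also shows why SNI matters: certificate selection is keyed on the name the client sends, and a client that sends none can only ever get the default certificate. The hostnames and certificate labels are made up, and the "handshake" just flips a flag instead of running real TLS.

```python
# Added example, not code from the original post: an in-memory model of the
# three SMTP listener policies (25 opportunistic STARTTLS, 587 STARTTLS
# required before mail, 465 implicit TLS) plus SNI-keyed certificate selection.
# Hostnames and certificate labels below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

OPPORTUNISTIC = "opportunistic"  # port 25: offer STARTTLS, accept mail either way
REQUIRED = "required"            # port 587: offer STARTTLS, refuse mail until upgraded
IMPLICIT = "implicit"            # port 465: TLS from the first byte, no STARTTLS verb

PORT_POLICY = {25: OPPORTUNISTIC, 587: REQUIRED, 465: IMPLICIT}

# Hypothetical certificate store keyed by the name the client sends in SNI.
CERTS = {
    "myapp.fly.dev": "cert:myapp.fly.dev",
    "mail.example.test": "cert:mail.example.test",
}
DEFAULT_CERT = CERTS["mail.example.test"]


def select_certificate(sni: Optional[str]) -> str:
    """Pick the certificate for a handshake. A client that sends no SNI
    (the worry about older mail clients) can only ever get the default."""
    if sni is None:
        return DEFAULT_CERT
    return CERTS.get(sni.lower(), DEFAULT_CERT)


@dataclass
class SmtpSession:
    port: int
    sni: Optional[str] = None    # name the client would send in its ClientHello
    tls: bool = False            # True once the transport is encrypted
    cert: Optional[str] = None   # certificate presented in the handshake
    ehlo: Optional[str] = None   # EHLO argument; cleared when TLS starts

    def __post_init__(self) -> None:
        self.policy = PORT_POLICY[self.port]
        if self.policy == IMPLICIT:
            # On 465 the handshake precedes the greeting: the session is
            # already encrypted when the first SMTP command arrives.
            self.tls = True
            self.cert = select_certificate(self.sni)

    def handle(self, line: str) -> List[str]:
        """Process one client command and return the server's reply line(s)."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.ehlo = arg
            caps = ["250-mail.example.test"]
            # STARTTLS is advertised only on a cleartext session that can upgrade.
            if self.policy != IMPLICIT and not self.tls:
                caps.append("250-STARTTLS")
            caps.append("250 8BITMIME")
            return caps
        if verb == "STARTTLS":
            if self.tls:
                return ["503 5.5.1 TLS already active"]
            if self.ehlo is None:
                return ["503 5.5.1 Send EHLO first"]
            # A real server would hand the socket to its TLS stack here; the
            # model only records the outcome of that handshake.
            self.tls = True
            self.cert = select_certificate(self.sni)
            self.ehlo = None  # RFC 3207: EHLO state is discarded after STARTTLS
            return ["220 2.0.0 Ready to start TLS"]
        if verb == "MAIL":
            if self.ehlo is None:
                return ["503 5.5.1 Send EHLO first"]
            if self.policy == REQUIRED and not self.tls:
                # Reply text as given in RFC 3207 section 4.2.
                return ["530 5.7.0 Must issue a STARTTLS command first"]
            return ["250 2.1.0 Ok"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["502 5.5.2 Command not implemented"]


def run(port: int, commands: List[str], sni: Optional[str] = None) -> List[Tuple[str, str]]:
    """Drive one session and return (command, final reply code) pairs."""
    session = SmtpSession(port=port, sni=sni)
    log = []
    for cmd in commands:
        replies = session.handle(cmd)
        log.append((cmd, replies[-1].split()[0]))
    return log


if __name__ == "__main__":
    cleartext = ["EHLO client", "MAIL FROM:<a@example.test>", "QUIT"]
    upgraded = ["EHLO client", "STARTTLS", "EHLO client", "MAIL FROM:<a@example.test>", "QUIT"]
    for port, cmds in ((25, cleartext), (587, cleartext), (587, upgraded), (465, cleartext)):
        print(port, run(port, cmds, sni="myapp.fly.dev"))
```

Running it shows the same client script succeeding on 25, being refused with 530 on 587 until it issues STARTTLS and re-sends EHLO, and getting a 503 from 465 if it tries STARTTLS on an already-encrypted session. Swapping `sni="myapp.fly.dev"` for `sni=None` shows the fallback to the default certificate, which is what a non-SNI client would be handed on a host serving several names.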