
Which ports are used for which purpose specifically in email communication?


I understand that there are several options to choose from when using an e-mail server. E.g. 25 and 587 for opt-in encryption and 465 for enforced encryption.

docker-mailserver, a popular docker mailserver container describes ports 587, 465, 143 and 993 specifically as submission and retrieval ports. The actual server to server communication is apparently established using port 25 on both sides. Is this a common implementation?

My understanding until now was, that the actual communication (for outgoing emails) is done over port 587 or 465.

Encouraged by the exposed-port explanation of the above-mentioned container, I now figured that the whole retrieval, submission and transfer process works (extremely simplified) like this:

Use port 25, 465 or 587 to send email from client to transmitting mailserver.

The transmitting mailserver sends the email over port 25 to the recipient's mailserver.

The recipient then receives the email on port 143 or 993 from his/her mailserver (assumed IMAP/s is used) and shows it accordingly in his/her mail client.

Is this correct? If so, is it even possible to send emails from a mailserver whose ISP blocked port 25 that users of common mail services like GMail, Yahoo etc. can receive?


Solution

  • This is more of a network administration question, than a programming question, so may be considered off topic. That being said:

    The SMTP protocol is used for two different, but similar purposes: Message Submission, and Message Transmission.

    Message Submission is done by an MSA, Message Submission Agent, generally on behalf of an end user, but perhaps on behalf of a script or process. Traditionally, these are clients like Thunderbird, Apple Mail, or the email client on your phone. In modern practice, this is generally done authenticated (with user credentials) and encrypted on ports 465 or 587.

    • Port 465, SMTPS (smtp-secure, by analogy with https) is technically deprecated, but widely used. It is used for SMTP over TLS, where the connection is encrypted immediately upon connecting until termination.
    • Port 587, submission is generally used with STARTTLS, where the connection is first made unencrypted, but upgraded shortly thereafter using a special command.

    Both these ports generally accept mail from a user with credentials, for any destination, and will hold and relay these for the user. For example, if you connect to smtp.gmail.com on port 465 or 587, and authenticate as [email protected], it will allow you to submit email for anyone, as long as it is from [email protected].

    Message Transmission is done by an MTA, Message Transmission Agent, generally on behalf of all the users of a site or service. Relaying is done between sites on port 25, with opt-in STARTTLS encryption. Authentication is not generally done, but there is a complicated system of reputation tracking, firewalls, and blacklists generally used behind the scenes. Usually only mail for a specific site is accepted on this port. For example, if you connect to one of gmail.com's MX servers (for example, gmail-smtp-in.l.google.com as of this writing) on port 25, and it thinks you are a trustworthy IP, it will accept mail from anyone to any gmail address (subject to further scanning). It will refuse to relay to anyone offsite.

    Message Retrieval is generally done by IMAP on ports 143 (with STARTTLS) or 993 (with TLS from connection). This is a pull service used by an end-user (generally) to retrieve emails being held by an MTA on their behalf. POP3 is also used (on 110 and 995) by some sites, but it is a much less capable protocol.

    Traditionally, submission and transmission were both done on port 25 without authentication, but that's a no-go on the modern internet. It was split into transmission and submission so network resources could be better controlled. As you may have discovered, many ISPs and cloud services restrict port 25 so end-users cannot act as transmitters without their consent, and so relaying happens either through their servers or some other service that will take responsibility.

    Thus, through this model, gmail users can generally only submit via gmail's submission server, and other users must submit through their service's server, and spammers can't just set up a server anywhere to transmit messages to gmail. If they do and their ISP hasn't firewalled it, their reputation will shortly be trashed and they will be placed on many blacklists.

    Additionally, a lot of this doesn't even happen over the traditional protocols anymore. If you use Google services and clients, you will likely be using a custom protocol tunneled over HTTPS, or the public GMAIL REST protocol. If you're using Microsoft, they have no less than 3 email protocols: Exchange ActiveSync, Exchange Web Services, and Microsoft Graph/Outlook MAIL Rest API, all using HTTPS.
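Added example, not code from the original question or answer: a small Python submission client that applies the distinction the answer draws between port 465 (TLS from the first byte) and port 587 (plaintext connect, then STARTTLS), always authenticates, verifies the server certificate, and refuses to fall back to cleartext. Host, credentials and message content are the caller's inputs; port 25 is rejected on purpose because it is the unauthenticated server-to-server relay port, not a client submission port.

```python
import smtplib
import ssl
from email.message import EmailMessage

IMPLICIT_TLS = "implicit-tls"   # port 465: encrypted immediately on connect
STARTTLS = "starttls"           # port 587: plaintext hello, then upgrade


def tls_mode_for_submission(port: int) -> str:
    """Map a submission port to the TLS behaviour the MSA is expected to use."""
    if port == 465:
        return IMPLICIT_TLS
    if port == 587:
        return STARTTLS
    # Port 25 is MTA-to-MTA relaying with optional STARTTLS and no user auth;
    # a client with credentials should never be pointed at it.
    raise ValueError(f"port {port} is not a client submission port (use 465 or 587)")


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Construct a plain-text message to hand to the submission server."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def submit(host: str, port: int, username: str, password: str,
           msg: EmailMessage, timeout: float = 30.0) -> dict:
    """Submit msg through an authenticated MSA; returns smtplib's refused-recipients dict."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    mode = tls_mode_for_submission(port)
    if mode == IMPLICIT_TLS:
        client = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:
        client = smtplib.SMTP(host, port, timeout=timeout)
        client.ehlo()
        if not client.has_extn("starttls"):
            # Fail closed: credentials must never cross the wire in clear.
            client.quit()
            raise RuntimeError("server offers no STARTTLS; refusing to authenticate")
        client.starttls(context=ctx)
        client.ehlo()  # re-issue EHLO after the upgrade; the extension list may change
    with client:
        client.login(username, password)
        return client.send_message(msg)
```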