Postfix: disable authentication through port 25

When using Postfix and IMAP on a mailserver, at least 3 ports are usually opened

25 smtp   : incoming emails from anybody (whole internet)
465 smtps : outgoing emails from authorized users (to the whole intenet)
993 imap  : imap for authorized users

I would like to configure postfix, so that authorized users can only send email through 465. By default this is not so. Users can also use STARTTLS over port 25. I would like to disable that.

My plan is to use port 25 for the public sending me email

use port 465 for my users (I can use firewall to allow specific IP ranges, or use custom port)

This would prevent port 25 being exploitable from brute force attacks, where hackers try to guess user/password. Port 25 simply would not accept user/password, even if it were valid. And since port 465 is restricted by firewall, hackers cannot exploit 465 either.

Is this possible in Postfix?

I am using Postfix 2.9.6-2 on Debian Wheezy

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

WARNING:
The request does not follow best security practice because you disable TLS (encryption) on your main mail relay port, exposing data sent through that port to third-party listeners and/or in-flight modification. The answer below satisfies the request, but best practice requires STARTTLS for the port 25 connection as well.

The master.cf file (usually /etc/postfix/master.cf) controls the startup and configuration of specific Postfix services. A configuration like this in that file, according to the documentation, will do what you want:

smtp  inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no

smtps inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

This configuration turns off authentication and the STARTTLS option on port 25. It turns on the STARTTLS option on port 465, requires STARTTLS usage, enables authentication, and only allows clients to connect if authenticated.

You might also look into the smtpd_tls_wrappermode option to force true TLS connections (and not STARTTLS connections).

Note that this kind of configuration can make the Postfix configuration somewhat difficult to follow (options may be set in main.cf and then overridden in master.cf). The other option is to run multiple instances of Postfix, each with their own main.cf configuration files that specify these options.


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments