IMAP on a mailserver, at least 3 ports are usually opened
25 smtp: incoming emails from anybody (whole internet)
465 smtps: outgoing emails from authorized users (to the whole internet)
993 imap: IMAP for authorized users
I would like to configure postfix, so that authorized users can only send email through 465. By default this is not so. Users can also use STARTTLS over port 25. I would like to disable that.
My plan is to use port 25 for the public sending me email, and port 465 for my users (I can use the firewall to allow specific IP ranges, or use a custom port).
This would prevent port 25 from being exploited by brute-force attacks, where hackers try to guess user/password. Port 25 simply would not accept a user/password, even if it were valid. And since port 465 is restricted by the firewall, hackers cannot exploit 465 either.
Is this possible in Postfix?
I am using Postfix 2.9.6-2 on Debian Wheezy
The request does not follow best security practice because you disable TLS (encryption) on your main mail relay port, exposing data sent through that port to third-party listeners and/or in-flight modification. The answer below satisfies the request, but best practice requires STARTTLS for the port 25 connection as well.
The master.cf file (usually /etc/postfix/master.cf) controls the startup and configuration of specific Postfix services. A configuration like this in that file, according to the documentation, will do what you want:
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
This configuration turns off authentication and the STARTTLS option on port 25. It turns on the STARTTLS option on port 465, requires STARTTLS usage, enables authentication, and only allows clients to connect if authenticated.
You might also look into the smtpd_tls_wrappermode option to force true TLS connections (and not STARTTLS connections).
Note that this kind of configuration can make the Postfix configuration somewhat difficult to follow (options may be set in main.cf and then overridden in master.cf). The other option is to run multiple instances of Postfix, each with their own main.cf configuration files that specify these options.
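As an added check (not part of the question or the answer above), the script below parses master.cf-style entries, including the indented -o override lines, and reports when the per-service overrides that implement the port 25 / port 465 split are missing. The constructed sample uses the smtp and smtps service names from the answer; the smtpd_tls_wrappermode=yes line is an assumption following the answer's pointer to that option, and the checks insist on explicit per-service overrides precisely because main.cf may enable SASL globally.

```python
import re

# Constructed master.cf fragment (not from the page) mirroring the answer's split;
# the smtpd_tls_wrappermode line is an assumption based on the answer's hint.
MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def parse_master_cf(text: str) -> dict:
    """Map 'service/type' to its command plus its per-service -o overrides."""
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:  # "-o key=value" continuation line
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", raw)
            if m:
                services[current][m.group(1)] = m.group(2)
            continue
        fields = raw.split()  # service type private unpriv chroot wakeup maxproc command
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf line: {raw!r}")
        current = f"{fields[0]}/{fields[1]}"
        services[current] = {"command": fields[7]}
    return services

def audit_split(services: dict) -> list:
    """Findings where the 25/465 split is not enforced by explicit master.cf overrides."""
    findings = []
    pub = services.get("smtp/inet", {})
    if pub.get("smtpd_sasl_auth_enable") != "no":
        findings.append("smtp/inet: smtpd_sasl_auth_enable=no not set (AUTH may be offered on port 25)")
    sub = services.get("smtps/inet", {})
    if sub.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("smtps/inet: smtpd_sasl_auth_enable=yes not set")
    tls_ok = sub.get("smtpd_tls_security_level") == "encrypt" or sub.get("smtpd_tls_wrappermode") == "yes"
    if not tls_ok:
        findings.append("smtps/inet: TLS not mandatory (need security_level=encrypt or wrappermode=yes)")
    restr = sub.get("smtpd_client_restrictions", "").split(",")
    if restr[:1] != ["permit_sasl_authenticated"] or restr[-1] != "reject":
        findings.append("smtps/inet: client restrictions are not permit_sasl_authenticated,reject")
    return findings
```

Feed it the real file with `audit_split(parse_master_cf(open("/etc/postfix/master.cf").read()))`; an empty list means both services carry the expected overrides.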