
I am trying to configure Postfix so that it does not authenticate users on port 25, but only on port 587 with STARTTLS. I have tried many different configurations, but with no success so far.

main.cf:

    ...
    smtpd_sasl_auth_enable =yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    broken_sasl_auth_clients = yes
    smtpd_sasl_path = private/auth
    allow_mail_to_commands = alias
    allow_mail_to_files = alias

    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_helo_required = yes

    smtpd_sender_restrictions = permit_sasl_authenticated

    smtpd_recipient_restrictions =
      reject_non_fqdn_sender,
      reject_non_fqdn_helo_hostname,
      reject_unknown_recipient_domain,
      reject_non_fqdn_recipient,
      reject_invalid_hostname,
      permit_sasl_authenticated,
      reject_unauth_destination

    smtpd_use_tls = yes
    smtp_use_tls = yes
    #smtpd_tls_security_level = may
    #smtp_tls_security_level = encrypt

    smtpd_tls_auth_only = yes
    smtpd_tls_mandatory_protocols = !SSLv3, !SSLv2
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
    smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
    smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    tls_random_source = dev:/dev/urandom
    ...

master:

    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       n       -       -       smtpd
    #  -o smtp_sasl_auth_enable=yes
    submission inet n       -       n       -       -       smtpd
    #  -o content_filter=spamassassin
      -o smtpd_tls_security_level=encrypt
    #  user=spamd argv=/usr/local/bin/spamc -f -e /usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}
    #  -o smtpd_enforce_tls=yes
    #  -o syslog_name=postfix/submission
      -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       n       -       -       qmqpd
    pickup    unix  n       -       n       60      1       pickup
    ...

Maybe I am missing something. Thank you.

    I can understand wanting to mandate TLS - which is a good idea - but why do you care what port users do this on?
    – MadHatter
    Commented Jul 16, 2015 at 14:43
  • Can you explain the exact problem? "No success" is vague. Can you post the relevant maillog entries and any error messages?
    – masegaloeh
    Commented Jul 16, 2015 at 15:17
  • I have noticed that in Thunderbird's outgoing server settings, if I choose port 25 and security "none", the server accepts it without any problem. It works. All I want to do is to prevent that. Thank you for your time!
    – klimac
    Commented Jul 16, 2015 at 19:42


Add this in your master.cf:

submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  ...

And remove `smtpd_sasl_auth_enable = yes` from your main.cf, leaving the default of `no`. Settings in main.cf apply to every smtpd instance, including the one on port 25, so the only place to enable authentication is the per-service `-o` override on the submission service.

  • I have made those changes but still, I can send emails via port 25 and sec. none.
    – klimac
    Commented Jul 17, 2015 at 8:13
    Did you reload the postfix daemon? As this works for me, could you please post the current main.cf and master.cf after the change?
    – sebix
    Commented Jul 17, 2015 at 8:42
  • Won't port 465 still work with this config? Do we need to add something like -o smtpd_tls_security_level=none to smtp inet n - y - - smtpd?
    – TCB13
    Commented Feb 11, 2018 at 21:40
  • @TCB13 totally depends on what your main.cf looks like
    – sebix
    Commented Feb 15, 2018 at 11:14
  • @sebix my config is similar to the one at the OP.
    – TCB13
    Commented Feb 16, 2018 at 2:52

Please make the change below in master.conf: comment out the line `smtp inet n - n - - smtpd`.

Then add the following line: `587 inet n - n - - smtpd`

netstat -tulpan | grep -i master tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN 7168/master

    How is this any better than the already-accepted answer?
    – womble
    Commented Jul 26, 2018 at 0:05

In /etc/postfix/main.cf, add or change:

smtpd_tls_security_level = encrypt

This will ENFORCE the use of TLS: the Postfix SMTP server announces STARTTLS and accepts no mail without TLS encryption.

Then, in your /etc/postfix/master.cf, set the same parameter for port 587 (the submission port) as a per-service override:

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt

This requires TLS for all submission (port 587) connections.
