securing postfix - smtp auth on port 587 only
rtg20
4th February 2008, 20:11
Hi everyone,
I have postfix running on an Ubuntu system, handling the e-mail for a handful of users. Currently I tell people to send e-mail using SMTP with authentication on port 587 with TLS enabled - which is what I want.
However the server also accepts mail on port 25 with authentication and no TLS. I want to change this so port 25 is used only for my server to receive mail from elsewhere (other servers). I want my users to be able to send on port 587 with TLS etc. ONLY.
Please can someone tell me how to do this? I think I need to tweak my master.cf but I'm not sure exactly how. Here it is:
#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - - - - smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
  -o fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
(there's some other non-Postfix stuff at the bottom but I don't think that's relevant).
thanks in advance for the help!
Richard
rtg20
5th February 2008, 18:36
Please can someone help me...? *please*...?
thanks!
swindmill
24th February 2008, 10:47
I am looking to do basically the same thing.
Anyone know if it is possible to have postfix listen on two ports with independent options?
topdog
24th February 2008, 12:58
Frankly I don't understand why one would want a setup like this; the reason STARTTLS was invented was so that port 25 could receive both normal unencrypted connections and also let clients do relaying with SMTP-AUTH over TLS encryption.
The proper setup for a mail server is to run only one port, with SMTP auth only advertised if your connection is TLS encrypted. Meaning when you issue a HELO to the server you will not see auth advertised. An EHLO will tell you to STARTTLS to gain access to SMTP-AUTH. Only after STARTTLS do you gain access to SMTP-AUTH.
swindmill
24th February 2008, 17:22
I'm personally not as worried about the TLS situation, but more so just looking to have postfix listen on a port in addition to 25 for smtp traffic, but to ONLY allow e-mail to be received on this port if the user has authenticated.
I use an external spam/virus filtering service and have my server firewalled to only allow incoming port 25 traffic from the service's servers.
I would like my users to utilize a separate port, but for this port to not become another means for spam to enter my server.
I'm not sure whether spammers in the wild are using alternative submission ports?
tonton01
25th February 2008, 04:41
Not sure if this helps rtg20, but maybe you might want to consider doing a gateway server.
-Your gateway will only receive on port 25 and checks your main server if the recipient exists before it relays to the main server. No other ports are open for entry on this server.
-Your users send through the main server on port 587.
Now your main server will only receive, and not authenticate, on port 25. Your gateway server has no users to authenticate for sasl.
Just a thought, not sure how your setup is. Hope this helps.
leto
18th June 2008, 03:24
Take a look at this site: http://dkimproxy.sourceforge.net/postfix-outbound-howto.html. It should help you a lot.
I used it to create a postfix server listening on ports 25 and 587 (submission). Port 25 is unsecured and non-forwarding, port 587 only accepts secured connections.
I needed this mostly for security. Quite a lot of companies block port 25 outgoing from their networks, so a standard has emerged for 587 as the secure smtp port. Hopefully those same companies will realise the need to leave that port open.
Ok, nitty gritty. You need to set up your postfix as normal, and then edit 'master.cf' with some customizations for each port. Here's mine:
smtp inet n - n - - smtpd -v
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_sender=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
The submission line might already be there. You just need to uncomment it and then add '-o' lines for each configuration setting that you want to override.
I'm sorry if this is a little late, as I only recently stumbled across this thread in my own search for an answer. Since I came across this thread, I presume that other people searching for an answer to this problem will also, so I will reply if not for you, then for the others.
Michael.
rtg20
18th June 2008, 17:29
Thanks for the reply. Unfortunately, I was unable to get your solution to work - my server still accepted mail for other domains on port 25.
Maybe the solution is to simply disable authentication on port 25..?
Here's my master.cf:
===
#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - - - - smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
  -o fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
===
I think I could improve this by dumping the 587 line at the end and putting those options on the submission line (I didn't know that submission was 587 when I set this up!) and also making the smtp and submission lines chrooted. However, I am still uncertain how to solve my problem.
swindmill, did you get it to work...?
Thanks,
Richard
leto
18th June 2008, 23:55
Here is my main.cf as well. I think I can identify more specifically what you need.
myhostname = ws1.node.example.com
mydomain = node.example.com
mynetworks = 127.0.0.1/32
mydestination = ws1.node.example.com localhost
inet_interfaces = ws1.node.example.com 127.0.0.1
virtual_alias_maps = hash:/vhosts/etc/postfix/virtual_alias_maps
virtual_gid_maps = hash:/vhosts/etc/postfix/virtual_gid_maps
virtual_uid_maps = hash:/vhosts/etc/postfix/virtual_uid_maps
virtual_mailbox_domains = hash:/vhosts/etc/postfix/virtual_mailbox_domains
virtual_mailbox_maps = hash:/vhosts/etc/postfix/virtual_mailbox_maps
virtual_mailbox_base = /vhosts/maildirs
smtpd_sender_login_maps = hash:/vhosts/etc/postfix/smtpd_sender_login_maps
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unauth_pipelining, reject_unauth_destination, reject_unknown_hostname, reject_unknown_sender_domain, reject_unknown_client, permit_auth_destination, check_policy_service unix:postgrey/socket, reject_rbl_client xbl.spamhaus.org, reject
And again for completeness, the relevant part of master.cf.
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_sender=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
Whether you are running virtual mailboxes or local, the key here is the line 'smtpd_recipient_restrictions'. There are lots of directives like that in postfix, and lots of advice you can read about which ones to use, but for a start stick to just this one. Learn about the rest later, here: http://www.postfix.org/SMTPD_ACCESS_README.html.
You can see that in main.cf I have 'smtpd_recipient_restrictions' set with things like 'reject_*' to reject messages that fail various checks, and I have 'permit_auth_destination' which allows locally delivered mail. Everything else is rejected. This is the baseline, nothing but locally deliverable mail.
Now we move on to 'master.cf'. Once you have your 'main.cf' right you could almost copy what I have (at your risk obviously). But again here the key is 'smtpd_recipient_restrictions', which is set to 'permit_mynetworks' so that local senders can forward mail (you may not want this), but more importantly 'permit_sasl_authenticated', which allows authenticated users. All other email is rejected. This overrides the setting in main.cf.
All in, this means that the standard SMTP service on port 25 will use the default setting of local delivery only, and the SMTP service on the submission port 587 will override the setting to only allow authenticated senders.
I hope this helps...
rtg20
20th June 2008, 06:35
Thanks for the reply; it didn't work: it didn't accept mail on 587. I didn't test the behaviour on 25.
I tried only changing main.cf (by adding the last two lines of your main.cf) and although the server responded on 587 it refused to accept the mail (relay access prohibited or something like that).
Fortunately I kept backups of my old config, and I think I managed to get it to work by changing master.cf thus:
smtp inet n - - - - smtpd
  -o smtpd_enforce_tls=no -o smtpd_sasl_auth_enable=no
(I added the options on the second line; compare with my previous post - no options were present before)
I have sent myself a bunch of test mails, including from hotmail.com; they all got through. Any comments...?
thanks,
Richard
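The point leto makes above (main.cf sets the site-wide default and each '-o' line in master.cf overrides it for one service only) and the fix Richard ended up with (turning SASL off on the 'smtp' line) can both be checked mechanically. The script below is an added example, not code from this thread or from Postfix: it parses main.cf and master.cf the way master(5) reads them (a line starting in column 0 opens a service entry; indented lines continue its argument list), merges the '-o' overrides over the main.cf defaults, and reports whether the port 25 service still offers AUTH, whether the submission service requires AUTH and TLS, and whether either could relay for non-local destinations. The two master.cf fragments inside it are constructed for illustration, modelled on the layouts posted here; it accepts both the older 'smtpd_enforce_tls'/'smtpd_tls_wrappermode' spelling and the newer 'smtpd_tls_security_level' spelling, since both appear in this thread.

```python
"""Audit which options each Postfix smtpd listener actually ends up with.

Added example (not from the thread or from Postfix). The configuration
fragments are constructed samples modelled on the ones posted above.
"""
import re

# Constructed main.cf fragment: site-wide defaults. As in Richard's main.cf,
# AUTH is enabled globally, so every smtpd service inherits it unless it
# overrides the setting itself.
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
"""

# Constructed master.cf fragment: the intended split. Port 25 switches AUTH
# off; submission forces TLS, enables AUTH and relays only for authenticated users.
MASTER_CF_GOOD = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
submission inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
pickup     fifo  n       -       -       60      1       pickup
"""

# Constructed master.cf fragment: the starting point from the first post,
# where port 25 silently inherits AUTH from main.cf and 587 does not force TLS.
MASTER_CF_BAD = """\
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
"""


def parse_main_cf(text):
    """Return {parameter: value} from 'key = value' lines, ignoring comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {"type", "command", "overrides"}} from master.cf text.

    A line beginning in column 0 opens a service entry (8 fields); a line
    beginning with whitespace continues the previous entry's arguments.
    An unindented '-o' line therefore never attaches to any service, which
    is why the continuation lines in the thread must be indented.
    """
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None:
                current["args"] += " " + raw.strip()
            continue
        fields = raw.split()
        if len(fields) < 8:
            current = None          # malformed entry; Postfix rejects these too
            continue
        current = {"type": fields[1], "command": fields[7],
                   "args": " ".join(fields[8:])}
        services[fields[0]] = current
    for svc in services.values():
        # '-o name=value' overrides main.cf for this one service only
        svc["overrides"] = dict(re.findall(r"-o\s+(\w+)=(\S*)", svc.pop("args")))
    return services


def effective_options(main_params, service):
    """main.cf defaults overlaid with the service's own '-o' overrides."""
    merged = dict(main_params)
    merged.update(service["overrides"])
    return merged


def audit(main_text, master_text):
    """Return {service: [finding, ...]} for every inet smtpd listener."""
    main_params = parse_main_cf(main_text)
    findings = {}
    for name, svc in parse_master_cf(master_text).items():
        if svc["command"] != "smtpd" or svc["type"] != "inet":
            continue
        opts = effective_options(main_params, svc)
        sasl = opts.get("smtpd_sasl_auth_enable", "no") == "yes"
        tls_forced = (opts.get("smtpd_enforce_tls") == "yes"
                      or opts.get("smtpd_tls_wrappermode") == "yes"
                      or opts.get("smtpd_tls_security_level") == "encrypt")
        restr = [r for r in re.split(r"[,\s]+",
                                     opts.get("smtpd_recipient_restrictions", "")) if r]
        relay_closed = "reject_unauth_destination" in restr or (restr and restr[-1] == "reject")
        problems = []
        if name == "smtp":  # the port 25 MX role: inbound only, no AUTH
            if sasl:
                problems.append("port 25 still offers SASL AUTH (inherited from main.cf)")
        else:               # submission, smtps, or a bare port such as 587
            if not sasl:
                problems.append("submission service does not enable SASL AUTH")
            if not tls_forced:
                problems.append("submission service does not require TLS")
            if "permit_sasl_authenticated" not in restr:
                problems.append("submission restrictions never permit authenticated users")
        if not relay_closed:
            problems.append("recipient restrictions never reject unauthorised relaying")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for label, master in (("good", MASTER_CF_GOOD), ("bad", MASTER_CF_BAD)):
        print(label, audit(MAIN_CF, master))
```

Run against a real installation by reading /etc/postfix/main.cf and /etc/postfix/master.cf into the two arguments; the 'bad' sample reproduces the two findings this thread is about (AUTH inherited on port 25, no TLS requirement on the submission port), and the 'good' sample produces none.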
rdtech
4th July 2008, 10:09
rtg20,
Can you post your full main.cf?
I want to setup port 587 for smtp without auth and tls
I'm having trouble with some people not being able to connect to smtp because ISP is blocking port 25.
Please help me out.
rtg20
4th July 2008, 19:23
Here you are...
I'm probably not the best person to ask for help though.
Why do you want 587 *without* auth and tls...?
Modern MUAs support that stuff and it is much more secure. Also, once your users have got it working, it's no extra work for them to use (compared with no auth or tls).
Richard
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = hairy.orang-utan.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = hairy.orang-utan.com, localhost.orang-utan.com, , localhost
relayhost =
mynetworks = 127.0.0.0/8
# mailbox_size_limit = 0
mailbox_size_limit = 209715200
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_application_name = smtpd
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_security_level = may
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = orang-utan.com
message_size_limit = 104857600
sender_bcc_maps = hash:/etc/postfix/sender_bcc
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
# reject_unknown_client_hostname = no
# default_process_limit = 200
# smtpd_peername_lookup = no
rdtech
4th July 2008, 20:08
rtg20
I meant the master.cf file but I got everything working now.
I'm still using auth and tls on port 587.
I just wanted to test something out, but it works well with auth and tls so I'm keeping it.
Thanks,
Paul