On Thu, 26 Mar 2026 12:03:48 +0100 Patrick Ben Koetter via Postfix-users <[email protected]> wrote:
> There's no AUTH. Your server also should not show AUTH.

$ telnet smtp1.example.com 25
Trying 10.0.5.51...
Connected to smtp1.example.com.
Escape character is '^]'.
220 vmsrv-node1.home.lan ESMTP Postfix
EHLO [email protected]
250-vmsrv-node1.home.lan
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
QUIT
221 2.0.0 Bye

It looks like there is no AUTH, but for some reason I can still submit mail on port 25 in some cases. There are two cases I'm testing:

1. When sending from [email protected] to [email protected] and this domain is in virtual_mailbox_domains, then MUA submission on port 25 is permitted. Is this normal and is there a way to disable submission completely for port 25 and only use this port for mail relay?

2. When sending from @example.com to @gmail.com, then MUA submission fails with "relay access denied". So in this context, does "relay" refer to submission and how does Postfix differentiate between MTAs and MUAs? I want to stop MUAs from using port 25 completely, since I have a different set of options and restrictions for submission.

As requested by Victor, below are the extra details:

# postconf -nf
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 60s
compatibility_level = 3.8
default_destination_concurrency_limit = 10
default_process_limit = 100
disable_vrfy_command = yes
mua_client_restrictions =
mua_data_restrictions =
mua_end_of_data_restrictions =
mua_helo_restrictions =
mua_recipient_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain permit_sasl_authenticated reject
mua_relay_restrictions = permit_sasl_authenticated reject
mua_sender_restrictions = reject_sender_login_mismatch
mydestination = $myhostname localhost.$mydomain localhost
mydomain = home.lan
mynetworks = 127.0.0.0/8 [::1]/128
mynetworks_style = host
myorigin = $myhostname
parent_domain_matches_subdomains = smtpd_access_maps
postscreen_access_list = permit_mynetworks
    cidr:/etc/postfix/postscreen_access_list
postscreen_denylist_action = drop
postscreen_greet_action = drop
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?{2}:{6}}s
relay_domains =
smtpd_client_restrictions = permit_mynetworks
    reject_unknown_reverse_client_hostname check_client_access
    hash:/etc/postfix/smtpd_client_access
smtpd_data_restrictions = reject_multi_recipient_bounce
smtpd_delay_reject = yes
smtpd_end_of_data_restrictions = check_policy_service
    unix:private/dovecot-quota-status
smtpd_etrn_restrictions = permit_mynetworks reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_pipelining
    reject_non_fqdn_recipient reject_unknown_recipient_domain
    reject_unverified_recipient
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_maps
smtpd_sender_restrictions = permit_mynetworks reject_non_fqdn_sender
    reject_unknown_sender_domain
smtputf8_enable = no
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport_maps $virtual_mailbox_domains
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
virtual_transport = lmtp

# postconf -Mf
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/dovecot-auth
    -o broken_sasl_auth_clients=yes
    -o syslog_name=postfix/submission
    -o milter_macro_daemon_name=ORIGINATING
    -o local_header_rewrite_clients=static:all
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_helo_restrictions=$mua_helo_restrictions
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o smtpd_recipient_restrictions=$mua_recipient_restrictions
    -o smtpd_data_restrictions=$mua_data_restrictions
    -o smtpd_end_of_data_restrictions=$mua_end_of_data_restrictions
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o syslog_name=postfix/$service_name
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd

# cat virtual_mailbox_domains
# This file is shared between Postfix virtual_mailbox_domains and transport_maps
example.com :unix:private/dovecot-lmtp

# cat postscreen_access_list
#192.168.0.1 permit
#192.168.0.0/16 reject

# cat smtpd_client_access
#10.0.5.52 PERMIT

# Mail log when sending to @example.com
<mail.info>Mar 26 11:25:29 vmsrv-node1 postfix/postscreen[5221]: CONNECT from [10.0.0.6]:35424 to [10.0.5.51]:25
<mail.info>Mar 26 11:25:29 vmsrv-node1 postfix/postscreen[5221]: PASS OLD [10.0.0.6]:35424
<mail.info>Mar 26 11:25:29 vmsrv-node1 postfix/smtpd[2870]: connect from rp4-8g.home.lan[10.0.0.6]
<mail.info>Mar 26 11:25:29 vmsrv-node1 postfix/cleanup[2856]: 20423DF2DC: message-id=<[email protected]>
<mail.info>Mar 26 11:25:29 vmsrv-node1 postfix/qmgr[3000]: 20423DF2DC: from=<[email protected]>, size=270, nrcpt=1 (queue active)
<mail.err>Mar 26 11:25:29 vmsrv-node1 dovecot: lmtp(4794): Error: SSL context initialization failed, disabling SSL: Couldn't initialize SSL server context: Can't load SSL certificate (ssl_server_cert_file setting): The certificate is empty
<mail.info>Mar 26 11:25:29 vmsrv-node1 dovecot: lmtp(4794): Connect from local
<mail.info>Mar 26 11:25:29 vmsrv-node1 dovecot: lmtp(4794): Disconnect from local: Logged out (state=READY)
<mail.info>Mar 26 11:25:29 vmsrv-node1 postfix/lmtp[5114]: 20423DF2DC: to=<[email protected]>, relay=vmsrv-node1.home.lan[private/dovecot-lmtp], delay=0.05, delays=0/0.01/0.02/0.02, dsn=2.1.5, status=deliverable (250 2.1.5 OK)
<mail.info>Mar 26 11:25:29 vmsrv-node1 postfix/qmgr[3000]: 20423DF2DC: removed
<mail.info>Mar 26 11:25:32 vmsrv-node1 postfix/smtpd[2870]: 1E551DF2DC: client=rp4-8g.home.lan[10.0.0.6]
<mail.info>Mar 26 11:25:32 vmsrv-node1 postfix/cleanup[2856]: 1E551DF2DC: message-id=<[email protected]>
<mail.info>Mar 26 11:25:32 vmsrv-node1 postfix/qmgr[3000]: 1E551DF2DC: from=<[email protected]>, size=558, nrcpt=1 (queue active)
<mail.info>Mar 26 11:25:32 vmsrv-node1 postfix/smtpd[2870]: disconnect from rp4-8g.home.lan[10.0.0.6] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
<mail.err>Mar 26 11:25:32 vmsrv-node1 dovecot: lmtp(3524): Error: SSL context initialization failed, disabling SSL: Couldn't initialize SSL server context: Can't load SSL certificate (ssl_server_cert_file setting): The certificate is empty
<mail.info>Mar 26 11:25:32 vmsrv-node1 dovecot: lmtp(3524): Connect from local
<mail.info>Mar 26 11:25:32 vmsrv-node1 dovecot: lmtp([email protected])<3524><aP2hFawXxWnEDQAAhMKA4g>: msgid=<[email protected]>: saved mail to INBOX
<mail.info>Mar 26 11:25:32 vmsrv-node1 postfix/lmtp[5114]: 1E551DF2DC: to=<[email protected]>, relay=vmsrv-node1.home.lan[private/dovecot-lmtp], delay=3.3, delays=3.2/0/0.04/0.02, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> aP2hFawXxWnEDQAAhMKA4g Saved)
<mail.info>Mar 26 11:25:32 vmsrv-node1 postfix/qmgr[3000]: 1E551DF2DC: removed
<mail.info>Mar 26 11:25:32 vmsrv-node1 dovecot: lmtp(3524): Disconnect from local: Logged out (state=READY)
<mail.info>Mar 26 11:25:32 vmsrv-node1 dovecot: imap-login: Logged in: user=<[email protected]>, method=PLAIN, rip=10.0.0.6, lip=10.0.5.51, mpid=4641, session=<OxR6pOtNcuwKAAAG>

# Mail log when sending to @gmail.com
<mail.info>Mar 26 11:52:31 vmsrv-node1 postfix/anvil[3263]: statistics: max connection rate 1/60s for (submission:10.0.0.6) at Mar 26 11:47:33
<mail.info>Mar 26 11:52:31 vmsrv-node1 postfix/anvil[3263]: statistics: max connection count 1 for (submission:10.0.0.6) at Mar 26 11:47:33
<mail.info>Mar 26 11:52:31 vmsrv-node1 postfix/anvil[3263]: statistics: max cache size 1 at Mar 26 11:47:33
<mail.info>Mar 26 11:52:38 vmsrv-node1 postfix/postscreen[5733]: cache btree:/var/db/postfix/postscreen_cache full cleanup: retained=0 dropped=0 entries
<mail.info>Mar 26 11:52:38 vmsrv-node1 postfix/postscreen[5733]: CONNECT from [10.0.0.6]:42130 to [10.0.5.51]:25
<mail.info>Mar 26 11:52:44 vmsrv-node1 postfix/postscreen[5733]: PASS NEW [10.0.0.6]:42130
<mail.info>Mar 26 11:52:44 vmsrv-node1 postfix/smtpd[3762]: connect from rp4-8g.home.lan[10.0.0.6]
<mail.info>Mar 26 11:52:44 vmsrv-node1 postfix/smtpd[3762]: NOQUEUE: reject: RCPT from rp4-8g.home.lan[10.0.0.6]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<rp4-8g.home.lan>

_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
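
The two port-25 outcomes in the message above follow from the posted smtpd_relay_restrictions, modelled here in Python as an added example (not part of the original message and not Postfix code): reject_unauth_destination looks only at the recipient domain, never at whether the client is an MUA or an MTA. The myhostname value (taken from the 220 banner) and the recipient addresses are assumptions, and the destination check is simplified to exact domain matches.

```python
import ipaddress

# Values from the posted `postconf -nf` output. myhostname is not in that
# output; it is assumed here from the 220 banner.
MYNETWORKS = ["127.0.0.0/8", "::1/128"]
MYDESTINATION = {"vmsrv-node1.home.lan", "localhost.home.lan", "localhost"}
VIRTUAL_MAILBOX_DOMAINS = {"example.com"}
RELAY_DOMAINS = set()  # relay_domains is empty

PORT25_RELAY = ["permit_mynetworks", "reject_unauth_destination"]
SUBMISSION_RELAY = ["permit_sasl_authenticated", "reject"]  # mua_relay_restrictions


def in_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in MYNETWORKS)


def authorized_destination(rcpt):
    # Simplified: exact domain match only; virtual_alias_domains,
    # inet_interfaces and proxy_interfaces are left out.
    domain = rcpt.rsplit("@", 1)[1].lower()
    return domain in MYDESTINATION | VIRTUAL_MAILBOX_DOMAINS | RELAY_DOMAINS


def relay_decision(restrictions, client_ip, rcpt, sasl_authenticated=False):
    """Return (action, restriction). 'dunno' means nothing in this list
    decided and Postfix moves on to smtpd_recipient_restrictions."""
    for name in restrictions:
        if name == "permit_mynetworks" and in_mynetworks(client_ip):
            return ("permit", name)
        if name == "permit_sasl_authenticated" and sasl_authenticated:
            return ("permit", name)
        if name == "reject_unauth_destination" and not authorized_destination(rcpt):
            return ("reject", name)  # logged as "554 5.7.1 ... Relay access denied"
        if name == "reject":
            return ("reject", name)
    return ("dunno", None)


if __name__ == "__main__":
    client = "10.0.0.6"  # client address from the posted logs
    # Recipient addresses are constructed; the originals are redacted.
    for label, rules, rcpt, auth in [
        ("port 25, local domain", PORT25_RELAY, "user@example.com", False),
        ("port 25, remote domain", PORT25_RELAY, "someone@gmail.com", False),
        ("submission, no AUTH", SUBMISSION_RELAY, "someone@gmail.com", False),
        ("submission, AUTH ok", SUBMISSION_RELAY, "someone@gmail.com", True),
    ]:
        print(f"{label:24} -> {relay_decision(rules, client, rcpt, auth)}")
```
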
