Re: port 25 465 and 587 confusion.

[Muhammad Yousuf Khan]

@Peter

> Right, you really should not be allowing submission on port 25 at all.
>
>
> and is this segregation is a good thought of mine or practical?
>
> Yes
>
> > isn't 465 is useless and can i close this if yes then how?
>
> That depends on if you have users that have very old versions of Outlook
> which don't support STARTTLS.  In this case you should encourage or even
> require them to upgrade to a newer email client, but in case you can't
> do that then you might have to support port 465 for them.
>
> You close it by commenting out the smtps section in master.cf.
>
>
in light of your above suggestions. i enabled

smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

main.cf, i enabled "smtpd_tls_security_level=encrypt"  (i know master.cf
entry will override but i set encryption in both files)

by disabling smtps. i disabled the 465 port. and also forced submission by
this line " submission inet n       -       -       -       -       smtpd"

however my clients can still submit emails on port 25. and also on 587
port. both work the same.
 can you please guide?





@Sebastion Nielsen
>IMHO I find it better to only allow submission from trusted nets. Better
to disable authentication completely, and completely >disable mail
submission ("relaying") from the "outside".
>Thus closing 587 completely.
>465 can be good to allow old (or misconfigured) SMTPS servers to send
incoming mail to you.


Thanks its a good idea i will also read and try to implement this in
separate environment though i think this approach is applicable when you
know your client IPs. if they are dynamic and can be anywhere thoughout the
word it is a headache to note down and allow all the IP. i think simple TLS
may do the job. i could be wrong but i am very new to mailing thing and
this is the point which makeing me stop doing it.