@Peter

> Right, you really should not be allowing submission on port 25 at all.
>
> > and is this segregation is a good thought of mine or practical?
>
> Yes
>
> > isn't 465 is useless and can i close this if yes then how?
>
> That depends on if you have users that have very old versions of Outlook which don't support STARTTLS. In this case you should encourage or even require them to upgrade to a newer email client, but in case you can't do that then you might have to support port 465 for them.
>
> You close it by commenting out the smtps section in master.cf.

In light of your above suggestions, I enabled:

```
smtp       inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
```

In main.cf, I enabled "smtpd_tls_security_level=encrypt" (I know the master.cf entry will override, but I set encryption in both files). By disabling smtps, I disabled the 465 port, and also forced submission by this line "submission inet n - - - - smtpd". However, my clients can still submit emails on port 25, and also on port 587. Both work the same. Can you please guide?

@Sebastian Nielsen

> IMHO I find it better to only allow submission from trusted nets. Better to disable authentication completely, and completely disable mail submission ("relaying") from the "outside".
> Thus closing 587 completely.
> 465 can be good to allow old (or misconfigured) SMTPS servers to send incoming mail to you.

Thanks, it's a good idea. I will also read and try to implement this in a separate environment, though I think this approach is applicable when you know your client IPs. If they are dynamic and can be anywhere throughout the world, it is a headache to note down and allow all the IPs. I think simple TLS may do the job. I could be wrong, but I am very new to this mailing thing and this is the point which is making me stop doing it.
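The symptom in the post (clients can still authenticate and submit on port 25 even though only the `submission` entry carries `-o smtpd_sasl_auth_enable=yes`) is worth checking mechanically rather than by eye. In Postfix, a `-o` override in master.cf applies only to the service it is attached to; the plain `smtp` listener on port 25 has no overrides and therefore runs with whatever main.cf says, so a global `smtpd_sasl_auth_enable = yes` in main.cf turns port 25 into a submission port as well. The script below is an added example written for this page, not the poster's configuration or anything shipped with Postfix: it parses a constructed master.cf and two constructed main.cf variants, computes the effective SASL and TLS setting for every `inet` smtpd listener, and flags any listener that would accept authenticated submission. The sample file contents, the `audit` function and its report keys are all assumptions made for the example.

```python
"""Audit which Postfix smtpd listeners really accept SASL AUTH (added example)."""
import shlex

# Constructed sample master.cf: port 25 has no overrides, submission has them,
# smtps (465) is commented out, as in the post.
SAMPLE_MASTER_CF = """\
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
pickup     unix  n       -       -       60      1       pickup
"""

# Constructed main.cf that enables SASL globally: this is what leaks AUTH onto port 25.
SAMPLE_MAIN_CF_GLOBAL_SASL = """\
smtpd_tls_security_level = encrypt
smtpd_sasl_auth_enable = yes
"""

# Constructed hardened main.cf: SASL off globally, opportunistic TLS for inbound MX
# traffic; AUTH and mandatory TLS come only from the submission overrides.
SAMPLE_MAIN_CF_HARDENED = """\
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = no
"""


def parse_main_cf(text):
    """Return {parameter: value} from a main.cf-style 'key = value' file."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {"type", "command", "overrides"}} for uncommented entries.

    Continuation lines (leading whitespace) belong to the preceding service line;
    '-o name=value' tokens after the eighth field are collected as overrides.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1].append(raw.strip())
        else:
            entries.append([raw.strip()])
    services = {}
    for lines in entries:
        tokens = shlex.split(" ".join(lines))
        if len(tokens) < 8:
            continue
        name, stype, command, args = tokens[0], tokens[1], tokens[7], tokens[8:]
        overrides = {}
        for i, tok in enumerate(args):
            if tok == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                key, _, value = args[i + 1].partition("=")
                overrides[key.strip()] = value.strip()
        services[name] = {"type": stype, "command": command, "overrides": overrides}
    return services


def effective(param, service, main_params, default):
    """Per-service -o override wins, then main.cf, then the built-in default."""
    return service["overrides"].get(param, main_params.get(param, default))


def audit(master_text, main_text):
    """Report SASL/TLS settings for every network smtpd listener."""
    main_params = parse_main_cf(main_text)
    report = {}
    for name, svc in parse_master_cf(master_text).items():
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        sasl = effective("smtpd_sasl_auth_enable", svc, main_params, "no")
        tls = effective("smtpd_tls_security_level", svc, main_params, "none")
        report[name] = {
            "sasl": sasl,
            "tls": tls,
            # Any listener other than submission/smtps offering AUTH is a finding.
            "accepts_submission": sasl == "yes",
        }
    return report


if __name__ == "__main__":
    for label, main_cf in (("global SASL", SAMPLE_MAIN_CF_GLOBAL_SASL),
                           ("hardened", SAMPLE_MAIN_CF_HARDENED)):
        print(f"--- main.cf: {label}")
        for name, info in audit(SAMPLE_MASTER_CF, main_cf).items():
            flag = "  <-- accepts AUTH" if info["accepts_submission"] else ""
            print(f"{name:11s} sasl={info['sasl']:3s} tls={info['tls']}{flag}")
```

Run against the first main.cf variant, the report shows `smtp` (port 25) with SASL enabled, which is exactly the situation the poster describes; with the hardened variant only `submission` offers AUTH. The hardened sample also drops the global `smtpd_tls_security_level = encrypt` to `may`, because on an MX listener `encrypt` rejects any sending server that does not offer STARTTLS, whereas the submission service keeps `encrypt` through its own `-o` line. On a real host the same parsing can be applied to the output of `postconf -M` and `postconf -n` instead of the constructed strings.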