On Thu, Aug 15, 2019 at 02:52:12PM +0800, Eliza wrote:

> My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.

Don't confuse port 25 used for (MTA-to-MTA) SMTP (inter-domain email
relay), with ports 587 and 465 used in the MUA-to-MTA *SUBMIT*
protocol, which is very similar to MTA-to-MTA SMTP, but serves a
different need and differs in some details, like the ports used.

Except through bilateral arrangements or abuse of your systems, no
remote system will send you email on ports other than 25.

> How to enforce the peer MTA send messages only to 465 port for better 
> secure communication?

This is not possible.

> Can I just shutdown port 25?

No.  But you can enable inbound STARTTLS.

    http://www.postfix.org/TLS_README.html#quick-start

Once you've mastered that, you can DNSSEC-sign your domain, and publish
TLSA records.

    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

and enable DANE outbound:

    http://www.postfix.org/TLS_README.html#client_tls_dane

    main.cf:
        smtp_dns_support_level = dnssec
        smtp_tls_security_level = dane

    /etc/resolv.conf
        # A validating *local* resolver
        nameserver 127.0.0.1

-- 
        Viktor.
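As an added illustration (not Viktor's text and not Postfix's own code) of what a "dane" outbound policy actually checks once TLSA records are published: a minimal RFC 6698 TLSA matcher restricted to the DANE-TA (2) and DANE-EE (3) usages that SMTP DANE (RFC 7672) uses. The function names and the certificate/SPKI byte strings are constructed placeholders, not real DER.

```python
"""Minimal TLSA (RFC 6698) association check for SMTP DANE (RFC 7672).

Added example, not Postfix code.  Certificate and SubjectPublicKeyInfo
inputs are opaque byte strings here; a real client passes DER bytes.
"""
import hashlib

# RFC 7672: only DANE-TA (2) and DANE-EE (3) are usable for SMTP.
# PKIX-TA (0) and PKIX-EE (1) records are treated as unusable.
SMTP_USABLE_USAGES = {2, 3}


def parse_tlsa(rdata: str):
    """Parse presentation form '<usage> <selector> <mtype> <hexdata>'."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Selector picks full cert (0) or SPKI (1); matching type hashes it."""
    chosen = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return chosen                              # exact match
    if mtype == 1:
        return hashlib.sha256(chosen).digest()     # SHA2-256
    if mtype == 2:
        return hashlib.sha512(chosen).digest()     # SHA2-512
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the candidate cert satisfies the record.

    For DANE-EE the candidate is the server's leaf certificate; for DANE-TA
    it is an issuer certificate somewhere in the presented chain.
    """
    usage, selector, mtype, expected = parse_tlsa(rdata)
    if usage not in SMTP_USABLE_USAGES:
        return False                               # unusable record: never matches
    return association_data(cert_der, spki_der, selector, mtype) == expected


def make_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Presentation-form record to publish, e.g. the common '3 1 1' SPKI pin."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, spki_der, selector, mtype).hex()}"


if __name__ == "__main__":
    # Constructed sample inputs, not real certificates.
    leaf, spki = b"constructed-leaf-cert-der", b"constructed-leaf-spki-der"
    record = make_tlsa(3, 1, 1, leaf, spki)
    print(record, tlsa_matches(record, leaf, spki))
```

Publishing a "3 1 1" record pins the SPKI, so the record survives certificate renewals that keep the same key; rotating the key without first updating the TLSA record makes every DANE-enabled sender refuse delivery.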
