On Thu, Aug 15, 2019 at 02:52:12PM +0800, Eliza wrote:

> My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.

Don't confuse port 25 used for (MTA-to-MTA) SMTP (inter-domain email
relay), with ports 587 and 465 used in the MUA-to-MTA *SUBMIT* protocol,
which is very similar to MTA-to-MTA SMTP, but serves a different need and
differs in some details, like the ports used.

Except through bilateral arrangements or abuse of your systems, no remote
system will send you email on ports other than 25.

> How to enforce the peer MTA send messages only to 465 port for better
> secure communication?

This is not possible.

> Can I just shutdown port 25?

No. But you can enable inbound STARTTLS.

    http://www.postfix.org/TLS_README.html#quick-start

Once you've mastered that, you can DNSSEC-sign your domain, and publish
TLSA records.

    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

and enable DANE outbound:

    http://www.postfix.org/TLS_README.html#client_tls_dane

main.cf:
    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane

/etc/resolv.conf:
    # A validating *local* resolver
    nameserver 127.0.0.1

-- 
    Viktor.
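As an added example (not part of Viktor's reply, and not Postfix code): the record-building and matching logic behind "publish TLSA records" and `smtp_tls_security_level = dane`, i.e. how a DANE SMTP client compares the server's certificate against the published TLSA data (RFC 6698 / RFC 7672). The certificate and SubjectPublicKeyInfo bytes are constructed placeholders; for a real MX you would use the DER SPKI extracted from the server certificate.

```python
"""Build and match DANE TLSA records for SMTP (RFC 6698 / RFC 7672)."""
import hashlib

# RFC 7672: a DANE SMTP client uses only DANE-TA(2) and DANE-EE(3) records;
# PKIX-TA(0) and PKIX-EE(1) are ignored because there is no public CA trust.
USAGE_DANE_TA, USAGE_DANE_EE = 2, 3
SEL_CERT, SEL_SPKI = 0, 1                      # full certificate / SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

def association_data(mtype, der):
    """Derive the TLSA 'certificate association data' from the DER bytes."""
    if mtype == MATCH_FULL:
        return der
    if mtype == MATCH_SHA256:
        return hashlib.sha256(der).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(der).digest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_record(mx_host, spki_der, port=25):
    """Render the '3 1 1' record (DANE-EE, SPKI, SHA-256) usually published for an MX."""
    digest = association_data(MATCH_SHA256, spki_der).hex()
    return f"_{port}._tcp.{mx_host}. IN TLSA {USAGE_DANE_EE} {SEL_SPKI} {MATCH_SHA256} {digest}"

def parse_tlsa_rdata(rdata):
    """Parse 'usage selector mtype hexdata' as seen in a TLSA answer."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))

def dane_ee_match(records, cert_der, spki_der):
    """True if any DANE-EE(3) record matches the leaf certificate the server presented.

    DANE-TA(2) needs chain validation up to the anchor and is not handled here;
    usages 0 and 1 are skipped as RFC 7672 requires.
    """
    for usage, selector, mtype, assoc in records:
        if usage != USAGE_DANE_EE:
            continue
        der = cert_der if selector == SEL_CERT else spki_der
        if association_data(mtype, der) == assoc:
            return True
    return False

# Constructed stand-ins for a server's DER certificate and its SPKI (not real ASN.1).
SAMPLE_CERT = b"constructed-der-certificate-for-mx.example.com"
SAMPLE_SPKI = b"constructed-der-subjectpublickeyinfo-for-mx.example.com"

def demo():
    """Publisher side renders the record; client side matches the same key material."""
    rr = tlsa_record("mx.example.com", SAMPLE_SPKI)
    records = [parse_tlsa_rdata(rr.split(" IN TLSA ", 1)[1])]
    return rr, dane_ee_match(records, SAMPLE_CERT, SAMPLE_SPKI)

if __name__ == "__main__":
    print(demo())
```

Publishing a second "3 1 1" record for the next key before rotating the certificate keeps `dane_ee_match` true throughout the rollover, which is the usual DANE deployment practice.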