On Thu, Aug 15, 2019 at 02:52:12PM +0800, Eliza wrote:

> My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.

Don't confuse port 25 used for (MTA-to-MTA) SMTP (inter-domain email
relay), with ports 587 and 465 used in the MUA-to-MTA *SUBMIT*
protocol, which is very similar to MTA-to-MTA SMTP, but serves a
different need and differs in some details, like the ports used.

Except through bileteral arrangements or abuse of your systems, no
remote system will send you email on ports other than 25.

> How to enforce the peer MTA send messages only to 465 port for better 
> secure communication?

This is not possible.

> Can I just shutdown port 25?

No.  But you can enable inbound STARTTLS.


Once you've mastered that, you can DNSSEC-sign your domain, and publish
TLSA records.


and enable DANE outbound:


        smtp_dns_support_level = dnssec
        smtp_tls_security_level = dane

        # A validating *local* resolver


Reply via email to