On 03.06.24 20:55, Jeff P via Postfix-users wrote:
I have closed SASL auth on port 25,
but users can still use port 587 for login with plain text.
How can I force users to use submission via STARTTLS only?
I know I can open port 465 for SSL connections, but for historical reasons port 587 must be open.

I wonder how you configured port 587, since the default master.cf contains instructions for requiring TLS and also disables unauthenticated clients:

#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
[...]
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

On 04.06.24 08:03, Jeff P via Postfix-users wrote:
After postfix and dovecot were installed, there are 4 ports open by default.

port 587
port 25
port 993
port 143

So I have improved them by implementing:

1. close public port 143
2. disable sasl auth on port 25
3. force smtp client to login using tls only on port 587

The 3. is implied by 2., although you can tune it a bit

e.g. my main.cf:

mua_client_restrictions = permit_sasl_authenticated, check_client_access static:{530 5.7.0 Authentication Required.}

and in master.cf:

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
[...]
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions



Do you think there is any stuff I am missing?

Use postscreen on port 25, it will drop many bots from trying to connect and send mail through your server.

http://www.postfix.org/POSTSCREEN_README.html


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
If Barbie is so popular, why do you have to buy her friends?
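
An added example, not part of the original message or of Postfix itself: a small audit of master.cf text that lists smtpd services enabling SASL AUTH without any of the TLS requirements used in the reply above (`smtpd_tls_security_level=encrypt`, `smtpd_tls_auth_only=yes`, `smtpd_tls_wrappermode=yes`). Assumptions: only `-o` overrides in master.cf are considered (main.cf defaults are ignored), the function names are hypothetical, and the sample, including the weak service on port 2525, is constructed.

```python
# Constructed sample: the submission/smtps overrides from the reply plus one
# deliberately weak service (hypothetical port 2525) for contrast.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
2525      inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=may
"""

def parse_master_cf(text):
    """Return {service name: {override: value}} for smtpd services."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                              # blank line or comment
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()     # continuation of a service
        else:
            entries.append(line.strip())          # new logical line
    services = {}
    for entry in entries:
        fields = entry.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        args = fields[8:]
        services[fields[0]] = dict(
            args[i + 1].split("=", 1) for i in range(len(args) - 1)
            if args[i] == "-o" and "=" in args[i + 1])
    return services

def plaintext_auth_services(text):
    """Names of services that enable SASL AUTH with no TLS requirement."""
    weak = []
    for name, opts in parse_master_cf(text).items():
        tls_required = (opts.get("smtpd_tls_wrappermode") == "yes"
                        or opts.get("smtpd_tls_security_level") == "encrypt"
                        or opts.get("smtpd_tls_auth_only") == "yes")
        if opts.get("smtpd_sasl_auth_enable") == "yes" and not tls_required:
            weak.append(name)
    return weak
```

A service whose TLS requirement comes only from main.cf would be reported here, so treat a hit as a prompt to check the effective settings rather than as proof of plaintext AUTH.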