Thus closing 587 completely. 465 can be good to allow old (or misconfigured) SMTPS servers to send incoming mail to you.
By disabling authentication and ONLY allowing relaying from the "inside", you completely close the spam hole. If there's no possibility to submit mail from the "outside" at all, then there's nothing to run a password cracker or dictionary attack on at all.
If you MUST accept submissions from the outside, I would suggest limiting this to a set of permitted IPs/IP ranges by using check_client_access to apply "permit_sasl_authenticated, reject_unauth_destination" only from authorized IP ranges, and "reject_unauth_destination" from everyone else. Then you limit the exposure to password crackers and dictionary-attacking relayers pretty much, since they must then come from the same ISP or country as your authorized users (depending on your authorization list).
-----Original message-----
From: Peter
Sent: Monday, April 06, 2015 11:18 AM
To: postfix-users@postfix.org
Subject: Re: port 25 465 and 587 confusion.

On 04/06/2015 08:05 PM, Muhammad Yousuf Khan wrote:
By Peter -------------
What you should be, at the very least, encouraging is STARTTLS over port 587. Whether you want to support some very old Outlook clients and offer TLS wrapper mode over 465 is up to you, but it is unlikely you will find anyone who still needs this old and deprecated form of submission.

What do you mean by "very least"? Is there any preferable way than STARTTLS?
I mean that the very least you should do is encourage your users to use port 587 with STARTTLS, you could do more by enforcing it.
- Is it possible I enforce users/clients to only submit mails on port 587 and leave 25 for server-to-server communication only?
Right, you really should not be allowing submission on port 25 at all.
And is this segregation a good thought of mine, or practical?
Yes
Isn't 465 useless, and can I close this? If yes, then how?
That depends on if you have users that have very old versions of Outlook which don't support STARTTLS. In this case you should encourage or even require them to upgrade to a newer email client, but in case you can't do that then you might have to support port 465 for them. You close it by commenting out the smtps section in master.cf.

Peter
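The two pieces of advice in this thread (Peter's: submission only on 587 with STARTTLS enforced, port 25 for server-to-server mail, smtps commented out; and the reply's: check_client_access handing out "permit_sasl_authenticated, reject_unauth_destination" only to authorized client ranges and plain "reject_unauth_destination" to everyone else) fit into one Postfix configuration. The fragment below is an added example written for this page, not configuration posted by either participant; the restriction class names, the CIDR table path and the 192.0.2.0/24 "authorized" range are constructed placeholders, not values from the thread.

```conf
# ---- main.cf (added example; names and ranges are placeholders) ----
# Restriction classes returned by the client-access lookup below.
# Declared here because check_client_access may only reference
# classes listed in smtpd_restriction_classes.
smtpd_restriction_classes = submission_from_trusted, submission_from_untrusted
# Authorized ranges: allow relaying once SASL authentication succeeds.
submission_from_trusted   = permit_sasl_authenticated, reject_unauth_destination
# Everyone else: may still deliver to our own domains, may never relay,
# and never gets a chance to authenticate (see smtpd_sasl_auth_enable below).
submission_from_untrusted = reject_unauth_destination

# Port 25 (server-to-server): no SASL at all, so there is no password
# to attack; only mail for our own domains is accepted.
smtpd_sasl_auth_enable    = no
smtpd_relay_restrictions  = permit_mynetworks, reject_unauth_destination
smtpd_tls_security_level  = may

# ---- /etc/postfix/submission_clients.cidr (placeholder table) ----
# Key: client network. Value: restriction class to apply.
# First match wins; the 0.0.0.0/0 row is the catch-all.
#   192.0.2.0/24   submission_from_trusted
#   0.0.0.0/0      submission_from_untrusted

# ---- master.cf (added example) ----
# Port 587: the only place authentication is offered, and only over TLS.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=check_client_access,cidr:/etc/postfix/submission_clients.cidr
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination

# Port 465 (TLS wrapper mode): left commented out, as Peter describes, unless
# a client that cannot do STARTTLS still has to be supported.
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
```

On port 587, `smtpd_client_restrictions` runs first and maps the connecting client to one of the two classes; a client outside the authorized range therefore only ever sees `reject_unauth_destination`, so relay attempts are refused whether or not a password is guessed, and `smtpd_tls_auth_only=yes` keeps AUTH off the wire until STARTTLS has completed. Because `check_client_access` here uses a CIDR table, the lookup can be checked without restarting anything with `postmap -q 203.0.113.9 cidr:/etc/postfix/submission_clients.cidr` (expected to print `submission_from_untrusted` with the placeholder table above), and a reload via `postfix reload` picks up the master.cf change.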