On Wed, Nov 09, 2016 at 12:47:05AM -0800, vod vos wrote:

> How to forbid using openssl.. starttls to connect port 25? 

You can only do that by disabling TLS entirely, but that does not
seem to be what you're asking for.  On the receiving end, there is
no way to distinguish between "openssl -starttls tls" and an actual
TLS-capable MTA.

> Or how to forbid AUTH PLAIN on port 25, and just using port 587
> for submission?

That's easy enough, only enable sasl auth on port 587 via the
appropriate master.cf "-o smtpd_...=value" override settings,
and require TLS on port 587:

    master.cf:
        submission inet ... smtpd
            ...
            -o smtpd_relay_restrictions=$mua_relay_restrictions
            -o smtpd_recipient_restrictions=$mua_recipient_restrictions
            -o smtpd_tls_security_level=encrypt
            -o smtpd_tls_auth_only=yes
            -o smtpd_sasl_auth_enable=yes

    main.cf:
        # Postfix 2.10 or later, else recipient restrictions
        mua_relay_restrictions = permit_sasl_authenticated, reject
        # Referenced by the submission service above; same rule for
        # releases before 2.10 that have no relay restrictions
        mua_recipient_restrictions = permit_sasl_authenticated, reject

        # Default off
        smtpd_sasl_auth_enable = no

        # Minimum recommended server TLS settings:
        #
        # Also see: http://www.postfix.org/FORWARD_SECRECY_README.html
        #
        smtpd_tls_security_level = may
        smtpd_tls_loglevel = 1
        smtpd_tls_protocols = !SSLv2, !SSLv3
        smtpd_tls_ciphers = medium
        tls_preempt_cipherlist = yes

-- 
        Viktor.
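An added check, not part of Viktor's reply or of Postfix itself, that audits a master.cf/main.cf pair for the property the reply describes: SASL AUTH enabled only on the submission service, and only once TLS is mandatory (smtpd_tls_security_level=encrypt) or AUTH is withheld until after STARTTLS (smtpd_tls_auth_only=yes). The two master.cf samples and the main.cf are constructed for this example; the parser is simplified (no {}-quoted override values, single-pass $name expansion) and the defaults table covers only the three parameters checked.

```python
"""Audit Postfix master.cf/main.cf for SASL AUTH exposure (example code)."""
import re

# Constructed master.cf matching the advice above: AUTH only on submission,
# and there only under mandatory TLS.
GOOD_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=$mua_relay_restrictions
pickup     unix  n       -       n       60      1       pickup
"""

# Constructed misconfiguration: AUTH also switched on for port 25 via an
# inline -o, and submission inherits main.cf's opportunistic TLS ("may").
BAD_MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes
submission inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
"""

MAIN_CF = """\
smtpd_sasl_auth_enable = no
smtpd_tls_security_level = may
mua_relay_restrictions = permit_sasl_authenticated, reject
"""

# Postfix built-in defaults for the parameters this check reads.
DEFAULTS = {
    "smtpd_sasl_auth_enable": "no",
    "smtpd_tls_security_level": "",
    "smtpd_tls_auth_only": "no",
}


def parse_main_cf(text):
    """Return {parameter: value} from main.cf, ignoring blanks and comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {"type", "command", "overrides"}} from master.cf.

    A line starting with whitespace continues the previous service entry;
    -o name=value may appear there or inline after the command."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            m = re.match(r"^\s*-o\s+([^=\s]+)=(.*)$", raw)
            if current is not None and m:
                current["overrides"][m.group(1)] = m.group(2).strip()
            continue
        fields = raw.split()
        if len(fields) < 8:  # name type private unpriv chroot wakeup maxproc command
            continue
        current = {"type": fields[1], "command": fields[7], "overrides": {}}
        for i in range(8, len(fields) - 1):
            if fields[i] == "-o" and "=" in fields[i + 1]:
                name, value = fields[i + 1].split("=", 1)
                current["overrides"][name] = value
        services[fields[0]] = current
    return services


def effective(param, svc, main):
    """Value seen by one smtpd instance: -o override, else main.cf, else default.
    $name references in either place resolve against main.cf."""
    value = svc["overrides"].get(param, main.get(param, DEFAULTS.get(param, "")))
    return re.sub(r"\$\{?(\w+)\}?", lambda m: main.get(m.group(1), ""), value).strip()


def audit(master_text, main_text):
    """Return a list of findings; empty means the configuration matches the advice."""
    main = parse_main_cf(main_text)
    findings = []
    for name, svc in parse_master_cf(master_text).items():
        if svc["command"] != "smtpd":
            continue
        if effective("smtpd_sasl_auth_enable", svc, main) != "yes":
            continue
        level = effective("smtpd_tls_security_level", svc, main)
        auth_only = effective("smtpd_tls_auth_only", svc, main)
        if name == "smtp":  # the inet service named "smtp" listens on port 25
            findings.append(f"{name}: SASL AUTH enabled on the port-25 MTA service")
        tls_gated = level == "encrypt" or (level not in ("", "none") and auth_only == "yes")
        if not tls_gated:
            findings.append(f"{name}: SASL AUTH offered without requiring TLS first")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_MASTER_CF), ("bad", BAD_MASTER_CF)):
        print(label, audit(cfg, MAIN_CF) or ["ok"])
```

On a live system the same service entries and -o overrides can be listed with `postconf -M` and `postconf -P` (Postfix 2.11 and later) instead of parsing the file by hand.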
