edg973:
> Hello dear Postfix users,
> I am managing a postfix server (version 2.5.5), but I did not install it.
> This server accepts mail submission on port 25 after sasl authentication... I
> would like to stop it, because this is a security issue. External servers on
> the internet are trying brute force attacks on passwords...
> It is also configured to use port 465 smtp over tls for the users of the
> domain of my local lan.
> 
> According to this link:
> https://unix.stackexchange.com/questions/145499/postfix-disable-authentication-through-port-25
> It is possible to stop sasl mail submission on port 25.
> 
> I am not familiar with mail systems, is this a good way to do it?
> I am also wondering if I could add support for smtps port 587 in master.cf
> (for the moment only 465 is set).
> Can both 465 and 587 ports be configured at the same time?

Unfortunately, that link shows how to turn off TLS and SASL on port
25, which is not what you want. And yes, port 25 (smtp), 465 (smtps)
and 587 (submission) can be enabled at the same time.

Below is a Postfix 2.6.0 fragment of the master.cf file. You are
expected to uncomment the relevant sections. This assumes that you
have no smtpd_sasl_auth_enable settings in main.cf.

        Wietse

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
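
An added example, not part of the original message or of Postfix: a small Python check that resolves, per smtpd service, whether SASL AUTH ends up enabled once master.cf `-o` overrides are applied on top of main.cf. The sample master.cf is constructed from the fragment above with the submission and smtps entries uncommented, and the `main_cf` dict is a hypothetical stand-in for the settings in main.cf.

```python
# Constructed sample: the fragment above with submission and smtps uncommented.
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def parse_master(text):
    """Return {service: {param: value}} for inet smtpd services in master.cf text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        f = line.split()
        if len(f) < 8 or f[1] != "inet" or f[7] != "smtpd":
            continue
        args = f[8:]
        # Collect each "-o name=value" pair given to this service.
        services[f[0]] = dict(a.split("=", 1) for o, a in zip(args, args[1:])
                              if o == "-o" and "=" in a)
    return services

def sasl_exposure(master_text, main_cf=None):
    """Return {service: bool}: whether SASL AUTH is effectively enabled.

    main_cf is a dict of main.cf settings (hypothetical input). A -o override
    in master.cf wins, then main.cf, then the Postfix default "no".
    """
    main_cf = main_cf or {}
    default = main_cf.get("smtpd_sasl_auth_enable", "no")
    return {name: opts.get("smtpd_sasl_auth_enable", default) == "yes"
            for name, opts in parse_master(master_text).items()}

if __name__ == "__main__":
    print(sasl_exposure(MASTER_CF))
    print(sasl_exposure(MASTER_CF, {"smtpd_sasl_auth_enable": "yes"}))
```

The second call shows why the reply assumes no smtpd_sasl_auth_enable setting in main.cf: with it set to yes there, the port 25 service inherits it and still offers AUTH.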
