On 3/20/2019 11:39 AM, Ralph Seichter wrote: > * Yassine Chaouche: > >> So the only thing that I need submission port for seems to be to force >> TLS connexions, right ? > > You already mentioned having different policies, so the possibilities > are numerous. Having the dedicated submission port allows me to easily > force encryption, force authentication (password, client certificates), > limit users to certain sender domains, add DKIM signatures, to name just > some examples. I can also flat out reject envelope senders foo@mydomain > on port 25, add DNS BL/WL checks, various milters, etc. > > In my experience it is easier to configure (and understand) how your > Postfix instances are operating when inbound and outbound emails are > entering via separate ports.
The similarity between the two ports is that they both allow a means of entry for an email into the server. Beside that, they can (and usually do) have differing policies regarding that entry. Keeping the two entry streams separate makes it easier to put the differing policies into place and to enforce those policies. If someone, for whatever reason, has very similar policies for the two ports, then for that person, the distinction of having two separate ports becomes less apparent.
