On Tue, Nov 15, 2022 at 01:12:49PM -0300, Christian Schmitz wrote:

> I have a postfix server that has been running for years; it sends and receives
> email fine with other servers, and the email clients (kmail) are in the internal
> trusted network.

As a matter of existing best practice, submission of mail from MUAs
should use ports 587 (SMTP + STARTTLS) and/or 465 (implicit or
wrapper-mode TLS) and NOT port 25.  The stock Postfix master.cf
file has commented out definitions of submission services that you
can uncomment and tune to your needs:

* Port 587 "submission" (see /etc/services and/or Postfix 3.6 or later
  <https://www.postfix.org/postconf.5.html#known_tcp_ports>)

    # Choose one: enable submission for loopback clients only, or for any client.
    #127.0.0.1:submission inet n -   n       -       -       smtpd
    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes
    #  -o local_header_rewrite_clients=static:all
    #  -o smtpd_reject_unlisted_recipient=no
    #     Instead of specifying complex smtpd_<xxx>_restrictions here,
    #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
    #     here, and specify mua_<xxx>_restrictions in main.cf (where
    #     "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
    #  -o smtpd_client_restrictions=
    #  -o smtpd_helo_restrictions=
    #  -o smtpd_sender_restrictions=
    #  -o smtpd_relay_restrictions=
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

* Port 465 "submissions" (see /etc/services and/or Postfix 3.6 or later
  <https://www.postfix.org/postconf.5.html#known_tcp_ports>)

    # Choose one: enable submissions for loopback clients only, or for any client.
    #127.0.0.1:submissions inet n  -       n       -       -       smtpd
    #submissions     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submissions
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o local_header_rewrite_clients=static:all
    #  -o smtpd_reject_unlisted_recipient=no
    #     Instead of specifying complex smtpd_<xxx>_restrictions here,
    #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
    #     here, and specify mua_<xxx>_restrictions in main.cf (where
    #     "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
    #  -o smtpd_client_restrictions=
    #  -o smtpd_helo_restrictions=
    #  -o smtpd_sender_restrictions=
    #  -o smtpd_relay_restrictions=
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

> In the near future I will need to use it from outside the company (internet),
> and I found that some internet services in Argentina block port 25,
> making it impossible to connect the MUA to postfix.

See above.

> So I think that I can open postfix on an unprivileged port (e.g. 20025).
> These ports are normally open (because the customers check the cameras and
> other services).
> The questions:
> 1) How do I do that? (I suspect that it must be relatively easy.)
> 2) Is there any extra security risk (in addition to keeping a service on the internet)?

See above.  No extra security risk, separate submission services are
best practice, with SASL generally disabled on port 25 and available
only on the submission ports and only after STARTTLS (in the case of
port 587 STARTTLS).

-- 
    Viktor.
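
A quick way to confirm that a server matches the layout Viktor describes
(no SASL on port 25; AUTH on 587 only after STARTTLS; 465 in wrapper mode)
is to record the EHLO extension keywords before and after TLS on each port
and check them against those rules. The script below is an added example
written for this thread; it is not Viktor's code and not part of Postfix.
The host name `mail.example.com` is an assumed placeholder, and the
extension sets in the self-check are constructed, not captured.

```python
"""Check how SMTP AUTH is exposed on the MX and submission ports.

Rules applied (from the reply above):
  port 25  -> AUTH must not be offered at all (SASL off on the MX service)
  port 587 -> STARTTLS offered, AUTH only after STARTTLS (smtpd_tls_auth_only=yes)
  port 465 -> implicit TLS (smtpd_tls_wrappermode=yes), AUTH offered inside TLS
Added example, not Postfix's own tooling; host name is an assumption.
"""
import smtplib
import ssl
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Finding:
    port: int
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def assess_service(port: int, plain_ext: Optional[set], tls_ext: Optional[set]) -> Finding:
    """Judge one listener from the EHLO keywords seen on the plaintext
    connection (plain_ext; None for wrapper-mode 465) and after TLS was
    established (tls_ext; None if no TLS session was negotiated)."""
    plain = {k.upper() for k in plain_ext} if plain_ext is not None else None
    tls = {k.upper() for k in tls_ext} if tls_ext is not None else None
    f = Finding(port)

    if port == 25:
        if (plain and "AUTH" in plain) or (tls and "AUTH" in tls):
            f.problems.append("port 25 advertises AUTH; keep SASL off the MX service")
        return f

    if port == 587:
        if plain is None:
            f.problems.append("no plaintext EHLO recorded; 587 is STARTTLS, not wrapper mode")
            return f
        if "STARTTLS" not in plain:
            f.problems.append("STARTTLS not offered (smtpd_tls_security_level=encrypt missing?)")
        if "AUTH" in plain:
            f.problems.append("AUTH offered before STARTTLS (set smtpd_tls_auth_only=yes)")
        if tls is None:
            if "STARTTLS" in plain:
                f.problems.append("STARTTLS offered but the TLS handshake failed")
        elif "AUTH" not in tls:
            f.problems.append("AUTH not offered after STARTTLS (smtpd_sasl_auth_enable=yes missing?)")
        return f

    if port == 465:
        if tls is None:
            f.problems.append("no TLS session; 465 needs smtpd_tls_wrappermode=yes")
        elif "AUTH" not in tls:
            f.problems.append("AUTH not offered on submissions (smtpd_sasl_auth_enable=yes missing?)")
        return f

    f.problems.append(f"port {port} is not a standard submission port; prefer 587/465")
    return f


def probe(host: str, port: int, timeout: float = 10.0) -> Finding:
    """Connect to host:port, collect EHLO extensions before and after TLS,
    and assess them. smtplib lower-cases keywords in esmtp_features."""
    ctx = ssl.create_default_context()
    if port == 465:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            s.ehlo()
            return assess_service(port, None, set(s.esmtp_features))
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        plain = set(s.esmtp_features)
        tls = None
        if s.has_extn("starttls"):
            try:
                s.starttls(context=ctx)
                s.ehlo()
                tls = set(s.esmtp_features)
            except (smtplib.SMTPException, ssl.SSLError, OSError):
                tls = None
        return assess_service(port, plain, tls)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # assumed placeholder
    for port in (25, 587, 465):
        try:
            result = probe(host, port)
        except OSError as exc:
            print(f"{port}: could not connect ({exc})")
            continue
        print(f"{port}: {'OK' if result.ok else '; '.join(result.problems)}")
```

Run it as `python3 check_submission.py mail.example.com` from a client
network; a clean result is `OK` on all three ports. The assessment is kept
separate from the network probe so the rules can be checked against
recorded EHLO output without a live server.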
