+1 (888) 578-8743

Freedom through Communications

In postfix, how to enforce tls + auth over 587 while leaving tls optional for 25

updated on

Paralife asked:

I would like to host mail services for some domains. I have succesfully setup postfix to consult sql for those virtual domains. What I would like to do is:

  • For connections on 25:

    1. Deny relaying (only deliver to recipients of my virtual domains)
    2. Leave tls optional, but offer auth only if client does tls
    3. Accept only non-blacklisted clients (e.g restrict XBL+SBL+PBL from spamhaus)
      or clients that do tls and auth (“friend mail servers” that are setup to authenticate with me with auth and tls)

  • For connections on 587:

    1. Enforce tls and auth
    2. Permit relaying.
    3. Accept only non-blacklisted clients (blacklists like above but leave out PBL checking)

My Questions:

  • A. I know of the postfix options for the above , but I cant find how to differentiate them based on the listening port.

  • B. Will I run into widely known problems with supposedly legit clients with the above policy?

I am new to mail server setup, sorry for any meaningless question/assupmtion (please point it). Thanks.

My answer:

That’s easy,

  1. In /etc/postfix/main.cf you will add/change

    smtpd_tls_security_level=may

    so that by default TLS is available (but optional).

  2. Then, in your /etc/postfix/master.cf you will override it for port 587 (the submission port) by overriding the parameter:

    submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt

    This requires TLS for all submission (port 587) connections.

As for denying relaying, this is the default; relaying is allowed only for authenticated users, and IP addresses you specify in mynetworks.

Finally you can add blacklists in main.cf by appending to smtpd_recipient_restrictions:

    reject_rbl_client zen.spamhaus.org,

or whatever blacklists you wish. These should appear near the end of the list, just before the final permit.

One last thing. For more ideas on how to prevent spam, see Fighting Spam – What can I do as an: Email Administrator, Domain Owner, or User?

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Related Post

Is there an internal Windows 8 app store for enterprise?

Is there an internal Windows 8 app store for enterprise?

Error in a collation for german characters

Error in a collation for german characters

Problems with DNS

Problems with DNS

How do CNAME and A records interact (in this weird case)

How do CNAME and A records interact (in this weird case)

Difference between target policy 18 and 24 in SELinux

Difference between target policy 18 and 24 in SELinux

ipv6 transparent proxy usage using apache benchmark(ab) apache2-utils-2.2.22

ipv6 transparent proxy usage using apache benchmark(ab) apache2-utils-2.2.22