Securing Postfix/Dovecot: Disabling Unencrypted Ports & Understanding Submission Service in Email Server Configuration

When running nmap against a standard Postfix/Dovecot setup, we typically see these ports open:

25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
465/tcp open  smtps
587/tcp open  submission
993/tcp open  imaps
995/tcp open  pop3s

To disable unsecured protocols while maintaining full email functionality:

# In /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imap {
    port = 0  # Disable plain IMAP
  }
  inet_listener imaps {
    port = 993
  }
}

service pop3-login {
  inet_listener pop3 {
    port = 0  # Disable plain POP3
  }
  inet_listener pop3s {
    port = 995
  }
}

# In /etc/postfix/master.cf
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=may

The submission port (587) serves crucial functions:

  • Mail client authentication (SMTP AUTH)
  • Mandatory STARTTLS for modern email clients
  • Different message handling rules than port 25

Configure it properly in master.cf:

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
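As an added check (not part of the original page), the following Python audit parses a Postfix master.cf and a Dovecot 10-master.conf in the layout shown above and reports where the submission service or the plaintext IMAP/POP3 listeners fall short of that configuration. The two sample files embedded in it are constructed for the example; on a real host the inputs would be /etc/postfix/master.cf and /etc/dovecot/conf.d/10-master.conf.

```python
import re
# Constructed samples (hypothetical, not from a real server) of the two files being audited
MASTER_CF = """\
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
DOVECOT_MASTER = """\
service imap-login {
  inet_listener imap {
    port = 143
  }
}
"""

def parse_master_cf(text):
    """Map each master.cf service name to its '-o name=value' overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":  # an unindented line starts a new service entry
            current = line.split()[0]
            services[current] = {}
        elif m := re.match(r"\s*-o\s+([^=\s]+)=(.*)", line):
            services[current][m.group(1)] = m.group(2).strip()
    return services

def dovecot_listener_ports(text):
    """Map each inet_listener name to the port set inside its block."""
    pat = r"inet_listener\s+(\w+)\s*\{[^}]*?port\s*=\s*(\d+)"
    return {name: int(port) for name, port in re.findall(pat, text)}

def audit(master_cf, dovecot_conf):
    """Return findings where the configs fall short of the hardening above (empty list = OK)."""
    findings = []
    sub = parse_master_cf(master_cf).get("submission", {})
    required = {"smtpd_tls_security_level": "encrypt", "smtpd_sasl_auth_enable": "yes",
                "smtpd_client_restrictions": "permit_sasl_authenticated,reject"}
    for opt, want in required.items():
        if sub.get(opt) != want:
            findings.append(f"postfix: submission {opt}={sub.get(opt)}, expected {want}")
    ports = dovecot_listener_ports(dovecot_conf)
    for plain, default in (("imap", 143), ("pop3", 110)):
        port = ports.get(plain, default)  # Dovecot's built-in default applies if the block is absent
        if port != 0:
            findings.append(f"dovecot: plaintext {plain} listener still on port {port}")
    return findings
```

Feeding it the output of `doveconf -n` instead of the single file catches listener settings spread across other included Dovecot files.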

For localhost-only IMAP access:

# In /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imaps {
    address = 127.0.0.1
    port = 993
  }
}

# Then configure Roundcube to use localhost:
$config['default_host'] = 'ssl://127.0.0.1';
$config['default_port'] = 993;

For delivery to remote servers without TLS support:

  1. Configure Postfix for opportunistic TLS, so delivery is encrypted whenever the remote server offers STARTTLS and falls back to plaintext otherwise:
     smtp_tls_security_level = may
  2. Set proper MX fallback records
  3. Implement DANE (DNS-Based Authentication of Named Entities) where supported

The nmap scan reveals your mail server is running both encrypted and unencrypted protocols:

25/tcp  open  smtp        # Unencrypted SMTP
80/tcp  open  http        # Web server
110/tcp open  pop3        # Unencrypted POP3
143/tcp open  imap        # Unencrypted IMAP
465/tcp open  smtps       # SSL-wrapped SMTP
587/tcp open  submission  # SMTP submission port
993/tcp open  imaps       # SSL-wrapped IMAP
995/tcp open  pop3s       # SSL-wrapped POP3

To disable unsecured protocols while maintaining functionality:

# Postfix main.cf configuration.
# (There is no smtpd_port parameter: listening ports are defined per service
# in master.cf, so the port 465 service follows below.)
inet_protocols = ipv4
smtp_tls_security_level = encrypt
smtpd_tls_security_level = encrypt
# Note: a global smtpd_tls_security_level = encrypt also applies to port 25,
# so sending servers that do not offer STARTTLS will be refused; override it
# with -o smtpd_tls_security_level=may on the smtp service if that is not intended.

# Postfix master.cf: SSL-wrapped SMTP on port 465 (the "smtps" service):
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

# Dovecot dovecot.conf configuration.
# (Dovecot 2.x protocol names are imap and pop3; imaps and pop3s are not valid
# protocol names here. The plaintext listeners are switched off below with port = 0.)
protocols = imap pop3
service imap-login {
  inet_listener imap {
    port = 0  # Disable plain IMAP
  }
  inet_listener imaps {
    port = 993
  }
}

service pop3-login {
  inet_listener pop3 {
    port = 0  # Disable plain POP3
  }
  inet_listener pop3s {
    port = 995
  }
}

The submission port (587) is crucial for authenticated mail-client submission over mandatory STARTTLS; configure it as follows:

# In Postfix master.cf:
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

To limit IMAPS access to local Roundcube installation:

# In Dovecot configuration:
service imap-login {
  inet_listener imaps {
    port = 993
    address = 127.0.0.1  # Only listen on localhost
  }
}

# For Roundcube configuration (config.inc.php):
# (Roundcube 1.5 and later replaced default_host/default_port with a single
# imap_host option that carries the port in the URL.)
$config['default_host'] = 'ssl://localhost';
$config['default_port'] = 993;
$config['imap_auth_type'] = 'LOGIN';
# The options below disable TLS certificate verification entirely; they are
# only tolerable because the connection never leaves the loopback interface.
# With a certificate that matches the host name, remove them.
$config['imap_conn_options'] = array(
  'ssl' => array(
    'verify_peer' => false,
    'verify_peer_name' => false,
    'allow_self_signed' => true
  )
);

For outgoing mail to servers without TLS support:

# In Postfix main.cf:
# Lookup tables have no "*" catch-all entry, so the default for all other
# destinations is the global smtp_tls_security_level; the policy map only
# lists the exceptions.
smtp_tls_security_level = encrypt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_note_starttls_offer = yes

# Contents of /etc/postfix/tls_policy. Postfix lookup tables do not accept
# trailing comments, so they are kept on their own lines.
# Allow non-TLS (opportunistic) delivery for specific domains:
example.com   may

# Rebuild the hash table after every edit:
postmap /etc/postfix/tls_policy