Postfix SMTP vs SMTPD: Understanding the Critical Differences in Mail Server Processes



In Postfix's architecture, smtp and smtpd represent two distinct processes with specialized roles:

# Process listing example:
postfix/master - the parent process
postfix/smtpd  - handles incoming SMTP connections (port 25, 587)
postfix/smtp   - handles outgoing mail delivery (port 465)

The smtpd process is your mail server's front door. It handles:

  • Incoming SMTP connections (both MX and submission)
  • Authentication (SASL)
  • Access control (via smtpd_* rules in main.cf)
  • TLS negotiation

The smtp process manages:

  • Outbound message delivery to other MX hosts
  • Queue management
  • Retry logic for failed deliveries
  • DNS lookups for MX records

Your spam incident reveals a critical configuration insight:

# Dangerous misconfiguration example:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtp_recipient_restrictions = (empty or too permissive)

Attackers often exploit weaker smtp process restrictions when smtpd is properly secured.

Always mirror restrictions between both processes:

# Recommended security settings:
smtpd_recipient_restrictions = 
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org

smtp_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain

Key differences in log entries:

# SMTPD log (incoming)
Dec 12 10:00:00 mail postfix/smtpd[1234]: connect from attacker.com[1.2.3.4]

# SMTP log (outgoing)
Dec 12 10:01:00 mail postfix/smtp[5678]: ABC123456: to=<victim@example.com>, relay=mx.example.com[5.6.7.8]

When examining Postfix mail server logs, you'll encounter two distinct components: postfix/smtp and postfix/smtpd. These represent fundamentally different operations:

# smtpd (server daemon) - inbound mail processing
# smtp (client) - outbound mail delivery

The smtpd process acts as the SMTP server that handles:

  • Incoming connections on port 25/587
  • Authentication (SASL)
  • Access control via smtpd_* rules

Example configuration:

# main.cf settings for smtpd
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes

The smtp process manages outbound delivery with:

  • DNS MX record lookups
  • Message queue processing
  • TLS encryption for remote servers

Example queue management command:

postqueue -p  # View mail queue
postsuper -d ALL  # Delete every message in the queue (use postqueue -f to flush/retry instead)

In your compromise scenario, spam being sent via smtp suggests:

  1. Authentication bypass at submission level (smtpd)
  2. Compromised credentials allowing queue injection
  3. Open relay misconfiguration

Critical security settings:

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain

To identify suspicious activity:

grep 'postfix/smtp.*relay=' /var/log/maillog | awk '{print $7}' | sort | uniq -c | sort -n

This shows outbound delivery patterns - unexpected destinations indicate abuse.
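As an added example (not part of either answer above), the same split of postfix/smtp versus postfix/smtpd log lines done in Python instead of grep/awk: it tallies outbound relay hosts, inbound connecting clients and messages per SASL login, then flags relays outside an expected set and accounts injecting more mail than a threshold. The log lines are constructed samples in the format the answers show; the sasl_username line is the standard smtpd client= record for an authenticated submission.

```python
import re
from collections import Counter

# Constructed sample maillog lines (not from any real server); the format
# follows the postfix/smtpd and postfix/smtp lines shown in the answers above.
SAMPLE_LOG = """\
Dec 12 10:00:00 mail postfix/smtpd[1234]: connect from attacker.com[1.2.3.4]
Dec 12 10:00:30 mail postfix/smtpd[1234]: ABC123456: client=attacker.com[1.2.3.4], sasl_method=PLAIN, sasl_username=bob
Dec 12 10:01:00 mail postfix/smtp[5678]: ABC123456: to=<victim@example.com>, relay=mx.example.com[5.6.7.8]:25, status=sent (250 OK)
Dec 12 10:01:05 mail postfix/smtp[5678]: ABC123457: to=<a@example.net>, relay=mx.example.net[5.6.7.9]:25, status=sent (250 OK)
Dec 12 10:01:07 mail postfix/smtp[5679]: ABC123458: to=<b@example.net>, relay=mx.example.net[5.6.7.9]:25, status=sent (250 OK)
Dec 12 10:02:00 mail postfix/smtpd[1235]: connect from localhost[127.0.0.1]
"""

# smtp (client) delivery record: queue id, recipient, relay host
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,\s]+)")
# smtpd (server) records: a bare connect, or an accepted message with a SASL login
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from (?P<client>\S+)")
SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=\S+, sasl_method=\S+, sasl_username=(?P<user>\S+)")

def tally(log_text):
    """Split the log by process: outbound relay hosts, inbound clients, messages per SASL user."""
    relays, clients, sasl_users = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if (m := SMTP_RE.search(line)):
            relays[m.group("relay").split("[")[0]] += 1   # keep the hostname only
        elif (m := CONNECT_RE.search(line)):
            clients[m.group("client")] += 1
        elif (m := SASL_RE.search(line)):
            sasl_users[m.group("user")] += 1
    return relays, clients, sasl_users

def unexpected_relays(relays, expected):
    """Outbound relay hosts not in the expected set, most frequent first."""
    return [(host, n) for host, n in relays.most_common() if host not in expected]

def busy_sasl_users(sasl_users, threshold):
    """SASL accounts that injected more than `threshold` messages (candidate compromised credentials)."""
    return sorted(u for u, n in sasl_users.items() if n > threshold)

if __name__ == "__main__":
    relays, clients, sasl_users = tally(SAMPLE_LOG)
    print("outbound relays:", dict(relays))
    print("inbound clients:", dict(clients))
    print("unexpected relays:", unexpected_relays(relays, {"mx.example.com"}))
    print("busy SASL users:", busy_sasl_users(sasl_users, 0))
```

On a real host, feed it the contents of /var/log/maillog and set `expected` to the relay hosts your server legitimately delivers to.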