Essential Mail Server Port Configuration: Best Practices for Postfix on Ubuntu (Ports 25, 587, and Authentication)



When configuring a Postfix mail server on Ubuntu, understanding port usage is critical for both functionality and security. Here's the technical breakdown of essential ports:

# Common mail service ports (TCP)
25    - SMTP (Message Transfer)
587   - Submission (Authenticated SMTP)
465   - Submissions (implicit-TLS submission, RFC 8314; formerly called SMTPS)
143   - IMAP
993   - IMAPS (Encrypted IMAP)

You must keep port 25 open for server-to-server communication, even when your own clients use 587 or 465. This is because:

  • An MX record names a host, not a port: every sending MTA connects to TCP port 25 of that host
  • Backward compatibility with older mail systems
  • Required for receiving mail from external domains

Encryption on port 25 is opportunistic STARTTLS (smtpd_tls_security_level = may); forcing TLS there would lose mail from the minority of servers that still do not offer it.

Example Postfix configuration for port 25 security (comments in Postfix configuration files must sit on their own line; a # later in a line is part of the value):

# /etc/postfix/main.cf
# Relay control (Postfix 2.10 and later): clients in $mynetworks may relay
# anywhere, everyone else may only deliver to domains this server accepts.
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
# Refuse clients that send commands before reading our replies (bulk-mailer behaviour)
smtpd_recipient_restrictions = reject_unauth_pipelining

Port 587 (Message Submission) should:

  • Always require authentication (SASL, only inside TLS)
  • Require STARTTLS (smtpd_tls_security_level=encrypt), not merely offer it
  • Be your primary outbound port for mail clients

Enable submission in master.cf (the fields after the service name are type, private, unpriv, chroot, wakeup, maxproc and command; the -o lines override main.cf for this service only):

# /etc/postfix/master.cf
submission inet n - y - - smtpd
# separate log tag, so submission traffic is easy to filter
  -o syslog_name=postfix/submission
# STARTTLS is mandatory, so AUTH is only reachable inside TLS
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
# authenticated clients only; everyone else is rejected at RCPT TO
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

For robust security:

  1. SASL authentication (recommended). With smtpd_sasl_type = dovecot, Postfix hands AUTH to Dovecot's authentication socket, so install Dovecot and enable the unix_listener /var/spool/postfix/private/auth block in /etc/dovecot/conf.d/10-master.conf (libsasl2-modules is only needed for the Cyrus backend, smtpd_sasl_type = cyrus):

     # Install Dovecot, which provides the authentication socket
     sudo apt install dovecot-core

     # Configure in main.cf
     smtpd_sasl_type = dovecot
     smtpd_sasl_path = private/auth
     # Enabling AUTH here turns it on for port 25 as well as for submission.
     # Either leave it off globally (the -o override in master.cf enables it
     # on submission) or keep it and never offer AUTH on a plain-text session:
     smtpd_sasl_auth_enable = yes
     smtpd_tls_auth_only = yes

  2. IP-based restrictions (supplemental). reject_unknown_client_hostname rejects every client whose IP lacks matching forward and reverse DNS, which on port 25 drops mail from many legitimate but sloppily configured senders; reject_unknown_reverse_client_hostname (no PTR record at all) is the milder check. The access map must be rebuilt with postmap /etc/postfix/access after every edit.

     smtpd_client_restrictions =
         permit_mynetworks,
         reject_unknown_client_hostname,
         check_client_access hash:/etc/postfix/access,
         permit

Port 465 began as an unofficial SSL-wrapped SMTP port and was long listed as deprecated in favour of STARTTLS on 587, but RFC 8314 reinstated it as "submissions" (implicit TLS) and many clients still use it. Offer it alongside 587 under the same authentication rules; it runs in wrapper mode because an implicit-TLS port has no STARTTLS handshake:

# /etc/postfix/master.cf
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

UFW rules for a balanced setup (UFW's default incoming policy is already deny, so the two deny rules only document intent; if STARTTLS clients need port 143, allow it and set ssl = required in Dovecot instead):

sudo ufw allow 25/tcp   # Inbound SMTP (server-to-server)
sudo ufw allow 587/tcp  # Submission (STARTTLS)
sudo ufw allow 465/tcp  # Submissions (implicit TLS)
sudo ufw allow 993/tcp  # IMAPS
sudo ufw deny 110/tcp   # Block plain POP3
sudo ufw deny 143/tcp   # Block plain IMAP

To recap, the ports you'll encounter when managing a Postfix mail server on Ubuntu are:

  • Port 25 (SMTP): mail transfer between servers, with opportunistic STARTTLS and no client authentication
  • Port 587 (Submission): the preferred port for mail clients, STARTTLS plus authentication
  • Port 465 (Submissions/SMTPS): implicit-TLS submission, still widely used by clients
  • Port 993 (IMAPS): encrypted IMAP for mail retrieval
Port 25 must remain open, but with strict configuration: it is the port other mail servers connect to on the host named in your MX record, so closing it means receiving no external mail. Implement these security measures:

# In /etc/postfix/main.cf
# Relay control: local networks may relay; everyone else only to our own domains
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
# Reject sender and recipient domains that do not resolve (no MX or A record);
# a temporary DNS failure yields a 450, so legitimate mail is retried, not lost
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain
smtpd_sender_restrictions = reject_unknown_sender_domain

Port 587 should be your primary submission port with mandatory authentication. Configure it in Postfix with:

# Submission port configuration (master.cf)
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# tell milters (e.g. a DKIM signer) that this mail originates here and should be signed
  -o milter_macro_daemon_name=ORIGINATING

Enforce authentication on the submission ports so that only your own users can originate mail through the server (which is also what lets a DKIM milter sign it as ORIGINATING):

# SASL authentication settings (main.cf)
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# never offer AUTH on a plain-text session; this matters on port 25, where the
# global setting above enables AUTH as well
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
# also announce "AUTH=" for old clients such as Outlook Express
broken_sasl_auth_clients = yes
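The port 25 relay restrictions and the submission/SASL settings, in both the walk-through above and this recap, are easy to get subtly wrong, and postconf -n only shows what is set, not whether it is safe. The script below is an added example, not code from this article or from the Postfix project: it parses a main.cf and a master.cf offline and reports the three mistakes this page warns about (relaying without reject_unauth_destination, a client-facing service that does not force TLS and SASL, and AUTH enabled globally without smtpd_tls_auth_only). The two configuration files it writes to a temporary directory are constructed samples mirroring the fragments on this page; the smtps entry is deliberately missing its client restriction, so one FAIL line is printed. Pass /etc/postfix/main.cf and /etc/postfix/master.cf to audit a real host.

```shell
#!/bin/sh
# Added example (not from the article or Postfix): offline audit of the main.cf
# and master.cf settings this page recommends. The sample configs are constructed.

# Print one main.cf parameter, joining continuation lines (leading whitespace)
# as Postfix does; prints an empty line if the parameter is not set.
postconf_value() {  # postconf_value <main.cf> <parameter>
    awk -v key="$2" '
        /^#/     { inkey = 0; next }
        /^[ \t]/ { if (inkey) val = val " " $0; next }
                 { inkey = 0 }
        $0 ~ ("^" key "[ \t]*=") {
            inkey = 1; val = $0
            sub("^" key "[ \t]*=[ \t]*", "", val)
        }
        END { gsub(/[ \t]+/, " ", val); print val }
    ' "$1"
}

# Print the value of one "-o option=value" override under a master.cf service.
master_option() {  # master_option <master.cf> <service> <option>
    awk -v svc="$2" -v opt="$3" '
        /^#/      { next }
        /^[^ \t]/ { insvc = ($1 == svc); next }
        insvc && $1 == "-o" && index($2, opt "=") == 1 { print substr($2, length(opt) + 2) }
    ' "$1"
}

# Port 25 must never relay to arbitrary destinations: smtpd_relay_restrictions has
# to contain reject_unauth_destination or defer_unauth_destination. Unset means
# the Postfix 2.10+ default, which already ends with the latter.
check_relay() {  # check_relay <main.cf>
    v=$(postconf_value "$1" smtpd_relay_restrictions)
    if [ -z "$v" ]; then v="permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"; fi
    case "$v" in
        *reject_unauth_destination*|*defer_unauth_destination*) return 0 ;;
    esac
    echo "FAIL: smtpd_relay_restrictions = '$v' leaves port 25 as an open relay"
    return 1
}

# AUTH enabled in main.cf applies to port 25 too, so it must be limited to TLS
# sessions or a client can send its password in clear text.
check_auth_tls() {  # check_auth_tls <main.cf>
    if [ "$(postconf_value "$1" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(postconf_value "$1" smtpd_tls_auth_only)" != yes ]; then
        echo "FAIL: smtpd_sasl_auth_enable=yes in main.cf without smtpd_tls_auth_only=yes"
        return 1
    fi
    return 0
}

# A client-facing service must force TLS (STARTTLS on submission, wrapper mode
# on smtps), enable SASL and admit only authenticated clients.
check_submission() {  # check_submission <master.cf> <service>
    f=$1; svc=$2; bad=0
    awk -v s="$svc" '$1 == s { found = 1 } END { exit !found }' "$f" ||
        { echo "FAIL: no $svc service defined in master.cf"; return 1; }
    if [ "$svc" = smtps ]; then
        [ "$(master_option "$f" "$svc" smtpd_tls_wrappermode)" = yes ] ||
            { echo "FAIL: $svc needs -o smtpd_tls_wrappermode=yes"; bad=1; }
    else
        [ "$(master_option "$f" "$svc" smtpd_tls_security_level)" = encrypt ] ||
            { echo "FAIL: $svc needs -o smtpd_tls_security_level=encrypt"; bad=1; }
    fi
    [ "$(master_option "$f" "$svc" smtpd_sasl_auth_enable)" = yes ] ||
        { echo "FAIL: $svc needs -o smtpd_sasl_auth_enable=yes"; bad=1; }
    [ "$(master_option "$f" "$svc" smtpd_client_restrictions)" = permit_sasl_authenticated,reject ] ||
        { echo "FAIL: $svc needs -o smtpd_client_restrictions=permit_sasl_authenticated,reject"; bad=1; }
    return $bad
}

audit() {  # audit <main.cf> <master.cf>; succeeds only if every check passes
    failed=0
    check_relay "$1"                 || failed=1
    check_auth_tls "$1"              || failed=1
    check_submission "$2" submission || failed=1
    check_submission "$2" smtps      || failed=1
    return $failed
}

# Constructed sample configs mirroring this page; the smtps service is
# deliberately missing its client restriction, so the audit reports it.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/main.cf" <<'EOF'
smtpd_relay_restrictions = permit_mynetworks,
    reject_unauth_destination
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
EOF
cat > "$TMP/master.cf" <<'EOF'
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
EOF

audit "$TMP/main.cf" "$TMP/master.cf" && echo "all checks passed"
```

The checks are presence checks only: a bare permit placed before reject_unauth_destination would still pass check_relay, so read the printed value as well as the verdict. On a live host, postconf -n and postconf -M print the effective main.cf and master.cf settings and can be saved to files for the same functions.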

Here's a sample UFW configuration for a secure mail server. UFW evaluates rules first-match, so a limit rule added after an allow rule for the same port never fires; use limit in place of allow where you want it. ufw limit blocks a source that opens 6 or more new connections within 30 seconds, which is acceptable for individual clients on 587 (not for an office behind one NAT address) but wrong on port 25, where a large provider's outbound pool legitimately opens many connections at once. Rate-limit port 25 inside Postfix instead, with smtpd_client_connection_rate_limit and the other anvil limits in main.cf.

# Allow server-to-server and client-facing ports
sudo ufw allow 25/tcp
sudo ufw allow 465/tcp
sudo ufw allow 993/tcp

# Rate-limit new connections on submission (limit replaces allow for this port)
sudo ufw limit 587/tcp

Periodically verify what is actually listening and watch the logs for abuse. Postfix's listening process is master, so match on that name rather than on "postfix":

# Check listening sockets (ss replaces the deprecated netstat)
sudo ss -tlnp | grep master

# Monitor mail logs (on hosts without rsyslog use: journalctl -f -u postfix@-)
sudo tail -f /var/log/mail.log | grep -E 'reject|warning|error'
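A running grep shows individual events; what you want from the log is who is probing for open relay and who is guessing passwords on submission. The script below is an added example, not code from this article or from Postfix: it counts rejects per client and reason, lists open-relay probes separately, and flags clients with repeated SASL failures. The log lines it writes are constructed in the /var/log/mail.log format (hosts, addresses and times are invented); on a real host pass that file, or saved journalctl output, to the functions instead.

```shell
#!/bin/sh
# Added example (not from the article or Postfix): triage of Postfix rejects and
# SASL failures. The log lines below are constructed in /var/log/mail.log format.

# Count "NOQUEUE: reject" events per client IP and rejection reason.
# Output lines: "<count> <ip> <reason>", most frequent first.
reject_counts() {  # reject_counts <logfile>
    awk '/NOQUEUE: reject: RCPT from/ {
            ip = $0; sub(/.*RCPT from [A-Za-z0-9._-]*\[/, "", ip); sub(/\].*/, "", ip)
            r = $0; sub(/.*\]: [0-9]+ [0-9.]+ /, "", r); sub(/;.*/, "", r)
            sub(/^<[^>]*>: /, "", r)   # drop the recipient, keep the reason text
            n[ip " " r]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Clients with at least <threshold> failed SASL logins (password guessing
# against the submission service). Output lines: "<ip> <failures>".
sasl_failures() {  # sasl_failures <logfile> <threshold>
    awk -v t="$2" '/SASL [A-Z0-9-]+ authentication failed/ {
            ip = $0; sub(/.*warning: [A-Za-z0-9._-]*\[/, "", ip); sub(/\].*/, "", ip)
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$1" | sort -k2,2rn
}

# Open-relay probes are "Relay access denied" rejects; list them on their own so
# they stand out from ordinary policy rejects. Output lines: "<count> <ip>".
relay_probes() {  # relay_probes <logfile>
    reject_counts "$1" | awk '/Relay access denied/ { print $1, $2 }'
}

triage() {  # triage <logfile>
    echo "== rejects by client and reason =="; reject_counts "$1"
    echo "== open-relay probes =="; relay_probes "$1"
    echo "== clients with 3+ SASL failures =="; sasl_failures "$1" 3
}

# Constructed sample log: a relay probe from 203.0.113.45, a brute-force run from
# 198.51.100.7, one innocent typo from 192.0.2.77, one DNS-based reject, and noise.
LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  3 10:01:12 mx1 postfix/smtpd[2140]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<spam@example.org> to=<victim@example.net> proto=ESMTP helo=<mail.example.org>
Mar  3 10:01:15 mx1 postfix/smtpd[2140]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <victim2@example.net>: Relay access denied; from=<spam@example.org> to=<victim2@example.net> proto=ESMTP helo=<mail.example.org>
Mar  3 10:02:01 mx1 postfix/submission/smtpd[2201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:02:03 mx1 postfix/submission/smtpd[2201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:02:04 mx1 postfix/submission/smtpd[2201]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:02:40 mx1 postfix/submission/smtpd[2203]: warning: laptop.example.net[192.0.2.77]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:03:30 mx1 postfix/smtpd[2140]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.10]: 450 4.1.8 <bogus@invalid.test>: Sender address rejected: Domain not found; from=<bogus@invalid.test> to=<alice@example.net> proto=ESMTP helo=<mail.example.org>
Mar  3 10:04:00 mx1 postfix/smtpd[2140]: connect from mail.example.com[192.0.2.20]
Mar  3 10:04:02 mx1 postfix/qmgr[1001]: 7B1C2A0F3E: from=<bob@example.com>, size=2048, nrcpt=1 (queue active)
EOF

triage "$LOG"
```

The SASL threshold is the judgement call: one or two failures are typos, a run of them from an address that never authenticates successfully is a guessing attack, and the offending address is a candidate for a check_client_access entry or a fail2ban jail.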