Configuring Postfix for TLS and Auth Enforcement on Port 587 While Keeping TLS Optional on Port 25


When setting up a mail server with Postfix, different ports serve distinct purposes in email delivery:

  • Port 25 (SMTP): Primarily for server-to-server communication where TLS may be optional
  • Port 587 (Submission): Designed for email clients where TLS and authentication should be mandatory

The key to implementing port-specific policies lies in Postfix's master.cf file, where we can define separate service instances with different restrictions:

# /etc/postfix/master.cf
# ==========================================================
# A value passed with -o must not contain whitespace: where main.cf would
# use a space, use a comma (Postfix reads both as list separators).
# SMTP on port 25 (server-to-server). Recipient restrictions, including the
# DNSBL checks, are inherited from main.cf; reject_unauth_destination (not a
# bare reject) keeps inbound mail for our own domains flowing.
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_client_restrictions=check_client_access,hash:/etc/postfix/access_client

# Submission on port 587 (authenticated clients only): "encrypt" makes STARTTLS
# mandatory before MAIL FROM, and only SASL-authenticated clients may relay.
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=check_client_access,hash:/etc/postfix/access_submission

For comprehensive protection, we'll implement RBL checks and SASL authentication policies:

# /etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    check_policy_service unix:private/policy

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

Create separate access controls for different ports. check_client_access looks up the connecting client's IP address or hostname, not the sender address, and a hash: map matches exactly or by network/domain prefix (there are no "*" wildcards). An OK result ends only the restriction list it appears in, so to exempt a client from the DNSBL lookups, check_client_access must be listed before reject_rbl_client in that same list. Run postmap on each file after editing it:

# /etc/postfix/access_client (for port 25)
# Rebuild with: postmap /etc/postfix/access_client
# Known-good client network (example prefix, replace with your own)
192.0.2         OK
# Hosts to refuse regardless of what the DNSBLs say (example address)
203.0.113.5     REJECT Your IP is blocked on this server

# /etc/postfix/access_submission (for port 587)
# Rebuild with: postmap /etc/postfix/access_submission
# Roaming clients sit on dynamic ranges that the Spamhaus PBL lists, so no
# zen.spamhaus.org lookup is applied on this port; list individual abusers
# here instead (example address, replace with your own)
198.51.100.23   REJECT Host blocked on the submission service

When implementing these restrictions, be aware of:

  • Some legacy systems may struggle with mandatory TLS on 587
  • Mobile clients might cache incorrect authentication settings
  • DNSBL false positives can occasionally block legitimate senders

Use these commands to verify your configuration:

# Test TLS enforcement on port 587 (expect "220 Ready to start TLS" and the
# certificate chain; -tlsextdebug prints the TLS extensions negotiated):
openssl s_client -connect mail.example.com:587 -starttls smtp -tlsextdebug

# Check authentication requirements on port 25 (AUTH must not be advertised
# in the EHLO reply nor accepted over plaintext; expect a 5xx refusal):
telnet mail.example.com 25
EHLO example.com
AUTH PLAIN

# Check what the client access map returns for a given client IP:
postmap -q 1.2.3.4 hash:/etc/postfix/access_client
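The manual checks above can be scripted. The following is an added example (not code from the original article): it talks plaintext SMTP to both ports and compares what each offers before STARTTLS with the policy master.cf is meant to enforce, namely STARTTLS advertised on both, no AUTH offered in clear, and on 587 a 530 reply to MAIL FROM until TLS is up. The host and the probe's EHLO name are assumptions.

```python
"""Probe a Postfix host and compare what each port offers in plaintext
against the intended policy (port 25: TLS optional, no plaintext AUTH;
port 587: STARTTLS required before MAIL FROM). Added example; host and
probe names are assumptions."""
import smtplib
import sys
from dataclasses import dataclass

EHLO_NAME = "probe.example.net"  # assumed name the probe identifies with


@dataclass
class Observation:
    """Server behaviour seen before STARTTLS (captured live or constructed)."""
    port: int
    starttls_offered: bool  # EHLO reply lists STARTTLS
    auth_offered: bool      # EHLO reply lists AUTH while still plaintext
    mail_from_code: int     # reply code to a plaintext MAIL FROM


def probe(host, port, timeout=10.0):
    """Open a plaintext session and record the pre-TLS behaviour."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo(EHLO_NAME)
        code, _ = s.docmd("MAIL", "FROM:<probe@example.net>")
        return Observation(port, s.has_extn("starttls"), s.has_extn("auth"), code)


def findings(obs):
    """Return policy violations for one port; an empty list means it complies."""
    problems = []
    if not obs.starttls_offered:
        problems.append(f"port {obs.port}: STARTTLS not advertised")
    if obs.auth_offered:
        # 587 forces TLS first; 25 sets smtpd_tls_auth_only=yes or leaves SASL off.
        problems.append(f"port {obs.port}: AUTH offered over plaintext")
    if obs.port == 587 and obs.mail_from_code != 530:
        # smtpd_tls_security_level=encrypt answers a plaintext MAIL FROM with
        # "530 5.7.0 Must issue a STARTTLS command first"
        problems.append(f"port 587: MAIL FROM answered {obs.mail_from_code} without TLS")
    if obs.port == 25 and obs.mail_from_code != 250:
        # smtpd_tls_security_level=may must still accept plaintext mail
        problems.append(f"port 25: plaintext MAIL FROM refused ({obs.mail_from_code})")
    return problems


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    for port in (25, 587):
        for line in findings(probe(host, port)) or [f"port {port}: OK"]:
            print(line)
```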

Remember to reload Postfix after configuration changes:

systemctl reload postfix

If you encounter problems:

  1. Check mail logs: journalctl -u postfix -f
  2. Verify SASL authentication: testsaslauthd -u user -p password (Cyrus saslauthd) or doveadm auth test user (Dovecot, as configured in main.cf above)
  3. Test RBL responses: host 4.3.2.1.zen.spamhaus.org

When setting up a mail server with Postfix, it's common to need different security policies for different ports. Port 25 (standard SMTP) typically needs to maintain backward compatibility, while port 587 (submission) should enforce modern security standards.

The key to implementing port-specific policies lies in the master.cf file. Here's how to configure it:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# -o values may not contain whitespace, so list items and a restriction's
# argument (the DNSBL domain below) are separated by commas instead.
# reject_unauth_destination (not a bare reject) keeps inbound mail flowing.
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sender_restrictions=reject_unknown_sender_domain
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination

# Authenticated clients are permitted before the DNSBL lookup is made.
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_rbl_client,zen.spamhaus.org

For Spamhaus protection, we can extend the restrictions:

# This replaces the "smtp inet" entry above (keep one entry per service).
# The "{ name = value }" form, available since Postfix 3.0, allows
# whitespace in the value and lets it span continuation lines.
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sender_restrictions=reject_unknown_sender_domain
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
  -o { smtpd_client_restrictions =
       permit_mynetworks,
       permit_sasl_authenticated,
       reject_rbl_client zen.spamhaus.org,
       reject_rhsbl_sender dbl.spamhaus.org,
       reject_rhsbl_helo dbl.spamhaus.org,
       reject_rhsbl_reverse_client dbl.spamhaus.org,
       check_client_access hash:/etc/postfix/access_client,
       permit }

To properly handle auth requirements:

# For port 25: TLS stays optional, but AUTH is only advertised and accepted
# after STARTTLS (smtpd_tls_auth_only), so credentials never cross in clear.
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o { smtpd_recipient_restrictions =
       permit_mynetworks,
       permit_sasl_authenticated,
       reject_unauth_destination }

Some legacy systems might struggle with these requirements:

  • Older mail servers that don't support STARTTLS on port 25
  • Mobile clients with outdated authentication mechanisms
  • Certain mailing list software that expects different port behaviors

Always verify your setup with these commands:

# Test port 25 (should accept plaintext SMTP but list AUTH only after TLS;
# once the server answers "220 Ready to start TLS" the session is encrypted,
# so continue with openssl s_client rather than telnet)
telnet your.server.com 25
EHLO example.com
STARTTLS

# Test port 587 (EHLO must advertise STARTTLS, and a MAIL FROM sent before
# STARTTLS is answered "530 Must issue a STARTTLS command first")
openssl s_client -connect your.server.com:587 -starttls smtp

If the tests fail, work through this checklist:

  1. Ensure your certificate chain is properly configured
  2. Verify that your SASL implementation (Cyrus/Dovecot) works
  3. Check that your blacklist DNS queries aren't being blocked
  4. Monitor your mail logs for any rejected legitimate traffic
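For the last item, here is an added example (not from the original article) that pulls DNSBL rejections out of Postfix smtpd log lines, counts them per list and per service, and flags the ones most worth a manual look: clients with working reverse DNS, and anything rejected on the submission service, where a roaming user on a PBL-listed address who failed to authenticate is the usual cause. The log lines are constructed samples in Postfix's format; the postfix/submission/smtpd prefix assumes -o syslog_name=postfix/submission on the submission entry.

```python
"""Summarise DNSBL rejections from Postfix smtpd log lines and flag likely
false positives. Added example; the log lines below are constructed."""
import re
import sys
from collections import Counter

# Postfix logs a DNSBL reject at RCPT time as a single "NOQUEUE: reject:" line.
REJECT_RE = re.compile(
    r"postfix/(?P<service>[\w/]*smtpd)\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<client>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<code>\d{3}) .*?"
    r"blocked using (?P<list>[\w.-]+).*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Constructed sample; "postfix/submission/smtpd" assumes -o syslog_name=postfix/submission
SAMPLE_LOG = """\
Mar  3 10:01:02 mx1 postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<bulk@example.org> to=<alice@mydomain.com> proto=ESMTP helo=<mx.example.org>
Mar  3 10:02:15 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<bob@partner.example> to=<alice@mydomain.com> proto=ESMTP helo=<mail.partner.example>
Mar  3 10:02:40 mx1 postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Sender address [spam@bad.example] blocked using dbl.spamhaus.org; from=<spam@bad.example> to=<alice@mydomain.com> proto=ESMTP helo=<x>
Mar  3 10:03:01 mx1 postfix/submission/smtpd[2213]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 554 5.7.1 Service unavailable; Client host [192.0.2.44] blocked using zen.spamhaus.org; from=<carol@mydomain.com> to=<dave@example.net> proto=ESMTP helo=<phone>
Mar  3 10:03:30 mx1 postfix/smtpd[2214]: 4F3A2B: from=<ok@example.com>, size=1024, nrcpt=1 (queue active)
"""


def parse_rejects(lines):
    """Return one dict (service, client, ip, code, list, sender, rcpt) per DNSBL reject."""
    return [m.groupdict() for m in map(REJECT_RE.search, lines) if m]


def summarise(rejects):
    """Counts per DNSBL and per smtpd service, plus rejects worth a second look:
    clients with a resolvable hostname, and anything rejected on the submission
    service (a roaming user on a PBL-listed address who did not authenticate)."""
    by_list = Counter(r["list"] for r in rejects)
    by_service = Counter(r["service"] for r in rejects)
    review = [r for r in rejects
              if r["client"] != "unknown" or "submission" in r["service"]]
    return by_list, by_service, review


if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    by_list, by_service, review = summarise(parse_rejects(lines))
    print("per list:", dict(by_list), "\nper service:", dict(by_service))
    for r in review:
        print(f"review: {r['service']} {r['client']}[{r['ip']}] {r['sender']} -> {r['rcpt']} via {r['list']}")
```

Feed it the output of journalctl -u postfix (or /var/log/mail.log) to get the same summary for a real day of traffic.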